SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   OS (Linux)  >   Linux Kernel Vendors:   kernel.org
(Turbolinux Issues Fix) Linux Kernel binfmt_elf Loader Lets Local Users Obtain Root Access
SecurityTracker Alert ID:  1012508
SecurityTracker URL:  http://securitytracker.com/id/1012508
CVE Reference:   CAN-2004-1070, CAN-2004-1071, CAN-2004-1072, CAN-2004-1073, CAN-2004-1074   (Links to External Site)
Date:  Dec 14 2004
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.4 through 2.4.27, 2.6 through 2.6.8
Description:   Some vulnerabilities were reported in the Linux kernel in the binfmt_elf loader. A local user can obtain root privileges on the target system.

Paul Starzetz reported several flaws in the ELF loader in the processing of set user id (setuid) binaries. These flaws include incorrect return value validation in the load_elf_binary() function, some faulty error handling, and an unterminated string bug in 'binfmt_elf.c' and also a file-type validation bug in 'exec.c' that allows non-readable ELF binaries to be read.

A local user can exploit these flaws to cause a setuid binary to execute arbitrary code.

The original advisory, including some demonstration exploit code, is available at:

http://isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
Impact:   A local user can execute arbitrary code with setuid privileges to obtain root access on the target system.
Solution:   Turbolinux has issued a fix for Turbolinux 10 Server:

Source Packages
Size : MD5

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/kernel-2.6.8-3.src.rpm
55161164 0ca8e635c4ddbb235f2f83fc0acf7593

Binary Packages
Size : MD5

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-2.6.8-3.i586.rpm
16448993 a4529057b9c3b6bf019806883e1331cd
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-extramodules-2.6.8-3.i586.rpm
6838609 63f0d926c8183cd41543ec13eabe674a
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-headers-2.6.8-3.i586.rpm
1894893 b3a3002daf1db85a46e3556470aa195f
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-numa-2.6.8-3.i586.rpm
16248001 bb0f877d54a012e84028d45427ce9b6d
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-pcmcia-cs-2.6.8-3.i586.rpm
334019 417d3e3c63b8529fa23ad49ec409583e
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-smp-2.6.8-3.i586.rpm
16216652 b8a05fec8bf1da3a5303e993923e55eb
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-smp64G-2.6.8-3.i586.rpm
16205367 87e1a7a968d46d035e29d6476adf9a62
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-source-2.6.8-3.i586.rpm
32759397 2099739a50e643ec02348732051a6147
Vendor URL:  www.kernel.org/ (Links to External Site)
Cause:   Access control error, Boundary error, Exception handling error, Input validation error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
Nov 10 2004 Linux Kernel binfmt_elf Loader Lets Local Users Obtain Root Access


 Source Message Contents
Date:  Mon, 13 Dec 2004 17:50:37 +0900
Subject:  [Full-Disclosure] [TURBOLINUX SECURITY INFO] 13/Dec/2004


To: security-announce@turbolinux.co.jp
Message-Id: <200412131750.49195.security-announce@turbolinux.co.jp>
X-ML-Name: server-users-e
X-Mail-Count: 00039
X-MLServer: fml [fml 4.0 STABLE (20040215/4.0.4_BETA)](fml commands only mode); post only (only members can post)
X-ML-Info: If you have a question, send e-mail with the body
	"help" (without quotes) to the address server-users-e-ctl@turbolinux.co.jp;
	help=<mailto:server-users-e-ctl@turbolinux.co.jp?body=help>
User-Agent: KMail/1.5.4
Content-Disposition: inline
X-MIME-Autoconverted: from quoted-printable to 8bit by meigetsu.turbolinux.co.jp id iBD8ooH5014039
Mime-Version: 1.0
Content-Type: Text/Plain;
  charset="us-ascii"
Content-Transfer-Encoding: 8bit
Content-Description: clearsigned data
Precedence: bulk
Lines: 159
List-Id: server-users-e.turbolinux.co.jp
List-Software: fml [fml 4.0 STABLE (20040215/4.0.4_BETA)]
List-Post: <mailto:server-users-e@turbolinux.co.jp>
List-Owner: <mailto:server-users-e-admin@turbolinux.co.jp>
List-Help: <mailto:server-users-e-ctl@turbolinux.co.jp?body=help>
List-Unsubscribe: <mailto:server-users-e-ctl@turbolinux.co.jp?body=unsubscribe>
Resent-From: security-announce@turbolinux.co.jp
Resent-To: server-users-e@turbolinux.co.jp (moderated)
Resent-Date: Mon, 13 Dec 2004 17:51:58 +0900
Resent-Message-Id: <200412131751.FMLAAB14047.server-users-e@turbolinux.co.jp>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 13/Dec/2004
============================================================

The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) kernel -> Security & Bugfix

===========================================================
* kernel -> Security & Bugfix
===========================================================

 More information:
    The kernel package contains the Linux kernel -- the core of the Linux
    operating system.

      The following have been addressed:
      - Numerous issues in the Linux ELF binary loader
      - Issues relating to IDE DMA transfers which prevent installation on
        machines with SiS chipsets using the SiS 962/963 IDE controller
      - Null pointer dereferencing in the SG driver
      - Kernel panic in the SG module caused by successive loading/unloading
        of SCSI LLD kernel modules (i.e., successive calls to insmod/rmmod)
      - Race condition in the usb-ehci module
      - Deadlock condition in the memory manager with certain application-level
        invocations of mutex_lock
      - Quirks in the snd-intel8x0 module on some HP machines
      - Kernel oops on USB CD devices
      - A problem causing processes to be killed with "Out of Memory" errors 

      The following have been added/updated:
      - 3c59x driver
      - aic7xxx driver
      - aic79xx driver
      - ndisdriver (0.12) driver
      - Support for 82597EX_LR by ixgb
      - megaraid (v2.20.4.1) driver
      - ext3 and xfs filesystem bug fixes and updates

 Impact:

 Affected Products:
    - Turbolinux 10 Server

 Solution:
    Please use the turbopkg (zabom) tool to apply the necessary updates.

    From KDE, click the K-menu (usually with the Turbolinux logo) and run
    Turbo Update.

    From the command line, use the commands below.
 ---------------------------------------------
 # turboupdate
 or
 # zabom -u kernel kernel-extramodules kernel-headers kernel-numa \
                   kernel-pcmcia-cs kernel-smp kernel-smp64G kernel-source
 ---------------------------------------------


 <Turbolinux 10 Server>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/kernel-2.6.8-3.src.rpm
     55161164 0ca8e635c4ddbb235f2f83fc0acf7593

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-2.6.8-3.i586.rpm
     16448993 a4529057b9c3b6bf019806883e1331cd
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-extramodules-2.6.8-3.i586.rpm
      6838609 63f0d926c8183cd41543ec13eabe674a
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-headers-2.6.8-3.i586.rpm
      1894893 b3a3002daf1db85a46e3556470aa195f
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-numa-2.6.8-3.i586.rpm
     16248001 bb0f877d54a012e84028d45427ce9b6d
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-pcmcia-cs-2.6.8-3.i586.rpm
       334019 417d3e3c63b8529fa23ad49ec409583e
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-smp-2.6.8-3.i586.rpm
     16216652 b8a05fec8bf1da3a5303e993923e55eb
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-smp64G-2.6.8-3.i586.rpm
     16205367 87e1a7a968d46d035e29d6476adf9a62
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/kernel-source-2.6.8-3.i586.rpm
     32759397 2099739a50e643ec02348732051a6147


 Notice: You must reboot your system for this (kernel) update to take effect.

 References:

 CVE
   [CAN-2004-1070]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1070
   [CAN-2004-1071]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1071
   [CAN-2004-1072]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1072
   [CAN-2004-1073]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1073
   [CAN-2004-1074]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1074


 * You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.

  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

Package Update Path
http://www.turbolinux.com/update/

============================================================
 * To obtain the public key

Here is the public key

 http://www.turbolinux.com/security/

 * To unsubscribe from the list

If you ever want to remove yourself from this mailing list,
  you can send a message to <server-users-e-ctl@turbolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).

unsubscribe

 * To change your email address

If you ever want to chage email address in this mailing list,
  you can send a message to <server-users-e-ctl@turbolinux.co.jp> with
the following command in the message body:

  chaddr 'old address' 'new address'

If you have any questions or problems, please contact
<supp_info@turbolinux.co.jp>

Thank you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBvVflK0LzjOqIJMwRAugXAJ4kdTgEmP7fNlQaldp36E244r7VlACcCdg7
qpyUBeD83kSOS83W0a6DJKo=
=Hn8D
-----END PGP SIGNATURE-----




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC