Paul Starzetz has
in the Linux kernel that can be used to gain root access
to the system.
The vulnerability, published on May 11, affects the kernel's ELF
(Executable and Linking Format) loader, which could allow a local user to
use a manipulated binary to gain elevated privileges.
This vulnerability affects kernels in the 2.2, 2.4 and 2.6
series. According to Starzetz report, the flaw is in the function
This function does not correctly handle the argument area
of the ELF process, which could be abused to override the memory layout:
It is possible to create a manipulated ELF binary, that specifies an ELF
program section to be loaded at the place of program arguments, but with no
access rights itself (that is, a page table level protection equal to
PROT_NONE). That will cause the strnlen_user() function to page fault at
the first attempt to count argument lengths. Moreover, the loading of
ELF sections happens just after the initial arguments have been set up in
the fresh memory space, so that it is easily possible to "override" the
predefined ELF memory layout. To illustrate this, here two memory
(1) initial ELF memory layout before starting to load program sections:
----------------EMPTY------------------[ ARGS stack region ] TASK_SIZE
(2) possible memory layout after loading ELF sections:
---------[CODE][DATA]------------------[FAKE][stack region ] TASK_SIZE
where FAKE is an ELF section mmaped into memory with PROT_NONE rights
What seems odd is the amount of attention that the vulnerability is
getting, or the lack thereof. While Colin
Percival's report of a vulnerability in Hyper-Threading is getting attention,
the ELF vulnerability has barely been a blip on the radar.
To date, only Trustix has
issued an alert and fix for this issue. Red Hat has just issued a kernel update,
but the ELF vulnerability is not mentioned in
the release announcement. We've checked the lists for Ubuntu, Debian,
Mandriva, Slackware, Fedora, Fedora Legacy, Yellow Dog -- none of these
distributions have issued a update yet for what appears to be a fairly
serious local exploit. As of this writing, nearly a week has passed since
Starzetz made the discovery public.
At the same time, most of those vendors have released new versions of Squid
to deal with a vulnerability
that would allow malicious users to spoof DNS lookups. The Squid
vulnerability was announced the same day as the ELF loader vulnerability.
It does seem that a patch, at least for the 2.6 series, is
available. Given the potential severity of the vulnerability, we're
curious to see how long it will be before updates are made available from
the major distributions. With Linux under close scrutiny for security
vulnerabilities and vendor response times, one hopes that it will be soon.
to post comments)