
Security

Responding to the kernel ELF vulnerability

May 18, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

Paul Starzetz has discovered a vulnerability in the Linux kernel that can be used to gain root access to the system. The vulnerability, published on May 11, is in the kernel's ELF (Executable and Linkable Format) loader and allows a local user to gain elevated privileges by running a manipulated binary.

This vulnerability affects kernels in the 2.2, 2.4 and 2.6 series. According to Starzetz's report, the flaw is in the function elf_core_dump() in binfmt_elf.c. This function does not correctly handle the argument area of the ELF process, and a manipulated binary can override the memory layout the kernel expects there:

It is possible to create a manipulated ELF binary, that specifies an ELF program section to be loaded at the place of program arguments, but with no access rights itself (that is, a page table level protection equal to PROT_NONE). That will cause the strnlen_user() function to page fault at the first attempt to count argument lengths. Moreover, the loading of ELF sections happens just after the initial arguments have been set up in the fresh memory space, so that it is easily possible to "override" the predefined ELF memory layout. To illustrate this, here are two memory layouts:
(1) initial ELF memory layout before starting to load program sections:

----------------EMPTY------------------[ ARGS stack region ] TASK_SIZE


(2) possible memory layout after loading ELF sections:

---------[CODE][DATA]------------------[FAKE][stack region ] TASK_SIZE
where FAKE is an ELF section mmaped into memory with PROT_NONE rights specified.
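
As an added illustration (not code from the article, from Starzetz's advisory, or from the kernel), here is a small ELF32 program-header checker that flags the two properties the quoted advisory attributes to the manipulated binary: a PT_LOAD segment with no access rights (which the loader will mmap PROT_NONE) and a PT_LOAD segment placed over the argument area just below TASK_SIZE, the "FAKE" region in the second layout. The i386 TASK_SIZE of 0xC0000000 and the 1 MiB window below it are assumptions chosen for the example, as is the constructed sample image; nothing here reproduces the kernel bug itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF32 definitions with the same layout as <elf.h>, inlined so the
 * example builds without system headers. Fields are read with memcpy, so the
 * image is assumed to be in host byte order (a real on-disk parser would
 * also honour e_ident[5], the data-encoding byte). */
#define EI_NIDENT 16
#define PT_LOAD   1u
#define PF_X      0x1u
#define PF_W      0x2u
#define PF_R      0x4u

typedef struct {
    unsigned char e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ElfHdr32;

typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} ProgHdr32;

/* Assumptions for the example: the i386 user/kernel split of the day, and a
 * 1 MiB window below it treated as "where the kernel lays out the arguments". */
#define TASK_SIZE_I386 0xC0000000u
#define ARG_WINDOW     0x00100000u

enum { FLAG_NO_PERMS = 1, FLAG_IN_ARG_AREA = 2 };

/* Bitmask of the two advisory properties for one program header. */
int check_phdr(const ProgHdr32 *ph)
{
    int r = 0;
    if (ph->p_type != PT_LOAD)
        return 0;
    if ((ph->p_flags & (PF_R | PF_W | PF_X)) == 0)     /* would be mmapped PROT_NONE */
        r |= FLAG_NO_PERMS;
    uint64_t lo = ph->p_vaddr, hi = (uint64_t)ph->p_vaddr + ph->p_memsz;
    if (lo < TASK_SIZE_I386 && hi > TASK_SIZE_I386 - ARG_WINDOW)
        r |= FLAG_IN_ARG_AREA;
    return r;
}

/* Scans an ELF32 image in memory. Returns the number of flagged PT_LOAD
 * segments, or -1 if the image is truncated or not ELF32. Per-header results
 * are stored in out[0..out_n-1]. */
int check_image(const unsigned char *img, size_t len, int *out, size_t out_n)
{
    ElfHdr32 eh;
    if (len < sizeof eh)
        return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 1)
        return -1;
    if (eh.e_phentsize != sizeof(ProgHdr32) ||
        (uint64_t)eh.e_phoff + (uint64_t)eh.e_phnum * eh.e_phentsize > len)
        return -1;
    int flagged = 0;
    for (size_t i = 0; i < eh.e_phnum; i++) {
        ProgHdr32 ph;
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        int r = check_phdr(&ph);
        if (i < out_n)
            out[i] = r;
        if (r)
            flagged++;
    }
    return flagged;
}

/* Constructed sample: a normal text segment plus a PT_LOAD with no access
 * rights placed over the argument area. Returns the image length, 0 if buf
 * is too small. */
size_t build_sample(unsigned char *buf, size_t cap)
{
    ElfHdr32 eh;
    ProgHdr32 ph[2];
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF\x01\x01\x01", 7);   /* ELF32, LSB, version 1 */
    eh.e_type = 2; eh.e_machine = 3; eh.e_version = 1;   /* ET_EXEC, EM_386 */
    eh.e_entry = 0x08048000; eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;
    ph[0] = (ProgHdr32){PT_LOAD, 0, 0x08048000, 0x08048000, 0x1000, 0x1000, PF_R | PF_X, 0x1000};
    ph[1] = (ProgHdr32){PT_LOAD, 0, 0xBFFFE000, 0xBFFFE000, 0, 0x1000, 0, 0x1000};
    if (cap < sizeof eh + sizeof ph)
        return 0;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Wrappers over the constructed sample: total flagged count, and the flag
 * bitmask for one header (-1 for a bad index or a rejected image). */
int sample_flagged_count(void)
{
    unsigned char img[128]; int res[2];
    return check_image(img, build_sample(img, sizeof img), res, 2);
}
int sample_phdr_flags(int idx)
{
    unsigned char img[128]; int res[2] = {0, 0};
    if (check_image(img, build_sample(img, sizeof img), res, 2) < 0 || idx < 0 || idx > 1)
        return -1;
    return res[idx];
}

int main(void)
{
    printf("flagged PT_LOAD segments: %d\n", sample_flagged_count());
    for (int i = 0; i < 2; i++)
        printf("  phdr %d:%s%s\n", i,
               (sample_phdr_flags(i) & FLAG_NO_PERMS) ? " [no access rights]" : "",
               (sample_phdr_flags(i) & FLAG_IN_ARG_AREA) ? " [overlaps argument area]" : "");
    return 0;
}
```

A PT_LOAD with none of PF_R, PF_W or PF_X set is something no normal toolchain emits, so a check of this shape is cheap to run wherever untrusted binaries are vetted before execution (build systems, upload scanners). It is a detection aid only: the kernel must still load such headers safely, which is what the patch is for.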

What seems odd is how little attention the vulnerability is getting. While Colin Percival's report of a vulnerability in Hyper-Threading is getting plenty of attention, the ELF vulnerability has barely been a blip on the radar.

To date, only Trustix has issued an alert and fix for this issue. Red Hat has just issued a kernel update, but the ELF vulnerability is not mentioned in the release announcement. We've checked the lists for Ubuntu, Debian, Mandriva, Slackware, Fedora, Fedora Legacy and Yellow Dog; none of these distributions has issued an update yet for what appears to be a fairly serious local vulnerability. As of this writing, nearly a week has passed since Starzetz made the discovery public.

At the same time, most of those vendors have released new versions of Squid to deal with a vulnerability that would allow malicious users to spoof DNS lookups. The Squid vulnerability was announced the same day as the ELF loader vulnerability.

It does seem that a patch, at least for the 2.6 series, is available. Given the potential severity of the vulnerability, we're curious to see how long it will be before updates are made available from the major distributions. With Linux under close scrutiny for security vulnerabilities and vendor response times, one hopes that it will be soon.

Comments (9 posted)

New vulnerabilities

bzip2: race condition and infinite loop

Package(s): bzip2   CVE #(s): CAN-2005-0953 CAN-2005-1260
Created: May 17, 2005   Updated: January 10, 2007
Description: bzip2 1.0.2 and earlier sets the permissions of the output file by path only after decompression is complete. A local user who can write the directory can replace the output file with a hard link to another file during that window, so bzip2 changes the permissions of an arbitrary file. Specially crafted bzip2 archives can also cause the decompressor to loop forever.
Alerts:
rPath rPSA-2007-0004-1 bzip2 2007-01-09
Debian DSA-741-1 bzip2 2005-07-07
Red Hat RHSA-2005:474-01 bzip2 2005-06-16
OpenPKG OpenPKG-SA-2005.008 bzip2 2005-06-10
SuSE SUSE-SR:2005:015 multi 2005-06-07
Debian DSA-730-1 bzip2 2005-05-27
Mandriva MDKSA-2005:091 bzip2 2005-05-18
Ubuntu USN-127-1 bzip2 2005-05-17

Comments (2 posted)
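
An added example (not from bzip2 or from any of the advisories above) showing the shape of the permissions race and its fix in C. The pattern being illustrated is: create the output file, write it, close it, then set its mode by path; a local user who can write the directory replaces the output with a hard link to a victim file during that window, so the chmod lands on the victim. The hardened version applies the mode with fchmod() on the still-open descriptor, so it can only affect the inode the program created. The attacker is simulated deterministically by a hook called in the race window; the directory under /tmp, the file names and the modes are constructed for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Called in the window between finishing the output file and fixing its mode;
 * stands in for a concurrent local attacker. */
typedef void (*race_hook_t)(const char *outpath, void *ctx);

/* Vulnerable pattern: write, close, then chmod by path. */
int write_output_unsafe(const char *outpath, mode_t mode, race_hook_t hook, void *ctx)
{
    int fd = open(outpath, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "decompressed\n", 13) != 13) {
        close(fd);
        return -1;
    }
    close(fd);
    if (hook)
        hook(outpath, ctx);          /* race window: the path may be swapped */
    return chmod(outpath, mode);     /* applies to whatever outpath names now */
}

/* Hardened pattern: set the mode through the descriptor, then close. */
int write_output_safe(const char *outpath, mode_t mode, race_hook_t hook, void *ctx)
{
    int fd = open(outpath, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "decompressed\n", 13) != 13) {
        close(fd);
        return -1;
    }
    if (hook)
        hook(outpath, ctx);          /* same window, but the swap changes nothing */
    int r = fchmod(fd, mode);        /* applies to the inode this process created */
    close(fd);
    return r;
}

/* Simulated attacker: replace the output path with a hard link to the victim.
 * Needs write access to the directory only. On kernels with
 * fs.protected_hardlinks=1 this link() fails unless the attacker can already
 * read and write the victim, which blunts this class of attack; here the
 * victim is the same user's file, so the link succeeds. */
static void attacker_swap(const char *outpath, void *ctx)
{
    unlink(outpath);
    (void)link((const char *)ctx, outpath);
}

/* Runs one scenario in a fresh mkdtemp() directory under /tmp and returns the
 * victim file's permission bits afterwards (the victim starts at 0600), or -1
 * if setup fails. */
int run_scenario(int use_safe)
{
    char dir[] = "/tmp/bz2race.XXXXXX";
    char victim[64], out[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0)
        return -1;
    close(vfd);
    chmod(victim, 0600);   /* explicit, so the umask cannot change the starting point */
    int rc = use_safe ? write_output_safe(out, 0666, attacker_swap, victim)
                      : write_output_unsafe(out, 0666, attacker_swap, victim);
    struct stat st;
    int mode = (rc == 0 && stat(victim, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(out);
    unlink(victim);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("chmod by path after close: victim mode %04o\n", run_scenario(0));
    printf("fchmod on the open fd:     victim mode %04o\n", run_scenario(1));
    return 0;
}
```

The same rule generalises beyond chmod: once a file has been opened, every later metadata operation on it (fchown, futimens, fstat for size checks) should go through the descriptor rather than the path, since the path can be re-pointed by anyone with write access to the directory.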

FreeRADIUS: buffer overflow and SQL injection

Package(s): freeradius   CVE #(s): CAN-2005-1454 CAN-2005-1455
Created: May 17, 2005   Updated: June 23, 2005
Description: Primoz Bratanic discovered that the sql_escape_func function of FreeRADIUS 1.0.2 and earlier may be vulnerable to a buffer overflow. He also discovered that FreeRADIUS fails to sanitize user input before using it in a SQL query, possibly allowing SQL command injection.
Alerts:
Red Hat RHSA-2005:524-01 freeradius 2005-06-23
Gentoo 200505-13:02 freeradius 2005-05-17
Gentoo 200505-13 freeradius 2005-05-17

Comments (1 posted)

kernel: extended attribute denial of service

Package(s): kernel   CVE #(s): CAN-2005-0757
Created: May 18, 2005   Updated: May 18, 2005
Description: The extended attribute code (at least as backported by Red Hat into the 2.4 kernel) suffers from an offset handling error which can be exploited to cause a system crash.
Alerts:
Red Hat RHSA-2005:294-01 kernel 2005-05-18

Comments (1 posted)

mozilla suite / mozilla firefox: remote compromise

Package(s): mozilla firefox   CVE #(s): CAN-2005-1476 CAN-2005-1477
Created: May 16, 2005   Updated: May 23, 2005
Description: Several vulnerabilities in the Mozilla Suite (versions before 1.7.8) and Firefox (versions before 1.0.4) allow an attacker to conduct cross-site scripting attacks or to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:435-01 mozilla 2005-05-23
Red Hat RHSA-2005:434-01 firefox 2005-05-23
Mandriva MDKSA-2005:088-1 mozilla 2005-05-17
Slackware SSA:2005-135-01 mozilla 2005-05-16
Gentoo 200505-11 mozilla-firefox 2005-05-15

Comments (none posted)

nasm: buffer overflow in the ieee_putascii() function

Package(s): nasm   CVE #(s): CAN-2005-1194
Created: May 17, 2005   Updated: May 19, 2005
Description: Josh Bressers discovered a buffer overflow in the ieee_putascii() function of nasm 0.98 and earlier. If an attacker tricks a user into assembling a malicious source file, the attacker can execute arbitrary code with the privileges of the user running nasm.
Alerts:
Mandriva MDKSA-2005:090 nasm 2005-05-18
Ubuntu USN-128-1 nasm 2005-05-17

Comments (2 posted)

openssh: directory traversal

Package(s): openssh   CVE #(s): CAN-2004-0175
Created: May 18, 2005   Updated: July 13, 2005
Description: The OpenSSH scp client can, when connected to a hostile server, be instructed to overwrite arbitrary files.
Alerts:
Fedora-Legacy FLSA:123014 openssh 2005-07-11
Mandriva MDKSA-2005:100 rsh 2005-06-14
Red Hat RHSA-2005:495-01 rsh 2005-06-13
Red Hat RHSA-2005:165-01 rsh 2005-06-08
Red Hat RHSA-2005:481-01 openssh 2005-06-02
Red Hat RHSA-2005:106-01 openssh 2005-05-18
Red Hat RHSA-2005:074-01 rsh 2005-05-18

Comments (1 posted)

phpBB: cross-site scripting

Package(s): phpbb   CVE #(s):
Created: May 15, 2005   Updated: May 17, 2005
Description: Paul Laudanski reported a vulnerability in phpBB (in versions prior to 2.0.15) in the processing of BBCode. A remote user may be able to cause scripting code to be executed by the target user.
Alerts:
Gentoo 200505-10 phpbb 2005-05-14

Comments (none posted)

phpsysinfo: cross-site scripting

Package(s): phpsysinfo   CVE #(s): CAN-2005-0870
Created: May 18, 2005   Updated: November 15, 2005
Description: The phpsysinfo program contains several cross-site scripting vulnerabilities.
Alerts:
Debian DSA-724-1 phpsysinfo 2005-05-18

Comments (none posted)

squid: DNS spoofing

Package(s): squid   CVE #(s): CAN-2005-1519
Created: May 18, 2005   Updated: July 13, 2005
Description: The squid proxy server performs DNS lookups in a way which is susceptible to answers injected by a hostile user, and, thus, DNS spoofing attacks.
Alerts:
Debian DSA-751-1 squid 2005-07-11
Mandriva MDKSA-2005:104 squid 2005-06-24
Red Hat RHSA-2005:415-01 squid 2005-06-14
Red Hat RHSA-2005:489-01 squid 2005-06-13
Ubuntu USN-129-1 squid 2005-05-18
Fedora FEDORA-2005-373 squid 2005-05-17

Comments (none posted)

Page editor: Jonathan Corbet


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds