The /proc vulnerability

July 19, 2006

This article was contributed by Jake Edge.

A second local privilege escalation bug has been found recently in the 2.6 kernel series. The first, covered by LWN last week, configured processes to dump core in directories not normally writable by the user. The most recent vulnerability exploits the setuid permissions bit on files in the /proc filesystem and a kernel race. In both cases, the result is root privileges for interested local users.

The first indication of the vulnerability came as a working exploit posted to the full-disclosure mailing list. The exploit uses an mmap() of a large file on the disk to slow the system down enough to exploit a race condition in the /proc filesystem handling. Permissions for the /proc/self/environ file can be set with the setuid bit 'on' and prctl() can be used to set the owner of that file to root. Tacking an a.out executable onto the environ file allows a local user to get a root shell.

The fix is fairly obvious: setuid and setgid bits do not make any sense for /proc filesystem entries and removing that 'feature' fixes the problem. The stable 2.6 kernels were patched the same day as the exploit was released and a tweak to the original fix was released the next day.

A fairly simple workaround is to mount (or remount) /proc with the nosuid flag. That flag prevents the setuid/setgid bits from having any effect for files on that filesystem. It should be noted that this workaround was the right thing to do for /proc all along; nothing good can come from allowing those bits to be used. Distributions should take a look at tightening these kinds of restrictions and help their users avoid these kinds of problems whenever possible.
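As an added illustration of the workaround above (not code from the article), this POSIX shell script checks whether the filesystem mounted at /proc carries the nosuid option by reading a mounts table in /proc/mounts format, and prints the remount command if it does not. The two sample mounts tables are constructed here so the check runs offline; point the function at the real /proc/mounts to check a live system.

```shell
#!/bin/sh
# Added example: verify the "mount /proc with nosuid" workaround.
# proc_has_nosuid MOUNTS_FILE [MOUNTPOINT]
# Returns 0 if the entry for MOUNTPOINT (default /proc) in MOUNTS_FILE
# (default /proc/mounts) lists the nosuid option, 1 otherwise.
proc_has_nosuid() {
    mounts="${1:-/proc/mounts}"
    target="${2:-/proc}"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    # The last matching entry wins, as it would for stacked mounts.
    opts=$(awk -v mp="$target" '$2 == mp { print $4 }' "$mounts" | tail -n 1)
    [ -n "$opts" ] || return 1          # not mounted at all
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample mounts tables: one hardened, one with the default options.
GOOD_MOUNTS=$(mktemp)
BAD_MOUNTS=$(mktemp)
trap 'rm -f "$GOOD_MOUNTS" "$BAD_MOUNTS"' EXIT
cat > "$GOOD_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
EOF
cat > "$BAD_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw 0 0
EOF

# Report the state of /proc and, if needed, the remount the article recommends.
check_and_advise() {
    if proc_has_nosuid "$1"; then
        echo "/proc is mounted nosuid: setuid/setgid bits on /proc entries are ignored"
    else
        echo "/proc is NOT mounted nosuid; as root, remount it with:"
        echo "    mount -o remount,nosuid /proc"
    fi
}

check_and_advise "$GOOD_MOUNTS"
check_and_advise "$BAD_MOUNTS"
```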

Systems that have sufficiently restricted SELinux configurations were not affected by this vulnerability. For example, the targeted policy in enforcing mode that is the default for Red Hat Enterprise Linux 4 will not allow setting those bits on /proc files. In addition, kernels that did not have a.out support enabled would not be affected by this exploit, but there may be other ways to exploit the bug without using an a.out binary. Even so, this vulnerability is a good example of why it makes sense to disable unused functionality, even if it doesn't have any immediate security implications. Most currently-running Linux systems have probably never seen an a.out binary; they certainly do not need that format enabled in their kernels.

It is fairly common for local privilege escalation issues to be given insufficient attention by system administrators because their systems either have no login user accounts or trust the people who do have them. Unfortunately, there is often a significant risk even to those kinds of systems. All that it takes is an exploit in a web program or other network service that allows a malicious user to get a shell. That shell will be running with the permissions of the user that runs the exploited service ('apache' for example), but a privilege escalation can allow that limited shell access to become a full takeover of the box. Any network accessible system should be considered vulnerable to this kind of problem and be patched accordingly.


New vulnerabilities

kernel: denial of service by memory consumption

Package(s): kernel    CVE #(s): CVE-2006-2936
Created: July 17, 2006    Updated: November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
SuSE SUSE-SA:2007:035 kernel 2007-06-14
Mandriva MDKSA-2006:151 kernel 2006-08-25
Mandriva MDKSA-2006:150 kernel 2006-08-25
Ubuntu USN-331-1 linux-source-2.6.15 2006-08-03
rPath rPSA-2006-0130-1 kernel 2006-07-17


kernel: race condition

Package(s): kernel    CVE #(s): CVE-2006-3626
Created: July 17, 2006    Updated: July 21, 2006
Description: It was discovered that a race condition in the process filesystem can lead to privilege escalation.
Trustix TSLSA-2006-0042 gnupg, kernel, samba 2006-07-21
Ubuntu USN-319-2 linux-source-2.6.10, linux-source-2.6.12 2006-07-19
Mandriva MDKSA-2006:124 kernel 2006-07-18
Ubuntu USN-319-1 linux-source-2.6.15 2006-07-18
Debian DSA-1111-1 kernel-source-2.6.8 2006-07-16


libpng: buffer overflow

Package(s): libpng    CVE #(s): CVE-2006-3334
Created: July 19, 2006    Updated: December 15, 2008
Description: In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow.
Gentoo 200812-15 povray 2008-12-14
Mandriva MDKSA-2006:213 chromium 2006-11-16
rPath rPSA-2006-0133-1 libpng 2006-07-19
Gentoo 200607-06 libpng 2006-07-19


libtunepimp: buffer overflows

Package(s): libtunepimp    CVE #(s): CVE-2006-3600
Created: July 13, 2006    Updated: August 2, 2006
Description: The libtunepimp tag parser has multiple buffer overflow vulnerabilities. If a user can be tricked into opening specially crafted tagged multimedia files, arbitrary code can be executed with the user's privileges.
Debian DSA-1135-1 libtunepimp 2006-08-02
Gentoo 200607-11 tunepimp 2006-07-28
Mandriva MDKSA-2006:126 libtunepimp 2006-07-18
Ubuntu USN-318-1 libtunepimp 2006-07-13


libwmf: integer overflow

Package(s): libwmf    CVE #(s): CVE-2006-3376
Created: July 13, 2006    Updated: November 6, 2006
Description: libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability.
OpenPKG OpenPKG-SA-2006.031 libwmf 2006-11-06
Debian DSA-1194-1 libwmf 2006-10-09
Gentoo 200608-17 libwmf 2006-08-10
Ubuntu USN-333-1 libwmf 2006-08-09
Mandriva MDKSA-2006:132 libwmf 2006-07-28
Fedora FEDORA-2006-831 libwmf 2006-07-18
Fedora FEDORA-2006-832 libwmf 2006-07-18
Fedora FEDORA-2006-805 libwmf 2006-07-12
Fedora FEDORA-2006-804 libwmf 2006-07-12
Arch Linux ASA-201701-1 libwmf 2017-01-01


rssh: bypass access restrictions

Package(s): rssh    CVE #(s): CVE-2006-1320
Created: July 17, 2006    Updated: July 19, 2006
Description: Russ Allbery discovered that rssh, a restricted shell, performs insufficient checking of incoming commands, which might lead to a bypass of access restrictions.
Debian DSA-1109-1 rssh 2006-07-16


vixie-cron: directory permissions

Package(s): vixie-cron    CVE #(s): none
Created: July 18, 2006    Updated: July 19, 2006
Description: vixie-cron has a directory permission issue: the cron spool directories had the wrong permissions and have been changed to 0700. The security implications of the previous permissions are unspecified.
Fedora FEDORA-2006-823 vixie-cron 2006-07-17


webmin: arbitrary file read

Package(s): webmin    CVE #(s): CVE-2006-3392
Created: July 19, 2006    Updated: August 7, 2006
Description: Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files.
Gentoo 200608-11 webmin 2006-08-06
Mandriva MDKSA-2006:125 webmin 2006-07-18


wireshark: multiple vulnerabilities

Package(s): wireshark    CVE #(s): CVE-2006-3627 CVE-2006-3628 CVE-2006-3629 CVE-2006-3630 CVE-2006-3631 CVE-2006-3632
Created: July 19, 2006    Updated: August 16, 2006
Description: Wireshark (formerly Ethereal) reports numerous vulnerabilities in versions 0.8.16 up to and including 0.99.0.
Red Hat RHSA-2006:0602-01 wireshark ethereal 2006-08-16
Fedora FEDORA-2006-860 wireshark 2006-07-28
Debian DSA-1127-1 ethereal 2006-07-28
Gentoo 200607-09 wireshark 2006-07-25
rPath rPSA-2006-0132-1 wireshark 2006-07-19
Mandriva MDKSA-2006:128 wireshark 2006-07-18


zope: privilege escalation

Package(s): zope    CVE #(s): CVE-2006-3458
Created: July 13, 2006    Updated: August 9, 2006
Description: Zope versions 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 have a privilege escalation vulnerability related to their failure to deactivate the raw command. Remote users with privileges to edit Zope pages with RestructuredText can cause arbitrary files to become exposed.
SuSE SUSE-SR:2006:019 fbi gimp libwmf zope horde 2006-08-09
Debian DSA-1113-1 zope2.7 2006-07-18
Ubuntu USN-317-1 zope2.8 2006-07-13


Page editor: Rebecca Sobol

Copyright © 2006, Eklektix, Inc.