Security
A privilege escalation flaw in udev
A vulnerability in udev, the user-space tool that manages the Linux /dev tree, has left unpatched systems vulnerable to a local root privilege escalation. Exploits are already circulating on the full-disclosure mailing list, so it is rather important for users and administrators to update their systems. The problem was caused by the way udev processes the messages it receives—certain kinds of messages, which could be generated by user processes, were not considered. That oversight led to the vulnerability.
The ever-expanding nature of the /dev tree, along with the rise of more dynamic hardware environments, led to the creation of udev in 2003. It replaced the devfs filesystem that was an earlier attempt to solve those problems. Unfortunately, devfs codified device naming policy into the kernel—something the kernel hackers try to avoid. By moving those decisions to user space with udev, that problem—along with a number of others—was resolved.
In order for udevd (the udev daemon) to do its job, it needs a way to be informed by the kernel when devices come and go—typically because the user attached or detached some device. A standard Linux way to send messages between the kernel and user space is via a netlink socket. Netlink sockets are an inter-process communication (IPC) mechanism that is geared for kernel to user space (and vice versa) IPC. It provides the well-understood sockets API to user space programs and is a much more flexible IPC mechanism than other possible choices.
One of the nice features of netlink sockets is the ability to multicast messages (i.e. a message sent to multiple recipients). Each netlink protocol type can have up to 32 multicast groups associated with it. Typically, multicast messages can only be sent and received by root, though some netlink protocol types will allow non-root processes to send and/or receive multicast messages. In fact, a recent change to the kernel allows non-root processes to receive—but not send—the udev multicast messages (which are also known as uevents).
Since only root processes can send the multicast uevents, it would seem there is no hole to exploit. Unfortunately, no one considered unicast messages. Any process can send a unicast netlink message to any other process, just by addressing it to a particular pid. It is up to the recipient to decide whether to accept and process the message. Because these unicast messages fell through the cracks, udevd would happily process them—creating devices as specified by a potentially malicious user. One of the more obvious exploits would be to create world-writeable block device corresponding to the root filesystem—other, nastier exploits are likely possible as well.
The fix was straightforward: enabling credentials (a header placed on each message by the kernel that includes the uid and pid of the sender) for the netlink socket, then requiring that all messages received have a uid of zero, which Kay Sievers added on April 8. Scott James Remnant added some additional checks shortly thereafter, requiring that messages received are not unicast and have been sent by the kernel.
Sievers says that either
patch "alone would be sufficient
" to fix the problem and that
doing both is, in
some sense, defensive programming. The credentials check is needed for
upcoming changes, he said, and Remnant's checks will take care of a
theoretical concern: "a confined
root process inside SELinux or AppArmor jail, which in fact is not
root in the usual sense, has no privileges, but could have the uid
0
". While Sievers didn't think the theory was particularly viable,
checking for a sender pid of zero (as Remnant's change does) will
take care of that problem as well.
This vulnerability illustrates a fairly common mistake: not considering all of the ways that input can reach a program. Every input mechanism factors into the "attack surface" of a program (or system). In this case, messages that—up until very recently at least—couldn't even be seen by non-root processes, could be sent by them. It is not uncommon for developers to focus on the "normal" usage of an input mechanism and miss a lesser, but still valid, use.
It is interesting to see that this vulnerability has a strange overlap with the capabilities flaw we reported on last week. In both cases, an exploit would use a device node created by mknod(), which is, itself, an uncommonly-used system call. These are the kinds of places that attackers are likely to focus their efforts. One hopes that other users of netlink sockets—routing daemons, netfilter, firewall applications, and others—have examined their code for similar problems.
Brief items
The voting machine industry looks at open source
Here is a report from the Election Technology Council [PDF] giving the voting machine industry's view of open source software. It's ... interesting. "The level of accountability present within an open source product offering is weakened due to its diffuse contributor base and lack of clear liability. Public oversight is arguably just as diminished in an open source environment since the layperson is unable to read and understand software source code adequately enough to ensure total access and comprehension. If a third party is charged with this oversight function to remedy this situation, this is would be no different than any other regulatory process that institutionalizes an oversight function." (Seen on Freedom To Tinker, where Dan Wallach adds several comments of his own).
The details on loading rootkits via /dev/mem
For the curious, here is the paper describing rootkit injection via /dev/mem [PDF]. As expected, there's not a whole lot that's truly new, though there are some clever techniques for getting the kernel to allocate memory for the injected code. The authors note that, indeed, the STRICT_DEVMEM configuration option will block this attack. "Until recently there was no protection inside the kernel main- line, although SELinux has limited seeks above the first megabyte of memory for a few years. Users of RHEL and other distributions have been safe for some time now."
New vulnerabilities
apt: return code not checked
| Package(s): | apt | CVE #(s): | CVE-2009-1300 | ||||||||
| Created: | April 21, 2009 | Updated: | April 27, 2009 | ||||||||
| Description: | From the Ubuntu advisory: Alexandre Martani discovered that the APT daily cron script did not check the return code of the date command. If a machine is configured for automatic updates and is in a time zone where DST occurs at midnight, under certain circumstances automatic updates might not be applied and could become permanently disabled. | ||||||||||
| Alerts: |
| ||||||||||
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CVE-2008-6680 CVE-2009-1270 | ||||||||||||||||
| Created: | April 16, 2009 | Updated: | December 8, 2009 | ||||||||||||||||
| Description: | Clamav has three vulnerabilities, from the Debian alert:
CVE-2008-6680 Attackers can cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error. CVE-2009-1270 Attackers can cause a denial of service (infinite loop) via a crafted tar file that causes (1) clamd and (2) clamscan to hang. (no CVE Id yet) Attackers can cause a denial of service (crash) via a crafted EXE file that crashes the UPack unpacker. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
cups: integer overflow
| Package(s): | cups | CVE #(s): | CVE-2009-0163 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 17, 2009 | Updated: | March 15, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory: It was discovered that the imagetops filter in cups, the Common UNIX Printing System, is prone to an integer overflow when reading malicious TIFF images. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
cups: multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 17, 2009 | Updated: | August 18, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
Multiple buffer overflow flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0146, CVE-2009-1182) Multiple integer overflow flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0147, CVE-2009-1179) Multiple flaws were found in the CUPS JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0166, CVE-2009-1180) Multiple denial of service flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash when printed. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Multiple input validation flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0800) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1310 CVE-2009-1311 CVE-2009-1312 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 22, 2009 | Updated: | September 14, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Firefox prior to the 3.0.9 release contains a list of vulnerabilities of varying severity. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
git-core: privilege escalation
| Package(s): | git-core | CVE #(s): | |||||
| Created: | April 21, 2009 | Updated: | April 22, 2009 | ||||
| Description: | From the Debian advisory: Peter Palfrader discovered that in the Git revision control system, on some architectures files under /usr/share/git-core/templates/ were owned by a non-root user. This allows a user with that uid on the local system to write to these files and possibly escalate their privileges. | ||||||
| Alerts: |
| ||||||
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2009-1072 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 16, 2009 | Updated: | July 2, 2009 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | The kernel has a privilege escalation vulnerability.
From the SUSE alert:
nfsd in the Linux kernel does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option. | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
mpg123: user-assisted execution of arbitrary code
| Package(s): | mpg123 | CVE #(s): | CVE-2009-1301 | ||||||||||||
| Created: | April 17, 2009 | Updated: | December 8, 2009 | ||||||||||||
| Description: | From the Gentoo advisory: The vendor reported a signedness error in the store_id3_text() function in id3.c, allowing for out-of-bounds memory access. A remote attacker could entice a user to open an MPEG-1 Audio Layer 3 (MP3) file containing a specially crafted ID3 tag, possibly resulting in the execution of arbitrary code with the privileges of the user running the application. | ||||||||||||||
| Alerts: |
| ||||||||||||||
phpMyAdmin: insufficient output sanitizing
| Package(s): | phpMyAdmin | CVE #(s): | CVE-2009-1285 | ||||||||
| Created: | April 16, 2009 | Updated: | April 22, 2009 | ||||||||
| Description: | phpMyAdmin has a vulnerability involving insufficient output sanitizing.
The phpMyAdmin
security report states:
Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. This issue is on different parameters than PMASA-2009-3 and it was missed out of our radar because it was not existing in 2.11.x branch. | ||||||||||
| Alerts: |
| ||||||||||
poppler: multiple vulnerabilities
| Package(s): | poppler | CVE #(s): | CVE-2009-1187 CVE-2009-1188 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 17, 2009 | Updated: | May 24, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the rPath advisory: Previous versions of poppler contain multiple vulnerabilities, the most serious of which could allow an attacker to cause a denial of service or execute arbitrary code as the user executing the application. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
slurm-llnl: privilege escalation
| Package(s): | slurm-llnl | CVE #(s): | |||||
| Created: | April 21, 2009 | Updated: | April 22, 2009 | ||||
| Description: | From the Debian advisory: It was discovered that the Simple Linux Utility for Resource Management (SLURM), a cluster job management and scheduling system, did not drop the supplemental groups. These groups may be system groups with elevated privileges, which may allow a valid SLURM user to gain elevated privileges. | ||||||
| Alerts: |
| ||||||
udev: multiple vulnerabilities
| Package(s): | udev | CVE #(s): | CVE-2009-1185 CVE-2009-1186 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 16, 2009 | Updated: | December 3, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | udev has two vulnerabilities, from the Debian alert:
Sebastian Kramer discovered two vulnerabilities in udev, the /dev and hotplug management daemon. CVE-2009-1185 udev does not check the origin of NETLINK messages, allowing local users to gain root privileges. CVE-2009-1186 udev suffers from a buffer overflow condition in path encoding, potentially allowing arbitrary code execution. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
xine-lib: integer overflow
| Package(s): | xine-lib | CVE #(s): | CVE-2009-0698 | ||||||||||||||||||||
| Created: | April 21, 2009 | Updated: | June 1, 2010 | ||||||||||||||||||||
| Description: | From the CVE entry: Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>