

Linux ASLR vulnerabilities

By Jake Edge
April 29, 2009

A recent LWN comment thread—which unfortunately descended into flames and rudeness—had a post with pointers to two recent pieces of security research on Linux address space layout randomization (ASLR). Both look to be plausible attacks against ASLR, and neither has yet been addressed by the kernel hackers. Perhaps worse than that, though, is that these kinds of problems are evidently not being reported to linux-kernel (or other kernel security channels), or are not being acted on when they are. Over the years, the interaction between security researchers and kernel hackers has often been contentious, to the point where some security researchers may not be reporting the Linux flaws they find through the usual channels.

ASLR is a technique that makes memory-corruption bugs such as buffer overflows harder to exploit by randomizing where the various pieces of an application's address space are placed. Libraries, the heap and the stack are mapped at random addresses each time a process starts, as is the executable's own code if it was built as a position-independent executable (PIE), so that an attacker cannot count on anything being where it was last time. Without ASLR, an attack can use hardcoded addresses of known locations in a process's address space (e.g. specific library functions, or the stack itself) to perform its nefarious deeds. ASLR does not remove the underlying bug; it only denies the attacker the addresses needed to exploit it reliably, which is why keeping those addresses secret matters.

It is important, therefore, that attacker programs be unable to see, or figure out, the memory layout of other processes on the system. An attacker who can obtain that information has every address needed to turn a known buffer overflow in the target program into a working exploit. For that reason, /proc/pid/maps (a file that describes the address space of process id pid) only contains data when read by the owner of that pid, or by someone who could ptrace() it. A recent advisory about memcache and memcacheDB divulging exactly that information, unauthenticated, over the network should be worrisome for just this reason.

The decision to stop letting anyone read the maps file came in 2.6.22, long after ASLR was added in 2.6.12. Based on a presentation [PDF] at this year's CanSecWest conference, though, enough information still leaks from other /proc files to determine the address space layout of a program.

The /proc/pid/stat file reports the current values of the process's instruction and stack pointers (the kstkeip and kstkesp fields), and /proc/pid/wchan reports its "wait channel", the kernel function in which the process is currently blocked; neither file is protected by the ptrace() check applied to maps. Each of those pointer values lies inside one of the randomized regions, so it reveals, to within an offset the attacker can compute from the binary, where that region was placed. Using that information, possibly sampled multiple times, along with a map of the instruction boundaries of the executable, Julien Tinnes and Tavis Ormandy were able to bypass ASLR.
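The following is an added example, not code from the article, the kernel or the Tinnes/Ormandy presentation. It reads /proc/pid/stat and /proc/pid/wchan the way a layout-recovery tool has to, using the field numbering from proc(5), and reports whether the layout-revealing fields (kstkesp and kstkeip, plus startstack two fields earlier in the same file) are visible to a reader that cannot ptrace() the target. The parsing detail worth noticing is the comm field, which is parenthesized and may contain spaces, so the line must be tokenized from its last ')' rather than from the start. Probing pid 1 in main() is an assumption that init is a process the caller does not own.

```c
/*
 * procstat_leak.c: added example, not code from the article, the kernel or
 * the Tinnes/Ormandy presentation.  It reads /proc/<pid>/stat and
 * /proc/<pid>/wchan the way a layout-recovery tool has to, using the field
 * numbering from proc(5), and reports whether the layout-revealing fields
 * are visible to a reader that cannot ptrace() the target.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

struct stat_addrs {
    unsigned long startstack;  /* field 28: bottom of the stack */
    unsigned long kstkesp;     /* field 29: current stack pointer */
    unsigned long kstkeip;     /* field 30: current instruction pointer */
};

/*
 * Field 2 (comm) is parenthesised and may itself contain blanks or ')', so
 * tokenising the whole line on blanks miscounts the fields.  Skip to the
 * last ')' instead: the first field after it is field 3 (state).
 */
int parse_stat_line(const char *line, struct stat_addrs *out)
{
    const char *p = strrchr(line, ')'), *s;
    int field, got = 0;

    if (!p)
        return -1;
    memset(out, 0, sizeof *out);
    for (p++, field = 3; ; field++) {
        while (*p == ' ')
            p++;
        s = p;
        while (*p && *p != ' ' && *p != '\n')
            p++;
        if (p == s)
            break;
        /* strtoul() stops at the blank ending the field, so no copy is needed */
        switch (field) {
        case 28: out->startstack = strtoul(s, NULL, 10); got++; break;
        case 29: out->kstkesp    = strtoul(s, NULL, 10); got++; break;
        case 30: out->kstkeip    = strtoul(s, NULL, 10); got++; break;
        }
    }
    return got == 3 ? 0 : -1;
}

/* 1 if any layout-revealing field is non-zero (visible), 0 if all are hidden. */
int addresses_visible(const struct stat_addrs *a)
{
    return (a->startstack || a->kstkesp || a->kstkeip) ? 1 : 0;
}

/* Read /proc/<pid>/<name> into buf (NUL-terminated); returns bytes read or -1. */
static int read_proc(pid_t pid, const char *name, char *buf, size_t len)
{
    char path[64];
    FILE *f;
    size_t n;

    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, name);
    if (!(f = fopen(path, "r")))
        return -1;
    n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)n;
}

/* addresses_visible() for a live process, or -1 if its stat file is unreadable. */
int stat_leaks_addresses(pid_t pid, struct stat_addrs *out)
{
    char line[4096];

    if (read_proc(pid, "stat", line, sizeof line) <= 0 || parse_stat_line(line, out) < 0)
        return -1;
    return addresses_visible(out);
}

/* wchan holds a kernel symbol name when visible, "0" when hidden or the task is running. */
int wchan_visible(pid_t pid, char *buf, size_t len)
{
    int n = read_proc(pid, "wchan", buf, len);

    return n < 0 ? -1 : (n > 0 && strcmp(buf, "0") != 0);
}

int main(void)
{
    /* pid 1 is a process an unprivileged caller cannot ptrace(), which is the interesting case */
    struct stat_addrs a = { 0, 0, 0 };
    char wchan[128];
    int leak = stat_leaks_addresses(1, &a);

    printf("/proc/1/stat: %s (esp=%#lx eip=%#lx startstack=%#lx)\n",
           leak < 0 ? "unreadable" : leak ? "addresses VISIBLE" : "addresses hidden",
           a.kstkesp, a.kstkeip, a.startstack);
    printf("/proc/1/wchan: %s\n", wchan_visible(1, wchan, sizeof wchan) > 0 ? wchan : "hidden");
    return 0;
}
```

Run it as an unprivileged user against a pid you do not own. On a kernel that applies the ptrace() test to these files, the address fields read as 0 and wchan as "0"; on one that does not, a single non-zero stack pointer already tells you where that process's stack lives.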

The second flaw was presented at Black Hat Europe by Hagen Fritsch; his whitepaper [PDF] describing it is instructive. Essentially, the random number generator (RNG) that the kernel uses to produce the ASLR offsets is flawed in a way that allows those values to be correctly calculated for up to two minutes after a target process has been started.

There is clearly a disconnect between the comment on the get_random_int() function (which uses the IP-layer RNG secure_ip_id()) and the actual re-keying implemented in drivers/char/random.c. The comment claims that the generator is re-keyed every second, but REKEY_INTERVAL in the random driver is five minutes. If ASLR requires an RNG that re-keys every second, a different function should be used. But there is an additional problem.

secure_ip_id() takes a single argument, which it mixes with the current key to produce its output; get_random_int() passes the sum of the caller's pid and the kernel's internal jiffies counter as that argument. So, for the five minutes that a key remains in use, an attacker who can arrange for the same sum to be passed in will get exactly the values the target process got. That can happen in one of two ways. The attacker's process, which can read its own layout from /proc/self/maps, could call execve() on the target within the same jiffy in which it was itself started (the pid does not change across execve(), so only jiffies has to stay the same); that is a rather difficult thing to arrange, for a number of reasons. Or a process could call execve() at a moment when its pid + jiffies is the same as it was for the target process.

An attacker process can instead spawn children until one of them gets the desired pid, then wait for jiffies to reach the value that makes the sum match. Even though the absolute value of jiffies is not visible outside the kernel, various calculations on the differences between jiffies values can be used to narrow down the search. Once again /proc/pid/stat comes into play, since it provides the start time of the target process, though at a granularity typically 2.5 times coarser than jiffies (10ms clock ticks vs. 4ms jiffies with HZ=250), which leaves only a handful of candidate values to try.
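The model below is an added example, not kernel code and not from Fritsch's paper; it covers the get_random_int() structure described in the three preceding paragraphs and the start-time window from the last one. The keyed hash is a stand-in (an FNV-1a style mix), not secure_ip_id()'s halfMD4, and the key is derived from the re-key window number rather than drawn from the entropy pool; what the model preserves is the property the attack rests on, namely that the output depends only on a key that changes every REKEY_INTERVAL and on the single input pid + jiffies. HZ=250 and USER_HZ=100 are assumed, matching the 4ms and 10ms figures above; the target pid, jiffies and secret in main() are constructed values.

```c
/*
 * aslr_rng_model.c: added example, not kernel code and not from Fritsch's
 * paper.  Models the 2.6.29-era get_random_int(): a keyed hash whose key
 * changes only every REKEY_INTERVAL and whose sole input is pid + jiffies.
 * The hash is a stand-in for secure_ip_id(); only the structure matters.
 */
#include <stdint.h>
#include <stdio.h>

#define MODEL_HZ         250UL               /* jiffies per second (assumed kernel config) */
#define MODEL_USER_HZ    100UL               /* clock ticks per second in /proc/<pid>/stat */
#define REKEY_INTERVAL   (300UL * MODEL_HZ)  /* five minutes, as in drivers/char/random.c */

/* Stand-in for secure_ip_id(): deterministic for a given (key, input). */
static uint32_t keyed_hash(uint64_t key, uint32_t input)
{
    uint64_t h = 0xcbf29ce484222325ULL ^ key;
    for (int i = 0; i < 4; i++) {
        h ^= (input >> (8 * i)) & 0xff;
        h *= 0x100000001b3ULL;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* Which re-key window a jiffies value falls in; the key is constant within a window. */
unsigned long rekey_window(unsigned long jiffies)
{
    return jiffies / REKEY_INTERVAL;
}

/* The kernel pulls a fresh key from the entropy pool; the model derives one per window. */
static uint64_t key_for(uint64_t boot_secret, unsigned long jiffies)
{
    return boot_secret ^ (rekey_window(jiffies) * 0x9e3779b97f4a7c15ULL);
}

/* Model of get_random_int(): secure_ip_id(current->pid + jiffies). */
uint32_t model_get_random_int(uint64_t boot_secret, unsigned long pid, unsigned long jiffies)
{
    return keyed_hash(key_for(boot_secret, jiffies), (uint32_t)(pid + jiffies));
}

/*
 * The jiffies value at which a process with pid `apid`, calling execve(),
 * feeds the hash the same input the target (tpid, started at tjiffies) got.
 * Returns 0 if that moment is already past or falls in a later key window.
 */
unsigned long collision_jiffies(unsigned long tpid, unsigned long tjiffies,
                                unsigned long apid, unsigned long now)
{
    unsigned long want;

    if (apid > tpid + tjiffies)
        return 0;
    want = tpid + tjiffies - apid;
    if (want < now || rekey_window(want) != rekey_window(tjiffies))
        return 0;
    return want;
}

/*
 * /proc/<pid>/stat reports starttime in USER_HZ ticks, so the target's start
 * jiffy is only known to within HZ/USER_HZ = 2.5 jiffies.  Fills [lo, hi]
 * and returns the number of candidate jiffies values (2 or 3 here).
 */
unsigned long starttime_candidates(unsigned long long ticks, unsigned long *lo, unsigned long *hi)
{
    *lo = (unsigned long)((ticks * MODEL_HZ + MODEL_USER_HZ - 1) / MODEL_USER_HZ);
    *hi = (unsigned long)(((ticks + 1) * MODEL_HZ + MODEL_USER_HZ - 1) / MODEL_USER_HZ) - 1;
    return *hi - *lo + 1;
}

int main(void)
{
    const uint64_t secret = 0x1234567890abcdefULL;  /* constructed stand-in for pool-derived key material */
    unsigned long tpid = 1000, tjiffies = 5000;     /* constructed target: pid 1000 exec'd at jiffies 5000 */
    unsigned long apid = 1200, lo, hi;
    unsigned long when = collision_jiffies(tpid, tjiffies, apid, 4700);

    printf("target's value:            %08x\n", (unsigned)model_get_random_int(secret, tpid, tjiffies));
    printf("attacker pid %lu at %lu: %08x\n", apid, when,
           (unsigned)model_get_random_int(secret, apid, when));
    printf("starttime 123456 ticks -> %lu candidate jiffies [%lu, %lu]\n",
           starttime_candidates(123456, &lo, &hi), lo, hi);
    return 0;
}
```

The point the model makes is that no property of the hash helps: as long as the key is shared and the only varying input is pid + jiffies, an attacker who controls its own pid and the moment it calls execve() reproduces the target's values exactly, and the start-time field reduces the unknown jiffies value to two or three candidates.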

In addition, Fritsch notes that IP sequence numbers may be leaking information that could assist this attack, because the network stack draws them from the same RNG with the same five-minute re-key interval. He has not looked at whether that is actually the case.

These two vulnerabilities are fairly substantial and should certainly be fixed. Limiting access to the offending /proc files using the same ptrace() test already applied to maps would seem fairly straightforward. The RNG flaw is more subtle and probably requires a fair amount of thought, but it is clear that the randomness currently provided is insufficient, at least for ASLR.

Another report that came out of the comment thread demonstrates a misclassification of security flaws that tends to be very annoying to the security community: labeling a remotely triggerable kernel memory corruption as merely a "denial of service" because its visible symptom is a kernel crash. That is a fairly common thing for distributions and others to do, knowingly or not. As the blog posting indicates, it irritates some researchers:

I'm wondering why kernel developers (or vendors?) continue to claim that kernel memory corruptions are just Denial of Service. Most of the times they _are_ exploitable.. yes, even when the vulnerability is remotely triggered, yes.. even when the corruption takes place in a freaking slub in the middle of a kernel _heap_ .. yes even when you have kernel data pages marked NX and the kernel .text read-only and yes, absolutely yes even when you start only with a 16bit displacement...

That particular vulnerability has long since been fixed in the kernel, but the whole posting is worth a read for those interested in how a kernel buffer overflow can become a remote root exploit (even bypassing SELinux). It is also indicative of the frustration that some in the security community feel about Linux security. For good or ill, Linux security is not well regarded in that community, to the point where it appears that some, possibly large, amount of Linux kernel security research is not being communicated to the kernel community. Perhaps that communication is occurring but is just "flying under the radar"—something that frequently happens with security discussions—as it would be a tragedy to think that known vulnerabilities are simply falling through the cracks.

Comments (8 posted)

New vulnerabilities

acpid: denial of service

Package(s): acpid    CVE #(s): CVE-2009-0798
Created: April 28, 2009    Updated: December 7, 2009
Description: From the Ubuntu advisory: It was discovered that acpid did not properly handle a large number of connections. A local user could exploit this and monopolize CPU resources, leading to a denial of service.
Mandriva MDVSA-2009:107-1 acpid 2009-12-03
Fedora FEDORA-2009-5578 acpid 2009-05-28
Fedora FEDORA-2009-5608 acpid 2009-05-28
Gentoo 200905-06 acpid 2009-05-24
CentOS CESA-2009:0474 acpid 2009-05-07
Red Hat RHSA-2009:0474-01 acpid 2009-05-07
Mandriva MDVSA-2009:107 acpid 2009-05-06
Debian DSA-1786-1 acpid 2009-05-02
Ubuntu USN-766-1 acpid 2009-04-27

Comments (none posted)

apt: incorrect signature checking

Package(s): apt    CVE #(s): CVE-2009-1358
Created: April 27, 2009    Updated: April 29, 2009
Description: From the Debian advisory: A repository that has been signed with an expired or revoked OpenPGP key would still be considered valid by APT. (CVE-2009-1358)

Debian DSA-1779-1 apt 2009-04-26

Comments (none posted)

clamav: multiple vulnerabilities

Package(s): clamav    CVE #(s): CVE-2009-1241 CVE-2009-1371 CVE-2009-1372
Created: April 24, 2009    Updated: December 8, 2009
Description: From the Mandriva advisory:

Unspecified vulnerability in ClamAV before 0.95 allows remote attackers to bypass detection of malware via a modified RAR archive. CVE-2009-1241

The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) via a malformed file with UPack encoding. CVE-2009-1371

Stack-based buffer overflow in the cli_url_canon function in libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted URL. CVE-2009-1372

Mandriva MDVSA-2009:327 clamav 2009-12-08
Gentoo 200909-04 clamav 2009-09-09
Mandriva MDVSA-2009:097 clamav 2009-04-24

Comments (none posted)

firefox: arbitrary code execution

Package(s): firefox    CVE #(s): CVE-2009-1313
Created: April 28, 2009    Updated: May 13, 2009
Description: From the Red Hat advisory: A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox.
Gentoo 201301-01 firefox 2013-01-07
Mandriva MDVSA-2009:111 firefox 2009-05-12
Ubuntu USN-765-1 firefox-3.0, xulrunner-1.9 2009-04-28
Fedora FEDORA-2009-4083 gnome-web-photo 2009-04-28
Fedora FEDORA-2009-4083 kazehakase 2009-04-28
Fedora FEDORA-2009-4083 devhelp 2009-04-28
Fedora FEDORA-2009-4083 pcmanx-gtk2 2009-04-28
Fedora FEDORA-2009-4083 mugshot 2009-04-28
Fedora FEDORA-2009-4083 perl-Gtk2-MozEmbed 2009-04-28
Fedora FEDORA-2009-4083 blam 2009-04-28
Fedora FEDORA-2009-4083 yelp 2009-04-28
Fedora FEDORA-2009-4083 galeon 2009-04-28
Fedora FEDORA-2009-4083 ruby-gnome2 2009-04-28
Fedora FEDORA-2009-4083 xulrunner 2009-04-28
Fedora FEDORA-2009-4083 Miro 2009-04-28
Fedora FEDORA-2009-4083 gecko-sharp2 2009-04-28
Fedora FEDORA-2009-4083 mozvoikko 2009-04-28
Fedora FEDORA-2009-4083 epiphany 2009-04-28
Fedora FEDORA-2009-4083 google-gadgets 2009-04-28
Fedora FEDORA-2009-4083 gnome-python2-extras 2009-04-28
Fedora FEDORA-2009-4083 firefox 2009-04-28
Fedora FEDORA-2009-4078 chmsee 2009-04-28
Fedora FEDORA-2009-4078 mugshot 2009-04-28
Fedora FEDORA-2009-4078 galeon 2009-04-28
Fedora FEDORA-2009-4078 yelp 2009-04-28
Fedora FEDORA-2009-4078 google-gadgets 2009-04-28
Fedora FEDORA-2009-4078 mozvoikko 2009-04-28
Fedora FEDORA-2009-4078 gtkmozembedmm 2009-04-28
Fedora FEDORA-2009-4078 epiphany 2009-04-28
Fedora FEDORA-2009-4078 blam 2009-04-28
Fedora FEDORA-2009-4078 totem 2009-04-28
Fedora FEDORA-2009-4078 xulrunner 2009-04-28
Fedora FEDORA-2009-4078 gnome-web-photo 2009-04-28
Fedora FEDORA-2009-4078 kazehakase 2009-04-28
Fedora FEDORA-2009-4078 Miro 2009-04-28
Fedora FEDORA-2009-4078 evolution-rss 2009-04-28
Fedora FEDORA-2009-4078 epiphany-extensions 2009-04-28
Fedora FEDORA-2009-4078 gnome-python2-extras 2009-04-28
Fedora FEDORA-2009-4078 ruby-gnome2 2009-04-28
Fedora FEDORA-2009-4078 devhelp 2009-04-28
Fedora FEDORA-2009-4078 firefox 2009-04-28
CentOS CESA-2009:0449 firefox 2009-04-28
Red Hat RHSA-2009:0449-01 firefox 2009-04-27

Comments (2 posted)

freetype: arbitrary code execution

Package(s): freetype    CVE #(s): CVE-2009-0946
Created: April 28, 2009    Updated: December 7, 2009
Description: From the Ubuntu advisory: Tavis Ormandy discovered that FreeType did not correctly handle certain large values in font files. If a user were tricked into using a specially crafted font file, a remote attacker could execute arbitrary code with user privileges.
Gentoo 201412-08 insight, perl-tk, sourcenav, tk, partimage, bitdefender-console, mlmmj, acl, xinit, gzip, ncompress, liblzw, splashutils, m4, kdm, gtk+, kget, dvipng, beanstalkd, pmount, pam_krb5, gv, lftp, uzbl, slim, iputils, dvbstreamer 2014-12-11
Mandriva MDVSA-2009:243-2 freetype2 2009-12-05
Mandriva MDVSA-2009:243-1 freetype2 2009-09-22
Mandriva MDVSA-2009:243 freetype2 2009-09-22
Gentoo 200905-05 freetype 2009-05-24
CentOS CESA-2009:1061 freetype 2009-05-22
CentOS CESA-2009:0329 freetype 2009-05-22
Red Hat RHSA-2009:1062-01 freetype 2009-05-22
Red Hat RHSA-2009:1061-02 freetype 2009-05-22
Red Hat RHSA-2009:0329-02 freetype 2009-05-22
SuSE SUSE-SR:2009:010 firefox apport evolution freetype2 java_1_4_2-ibm kdegraphics3 libopenssl libsoup xulrunner opensc python-crypto unbound xpdf 2009-05-12
Debian DSA-1784-1 freetype 2009-04-30
Ubuntu USN-767-1 freetype 2009-04-27

Comments (none posted)

libdbd-pg-perl: multiple vulnerabilities

Package(s): libdbd-pg-perl    CVE #(s): CVE-2009-0663 CVE-2009-1341
Created: April 29, 2009    Updated: December 28, 2009
Description: The libdbd-pg-perl package suffers from a buffer overflow vulnerability (CVE-2009-0663) and a memory leak (CVE-2009-1341) which could enable denial-of-service attacks.
Mandriva MDVSA-2009:344 perl-DBD-Pg 2009-12-28
SuSE SUSE-SR:2009:012 optipng, cups, quagga, pango, strongswan, perl-DBD-Pg, irssi, openssl/libopenssl-devel, net-snmp, ImageMagick/GraphicsMagick, perl, ipsec-tools/novell-ipsec-tools, poppler/libpoppler3/libpoppler4, yast2-ldap-server, tomcat6, gstreamer-plugins/gstreamer010-plugins-bad, apache2-mod_php5 2009-07-03
Red Hat RHSA-2009:1067-01 Red Hat Application Stack 2009-05-26
CentOS CESA-2009:0479 perl-DBD-Pg 2009-05-19
Red Hat RHSA-2009:0479-01 perl-DBD-Pg 2009-05-13
Mandriva MDVSA-2009:255 perl-DBD-Pg 2009-10-02
Debian DSA-1780-1 libdbd-pg-perl 2009-04-28

Comments (none posted)

libmodplug: integer overflow

Package(s): libmodplug    CVE #(s): CVE-2009-1438
Created: April 28, 2009    Updated: December 4, 2009
Description: From the CVE entry: Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp) in libmodplug before 0.8.6, as used in gstreamer-plugins and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted (1) song comment or (2) song name, which triggers a heap-based buffer overflow.
Mandriva MDVSA-2009:128-1 libmodplug 2009-12-03
Debian DSA-1851-1 gst-plugins-bad0.10 2009-08-06
Debian DSA-1850-1 libmodplug 2009-08-04
Gentoo 200907-07 libmodplug 2009-07-12
SuSE SUSE-SR:2009:012 optipng, cups, quagga, pango, strongswan, perl-DBD-Pg, irssi, openssl/libopenssl-devel, net-snmp, ImageMagick/GraphicsMagick, perl, ipsec-tools/novell-ipsec-tools, poppler/libpoppler3/libpoppler4, yast2-ldap-server, tomcat6, gstreamer-plugins/gstreamer010-plugins-bad, apache2-mod_php5 2009-07-03
Mandriva MDVSA-2009:128 libmodplug 2009-06-04
Ubuntu USN-771-1 libmodplug 2009-05-07
Fedora FEDORA-2009-4068 libmodplug 2009-04-28
Fedora FEDORA-2009-4064 libmodplug 2009-04-28

Comments (none posted)
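The libmodplug entry above (and, in less detail, the freetype entry) describes the same bug class: a size taken from the file is used in arithmetic that wraps, the allocation comes out too small, and the copy that follows overruns the heap. What follows is an added example of that class, not libmodplug's or FreeType's code; the record format ([u32 little-endian length][bytes]) and the sample records are constructed for the example. The vulnerable computation is isolated in unchecked_alloc_size() so that it can be run without actually corrupting the heap, next to a reader that rejects the malformed record.

```c
/*
 * length_field.c: added example, not libmodplug's or FreeType's code.  It
 * models the bug class described in the entries above: an attacker-chosen
 * length wraps in narrow arithmetic, the allocation is tiny, and the copy
 * of `len` bytes that follows overruns the heap.  Record format (constructed
 * for the example): [u32 little-endian length][length bytes].
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * The vulnerable computation, isolated so it can be run safely: the size
 * handed to the allocator is len + 1 computed in 32 bits.  For
 * len == 0xffffffff that is 0, so a zero-byte allocation would be followed
 * by a copy of 4 GiB.  The copy is deliberately not performed here.
 */
uint32_t unchecked_alloc_size(uint32_t len)
{
    return len + 1;
}

/*
 * Hardened reader: the declared length must fit in the bytes actually
 * present (which also rules out the wrap, since buflen - 4 < SIZE_MAX), and
 * the + 1 is done in size_t only after that check.  Returns a NUL-terminated
 * copy, or NULL for a malformed record; *consumed reports bytes used.
 */
char *read_pstring_checked(const uint8_t *buf, size_t buflen, size_t *consumed)
{
    uint32_t len;
    char *s;

    if (buflen < 4)
        return NULL;
    len = le32(buf);
    if (len > buflen - 4)   /* declared length exceeds the data present */
        return NULL;
    s = malloc((size_t)len + 1);
    if (!s)
        return NULL;
    memcpy(s, buf + 4, len);
    s[len] = '\0';
    *consumed = 4 + (size_t)len;
    return s;
}

int main(void)
{
    /* constructed records: a sane one and one claiming 0xffffffff bytes */
    const uint8_t good[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t evil[] = { 0xff, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A' };
    size_t used = 0;
    char *s = read_pstring_checked(good, sizeof good, &used);

    printf("good record -> \"%s\" (%zu bytes consumed)\n", s ? s : "(rejected)", used);
    free(s);
    printf("evil record: unchecked alloc size = %u, checked reader %s\n",
           (unsigned)unchecked_alloc_size(le32(evil)),
           read_pstring_checked(evil, sizeof evil, &used) ? "ACCEPTED" : "rejected");
    return 0;
}
```

The check against the remaining input length is the one that matters: it bounds the copy by data the parser has actually been given, so no value of the length field can make the copy larger than the buffer it reads from or the allocation it writes to.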

mahara: insufficient input sanitization

Package(s): mahara    CVE #(s): CVE-2009-0664
Created: April 23, 2009    Updated: April 29, 2009
Description: Mahara has an insufficient input sanitization vulnerability. From the Debian alert: It was discovered that mahara, an electronic portfolio, weblog, and resume builder, is prone to cross-site scripting (XSS) attacks because of missing input sanitization of the introduction text field in user profiles and any text field in a user view.
Debian DSA-1778-1 mahara 2009-04-22

Comments (none posted)

mod_jk: information disclosure

Package(s): mod_jk    CVE #(s): CVE-2008-5519
Created: April 24, 2009    Updated: January 12, 2010
Description: From the Red Hat advisory: An information disclosure flaw was found in mod_jk. In certain situations, if a faulty client set the "Content-Length" header without providing data, or if a user sent repeated requests very quickly, one user may view a response intended for another user.
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
SuSE SUSE-SR:2009:018 cyrus-imapd, neon/libneon, freeradius, strongswan, openldap2, apache2-mod_jk, expat, xpdf, mozilla-nspr 2009-11-10
Gentoo 200906-04 mod_jk 2009-06-29
Red Hat RHSA-2009:1087-01 mod_jk 2009-06-09
Debian DSA-1810-1 libapache-mod-jk 2009-06-02
Red Hat RHSA-2009:0446-01 mod_jk 2009-04-23

Comments (none posted)

mysql: cross-site scripting

Package(s): mysql    CVE #(s): CVE-2008-4456
Created: April 29, 2009    Updated: March 8, 2010
Description: From the Debian advisory: Thomas Henlich reported that the MySQL commandline client application did not encode HTML special characters when run in HTML output mode (that is, "mysql --html ..."). This could potentially lead to cross-site scripting or unintended script privilege escalation if the resulting output is viewed in a browser or incorporated into a web site.
Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12
Gentoo 201201-02 mysql 2012-01-05
rPath rPSA-2010-0014-1 mysql 2010-03-07
Ubuntu USN-897-1 mysql-dfsg-5.0, mysql-dfsg-5.1 2010-02-10
Mandriva MDVSA-2009:326 mysql 2009-12-07
CentOS CESA-2010:0110 mysql 2010-02-17
Red Hat RHSA-2010:0110-01 mysql 2010-02-16
Red Hat RHSA-2009:1461-01 Red Hat Application Stack 2009-09-23
CentOS CESA-2009:1289 mysql 2009-09-15
Red Hat RHSA-2009:1289-02 mysql 2009-09-02
SuSE SUSE-SR:2009:014 dnsmasq, icu, libcurl3/libcurl2/curl/compat-curl2, Xerces-c/xerces-j2, tiff/libtiff, acroread_ja, xpdf, xemacs, mysql, squirrelmail, OpenEXR, wireshark 2009-09-01
Debian DSA-1783 mysql-dfsg-5.0 2009-04-29

Comments (none posted)
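For the mysql entry above, the following is an added example, not MySQL's code: the escaping step that an HTML output mode needs before it writes a cell value. Any value pulled from a table is attacker-influenced data, so the five characters with meaning in HTML text and attributes (&, <, >, " and ') are replaced by entities before the value is wrapped in markup. The <TD> wrapper in format_cell() is illustrative of the output mode, not a claim about the client's exact markup; the payload in main() is constructed.

```c
/*
 * html_escape.c: added example, not MySQL's code.  Shows the escaping an
 * HTML output mode must apply to each cell value so that data containing
 * markup is rendered as text rather than interpreted by the browser.
 */
#include <stdio.h>
#include <string.h>

/* Returns the escaped length (excluding the NUL), or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;

    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        size_t r;

        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        r = strlen(rep);
        if (n + r + 1 > outlen)   /* keep room for the terminating NUL */
            return -1;
        memcpy(out + n, rep, r);
        n += r;
    }
    out[n] = '\0';
    return (int)n;
}

/*
 * Emit one table cell either the vulnerable way (value copied raw into the
 * markup) or the fixed way (value escaped first).  Returns the length
 * written or -1 on truncation.
 */
int format_cell(const char *value, int escape, char *out, size_t outlen)
{
    char esc[1024];
    const char *body = value;
    int n;

    if (escape) {
        if (html_escape(value, esc, sizeof esc) < 0)
            return -1;
        body = esc;
    }
    n = snprintf(out, outlen, "<TD>%s</TD>", body);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* constructed row value that an attacker could have stored in a column */
    const char *payload = "<script>alert(document.cookie)</script>";
    char raw[256], safe[256];

    format_cell(payload, 0, raw, sizeof raw);
    format_cell(payload, 1, safe, sizeof safe);
    printf("unescaped: %s\nescaped:   %s\n", raw, safe);
    return 0;
}
```

The escaped form is what the browser should see; the raw form is a script tag inside a table cell, which is exactly the CVE.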

prewikka: world readable password

Package(s): prewikka    CVE #(s): (none)
Created: April 28, 2009    Updated: April 29, 2009
Description: From the Fedora advisory: The permissions on the prewikka.conf file are world readable and contain the sql database password used by prewikka. This update makes it readable just by the apache group.
Fedora FEDORA-2009-3761 prewikka 2009-04-21
Fedora FEDORA-2009-3789 prewikka 2009-04-21

Comments (none posted)

Page editor: Jake Edge

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds