SecurityTracker.com Archives - Linux Kernel Race Condition in ia32 Compatability Code Yields Root Privileges to Local Users

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: OS (Linux) > Linux Kernel

Vendors: kernel.org

Linux Kernel Race Condition in ia32 Compatability Code Yields Root Privileges to Local Users

SecurityTracker Alert ID: 1014442

SecurityTracker URL: http://securitytracker.com/id?1014442

CVE Reference: CVE-2005-1768 (Links to External Site)

Updated: Jun 15 2008

Original Entry Date: Jul 11 2005

Impact: Denial of service via local system, Execution of arbitrary code via local system, Root access via local system

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 2.4 - 2.4.31; 2.6 - 2.6.6

Description: A race condition vulnerability was reported in the Linux kernel in the ia32 compatibility code. A local user can execute arbitrary code with kernel level privileges.

The ia32 compatibility execve() system call contains a race condition, affecting x86_64 and ia64 architectures.

A local user can invoke the get_user() function to block while a blocking kmalloc() call is made in the sys32_execve() function. As a result, the local user's thread can modify pointers processed by the sys32_execve() function to trigger a buffer overflow.

A local user may be able to cause a kernel panic or execute arbitrary code with kernel ring 0 privileges.

Ilja van Sprundel from Suresec discovered this vulnerability.

The original advisory is available at:

http://www.suresec.org/advisories/adv4.pdf

Impact: A local user can cause the kernel to crash.

A local user can execute arbitrary code with kernel level privileges.

Solution: A source code fix is available via Bitkeeper. Version 2.4.32-pre1 also contains the fix.

Vendor URL: www.kernel.org/ (Links to External Site)

Cause: Boundary error, State error

Underlying OS: Linux (Caldera/SCO), Linux (Conectiva), Linux (Debian), Linux (EnGarde), Linux (Gentoo), Linux (HP Secure OS), Linux (Immunix), Linux (Mandriva/Mandrake), Linux (Progeny Debian), Linux (Red Hat Enterprise), Linux (Red Hat Fedora), Linux (Red Hat Linux), Linux (SGI), Linux (Slackware), Linux (Sun), Linux (SuSE), Linux (Trustix), Linux (Turbo Linux), Linux (Ubuntu), Linux (Xandros)

Reported By: Suresec Advisories <advisories@suresec.org>

Message History: This archive entry has one or more follow-up message(s) listed below.

Aug 25 2005

(Red Hat Issues Fix) Linux Kernel Race Condition in ia32 Compatability Code Yields Root Privileges to Local Users (bugzilla@redhat.com)
Red Hat has released a fix.

Source Message Contents

Date: Mon, 11 Jul 2005 08:26:21 +0200
From: Suresec Advisories <advisories@suresec.org>
Subject: [Full-disclosure] [ Suresec Advisories ] - Linux kernel ia32

 

Suresec Security Advisory  - #00004
10/07/05

Linux kernel ia32 compatibility race condition 
Advisory: http://www.suresec.org/advisories/adv4.pdf <http://www.suresec.org/advisories/adv3.pdf>

Description:

A race condition vulnerability has been found in the ia32 compatibility 
execve() systemcall. The race condition may lead to heap corruption.

Risk:

Exploitation of this vulnerability may results in panics, oopses or 
in the worst case code exection at ring 0.

Credit:

The vulnerability was discovered by Ilja van Sprundel.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2007, SecurityGlobal.net LLC