SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (Linux)  >   Linux Kernel Vendors:   kernel.org
Linux Kernel RDS Protocol Bug Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1024613
SecurityTracker URL:  http://securitytracker.com/id/1024613
CVE Reference:   CVE-2010-3904   (Links to External Site)
Date:  Oct 20 2010
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.6.30 - 2.6.36-rc8
Description:   A vulnerability was reported in the Linux Kernel. A local user can obtain elevated privileges on the target system.

A local user can issue a specially crafted RDS protocol socket call to execute arbitrary code on the target system with kernel-level privileges.

Systems with the CONFIG_RDS kernel configuration option set and with no restrictions on unprivileged users loading packet family modules are affected.

The vendor was notified on October 13, 2010.

The original advisory is available at:

http://www.vsecurity.com/resources/advisory/20101019-1/

Demonstration exploit code is available at:

http://www.vsecurity.com/download/tools/linux-rds-exploit.c

Dan Rosenberg reported this vulnerability.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued a fix (2.6.36-rc8), available at:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f

Vendor URL:  www.kernel.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:  

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 26 2010 (Red Hat Issues Fix) Linux Kernel RDS Protocol Bug Lets Local Users Gain Elevated Privileges   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Enterprise Linux 5.



 Source Message Contents

Date:  Tue, 19 Oct 2010 14:22:55 -0400
Subject:  VSR Advisories: Linux RDS Protocol Local Privilege Escalation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                         VSR Security Advisory
                       http://www.vsecurity.com/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Linux RDS Protocol Local Privilege Escalation
 Release Date: 2010-10-19
  Application: Linux Kernel
     Versions: 2.6.30 - 2.6.36-rc8
     Severity: High
       Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >
Vendor Status: Patch Released [3]
CVE Candidate: CVE-2010-3904
    Reference: http://www.vsecurity.com/resources/advisory/20101019-1/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
- -------------------
- From [1]:

 "Linux is a free Unix-type operating system originally created by Linus
  Torvalds with the assistance of developers around the world. Developed under
  the GNU General Public License, the source code for Linux is freely available
  to everyone."

- From [2]:

 "Reliable Datagram Sockets (RDS) provide in order, non-duplicating, 
  highly available, low overhead, reliable delivery of datagrams between 
  hundreds of thousands of non-connected endpoints."

Vulnerability Overview
- ----------------------
On October 13th, VSR identified a vulnerability in the RDS protocol, as
implemented in the Linux kernel.  Because kernel functions responsible for
copying data between kernel and user space failed to verify that a
user-provided address actually resided in the user segment, a local attacker
could issue specially crafted socket function calls to write abritrary values
into kernel memory.  By leveraging this capability, it is possible for
unprivileged users to escalate privileges to root.

Vulnerability Details
- ---------------------
On Linux, recvmsg() style socket calls are performed using iovec structs, which
allow a user to specify a base address and size for a buffer used to receive
socket data.  Each packet family is responsible for defining functions that
copy socket data, which is received by the kernel, back to user space to allow
user programs to process and handle received network data.

When performing this copying of data to user space, the RDS protocol failed to
verify that the base address of a user-provided iovec struct pointed to a valid
userspace address before using the __copy_to_user_inatomic() function to copy
the data.  As a result, by providing a kernel address as an iovec base and
issuing a recvmsg() style socket call, a local user could write arbitrary data
into kernel memory.  This can be leveraged to escalate privileges to root.

Proof-of-Concept Exploit
- ------------------------
VSR has developed a proof-of-concept exploit [4] to both demonstrate the
severity of this issue as well as allow users and administrators to verify the
existence of the vulnerability.  The exploit leverages the ability to write
into kernel memory to reset the kernel's security operations structure and gain
root privileges.  The exploit requires that kernel symbol resolution is
available to unprivileged users, via /proc/kallsyms or similar, as is the case
on most stock distributions.  It has been tested on both 32-bit and 64-bit x86
platforms.  While this exploit has been reliable during testing, it is not
advised to run kernel exploits on production systems, as there is a risk of
causing system instability and crashing the affected machine.

Versions Affected
- -----------------
This vulnerability affects unpatched versions of the Linux kernel, starting
from 2.6.30, where the RDS protocol was first included.  Installations are only
vulnerable if the CONFIG_RDS kernel configuration option is set, and if there
are no restrictions on unprivileged users loading packet family modules, as is
the case on most stock distributions.

Vendor Response
- ---------------
The following timeline details Linux's response to the reported issue.

2010-10-13    Vulnerability reported to Linux security team
2010-10-13    Response, agreement on disclosure date
2010-10-19    Fix publicly committed [3]
2010-10-19    Coordinated disclosure

Recommendation
- --------------
Users should either install updates provided by downstream distributions, or
apply the committed patch [3] and recompile their kernel.

Common Vulnerabilities and Exposures (CVE) Information
- ------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-3904 to this issue.  This is a candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

Acknowledgements
- ----------------
Thanks to Andrew Morton, Linus Torvalds, Andy Grover, and Eugene Teo for their
prompt responses and patch.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Linux kernel 
 http://www.linux.org

2. Reliable Datagram Sockets
 http://oss.oracle.com/pipermail/rds-devel/2007-November/000228.html

3. GIT patch 
 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f 

4. RDS protocol privilege escalation exploit
 http://www.vsecurity.com/download/tools/linux-rds-exploit.c

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible
disclosure practices: http://www.vsecurity.com/company/disclosure

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
     Copyright 2010 Virtual Security Research, LLC.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAky93O8ACgkQQ1RSUNR+T+gXiwCgkVifvjPHDD+Xf6JrQJ4NisSW
UKEAn0Rh+XhN3kGUne5sCAGFeGln+qM0
=cKv/
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC