SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Linux)  >   Linux Kernel Vendors:   [Multiple Authors/Vendors]
Linux 2.2 Kernel Bug in /proc/pid/mem mmap() Interface May Let Local Users Crash the System
SecurityTracker Alert ID:  1005822
SecurityTracker URL:  http://securitytracker.com/id/1005822
CVE Reference:   CVE-2002-1380   (Links to External Site)
Date:  Dec 17 2002
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.2.x
Description:   A vulnerability was reported in the Linux operating system kernel (version 2.2.x) in the /proc/pid/mem interface. A local user could cause the system to crash, requiring a manual reboot to return to normal operations.

RAZOR issued an advisory warning of a flaw in how the /proc/pid/mem mmap() function is validated. According to the report, the /proc/pid/mem interface is used to allow an application to access the memory of another application and is useful in debugging processes, but contains a flaw.

A local user could invoke mmap() with the PROT_READ parameter to request read access to memory pages that are non-readable to the traced process. Due to the flaw, the local user may be granted a memory map that is marked as readable. Then, the local user can reportedly request the kernel to read this memory, causing the system to crash.

Some demonstration exploit code is provided in the Source Message.

According to the report, the 2.4.x kernel does not contain the functionality needed to exploit this flaw, and so is "not immediately vulnerable."

Impact:   A local user could cause the system to hang. A manual reboot may be required to return the system to normal operations.
Solution:   It is reported that, due to implementation reliability issues, the vendor will drop /proc/pid/mem mmap() functionality in 2.2 kernels. Because of this, there will be no fix for the issue that preserves the functionality.

The upcoming 2.2.24 release will reportedly address this issue.

A patch to disable the functionality is provided in the Source Message and in the RAZOR advisory at:

http://razor.bindview.com/publish/advisories/adv_mmap.html

Please read the instructions and caveats if you consider using the patch.

Vendor URL:  www.kernel.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) Linux 2.2 Kernel Bug in /proc/pid/mem mmap() Interface May Let Local Users Crash the System
Red Hat has released a fix.
(EnGarde Issues Fix) Linux 2.2 Kernel Bug in /proc/pid/mem mmap() Interface May Let Local Users Crash the System
EnGarde has released a fix.



 Source Message Contents

Subject:  [Full-Disclosure] RAZOR advisory: Linux 2.2.xx /proc/<pid>/mem mmap() vulnerability



RAZOR advisory: Linux kernel 2.2.x /proc/pid/mem mmap() vulnerability

   Issue Date : 12/17/2002
   Contact    : Michal Zalewski <mzalewsk@razor.bindview.com>
   CVE number : CAN-2002-1380

Topic:

   A locally exploitable system crash vulnerability is present in the
   Linux kernel, versions 2.2.x. The system is likely to hang and
   require a manual reboot.

Affected Systems:

   All Linux systems running 2.2.x kernels. The functionality required
   to exploit this vulnerability is not present in the 2.4.x line as of
   today, and those systems are not immediately vulnerable.

Details:

   The /proc/pid/mem interface is designed to enable one application to,
   under certain conditions, access the memory of another application in
   a convenient way. This feature is very useful for developers or
   administrators who wish to debug or analyze programs running on their
   system. One of ways to access the memory is by directly mapping pages
   using mmap().

   A vulnerability is present in the way this process is validated. It is
   possible for the user to use mmap() interface to request access to memory
   pages that are non-readable to the traced process itself. The user can
   pass PROT_READ parameter to this call to request read access to this
   mapping. Because of insufficient validation, he will be granted a map
   marked as readable. From now on, the user can request his instance to be
   read by the kernel. Doing so will result in crashing the system.

   The problem does not affect 2.4 kernels because, as of today, mmap() on
   /proc/pid/mem is not supported; mmap() interface is no longer available
   on 2.4 because of implementation reliability concerns.

Proof of concept code:

   #define PAGES 10

   #include <asm/page.h>
   #include <sys/mman.h>
   #include <unistd.h>
   #include <stdio.h>
   #include <fcntl.h>
   #include <sys/ptrace.h>

   int main() {
     int ad1,ad2,zer,mem,pid,i;
     zer=open("/dev/zero",O_RDONLY);
     ad1=(int)mmap(0,PAGES*PAGE_SIZE,0,MAP_PRIVATE,zer,0);
     pid=getpid();
     if (!fork()) {
       char p[64];
       ptrace(PTRACE_ATTACH,pid,0,0);
       sleep(1);
       sprintf(p,"/proc/%d/mem",pid);
       mem=open(p,O_RDONLY);
       ad2=(int)mmap(0,PAGES*PAGE_SIZE,PROT_READ,MAP_PRIVATE,mem,ad1);
       write(1,(char*)ad2,PAGES*PAGE_SIZE);
     }
     sleep(100);
     return 0;
   }

Mitigating factors:

   In order to successfully exploit the vulnerability, the attacker would
   need to have the right to execute code of his choice on the local machine.

   Restricting ptrace() or /proc access can help mitigate the risk. Several
   security-enhancing patches such as Openwall or grsecurity offer solutions
   to implement such restrictions.

Workaround / fix:

   There is no immediate fix available. Kernel developers suggest to disable
   mmap() functionality on /proc/pid/mem to address the issue. The following
   patch can be used:

--- linux-2.2/fs/proc/mem.c.old		Sun Mar 25 08:30:58 2001
+++ linux-2.2/fs/proc/mem.c		Tue Dec 10 14:29:05 2002
@@ -323,7 +323,7 @@
        NULL,           /* mem_readdir */
        NULL,           /* mem_poll */
        NULL,           /* mem_ioctl */
-       mem_mmap,       /* mmap */
+       NULL,           /* mmap */
        NULL,           /* no special open code */
        NULL,           /* flush */
        NULL,           /* no special release code */

   Administrators who prefer to patch their systems without the need to
   recompile and reboot, and do not rely on having ptrace() interface
   available to all users, can deploy a loadable module that disables
   ptrace() for non-privileged accounts instead. One of such modules
   can be obtained at http://www.securiteam.com/tools/5SP082K5GK.html .

   Please note that this third-party kernel module is not authored nor
   endorsed by RAZOR, and that compilation and installation of kernel modules
   should be performed by experienced users only.

Vendor Response:

   Because of implementation reliability issues, Linux developers decided to
   drop /proc/pid/mem mmap() functionality in 2.2 kernels. There will be no
   fix for the issue that preserves the functionality.

   Upcoming 2.2.24 release will address this and other bugs in 2.2 kernels.







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC