Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (Linux)  >   Linux Kernel Vendors:
Linux Kernel Datagram Serialization Error May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1012363
SecurityTracker URL:
CVE Reference:   CVE-2004-1068   (Links to External Site)
Date:  Nov 30 2004
Impact:   Modification of system information, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.4.28
Description:   A vulnerability was reported in the Linux kernel in the serialization of datagrams. A local user may be able to gain elevated privileges.

It is reported that the kernel does not properly serialize received datagrams. Paul Starzetz reports that a local user can exploit this flaw modify kernel space memory and potentially obtain elevated privileges.

Impact:   A local user may be able to obtain elevated privileges.
Solution:   A fix is available in 2.4.28 and via BitKeeper at:

Vendor URL: (Links to External Site)
Cause:   Access control error

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] Addendum, recent Linux <= 2.4.27 vulnerabilities

Hash: SHA1


while looking at the changelog for 2.4.28, I've found, that a bug I 
independently came over some days ago has been fixed in that release:

David S. Miller:
  o [AF_UNIX]: Serialize dgram read using semaphore just like stream

That fixes missing serialization in unix_dgram_recvmsg().

I was slightly suprised reading the 2.4.27 code and I strongly believe 
that the flaw is fully exploitable to gain elevated privileges. 

There is a subtle race condition finally permitting a non-root user to 
increment (up to 256 times) any arbitrary location(s) in kernel space.

The condition is not easy to exploit since an attacker must trick 
kmalloc() to sleep on allocation of a special chunk of memory and then 
convince the scheduler to execute another thread. But it is feasible.

Conclusion: update as quick as possible to 2.4.28.

- -- 
Paul Starzetz
iSEC Security Research

Version: GnuPG v1.0.7 (GNU/Linux)


Full-Disclosure - We believe in it.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC