Vigil@nce: Linux kernel, privilege elevation via PER_CLEAR_ON_SETID
July 2009 by Vigil@nce
A local attacker can use personalities in a suid root program in
order to elevate his privileges.
– Severity: 2/4
– Consequences: administrator access/rights
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 15/07/2009
– Revision date: 17/07/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
System calls (select(), poll(), etc.) and memory layout differ between
Unix systems. For example, a program written against the Solaris
select() may not work with the Linux select() because of minor
behavioural differences.
Personalities (or execution domains) indicate how the kernel has
to behave:
– PER_LINUX: normal mode for Linux
– PER_SOLARIS: emulate the Solaris kernel
– PER_IRIX32: emulate the IRIX kernel
– etc.
The PER_CLEAR_ON_SETID macro defines the personality flags that the
kernel clears when a setuid or setgid program is executed.
A process with the CAP_SYS_RAWIO capability is allowed to bypass the
lower limit defined by the vm.mmap_min_addr sysctl, so a suid root
process can mmap memory pages at a low address. Moreover, as the
PER_CLEAR_ON_SETID macro does not contain MMAP_PAGE_ZERO, that flag
survives the setuid exec and the process can even map page zero.
A local attacker can therefore use a suid root program (such as
pulseaudio) in order to mmap the page at address zero, and thus
exploit a NULL pointer dereference.
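Added illustration (not part of the Vigil@nce advisory, nor kernel code): the C program below models the personality mask arithmetic behind this issue and audits the local configuration. It computes which personality flags a process keeps across a setuid exec under a clear mask that omits MMAP_PAGE_ZERO versus the mask found in current kernel headers, then reports the running process's own personality and the vm.mmap_min_addr value. The "vulnerable" mask value is an assumption about the pre-fix kernel; the fallback flag constants mirror the kernel's personality.h values and are only used where that header is absent.

```c
#include <stdio.h>
#ifdef __linux__
#include <sys/personality.h>   /* personality(2) and the flag values */
#endif

/* Fallback definitions (values mirror the kernel's personality.h) so the
 * mask arithmetic also compiles where the header is not available. */
#ifndef MMAP_PAGE_ZERO
#define PER_LINUX          0x0000
#define ADDR_NO_RANDOMIZE  0x0040000
#define MMAP_PAGE_ZERO     0x0100000
#define ADDR_COMPAT_LAYOUT 0x0200000
#define READ_IMPLIES_EXEC  0x0400000
#endif

/* ASSUMPTION: the pre-fix kernel cleared only these two flags on a setuid exec. */
#define CLEAR_ON_SETID_VULNERABLE (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE)
/* PER_CLEAR_ON_SETID as defined in current kernel headers (MMAP_PAGE_ZERO included). */
#define CLEAR_ON_SETID_FIXED \
    (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE | ADDR_COMPAT_LAYOUT | MMAP_PAGE_ZERO)

/* Personality a process keeps after executing a setuid/setgid binary:
 * the exec path does pers &= ~PER_CLEAR_ON_SETID. */
unsigned long personality_after_setid_exec(unsigned long pers, unsigned long clear_mask)
{
    return pers & ~clear_mask;
}

/* 1 if MMAP_PAGE_ZERO would still be set in the privileged image, 0 otherwise. */
int page_zero_survives(unsigned long pers, unsigned long clear_mask)
{
    return (personality_after_setid_exec(pers, clear_mask) & MMAP_PAGE_ZERO) != 0;
}

/* Read vm.mmap_min_addr; returns -1 when the sysctl cannot be read. */
long read_mmap_min_addr(void)
{
    long value = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

int main(void)
{
    /* Constructed input: PER_LINUX with MMAP_PAGE_ZERO set, i.e. the
     * personality an unprivileged caller could hold before exec'ing a suid binary. */
    unsigned long pers = PER_LINUX | MMAP_PAGE_ZERO;

    printf("MMAP_PAGE_ZERO kept after setuid exec (vulnerable mask): %s\n",
           page_zero_survives(pers, CLEAR_ON_SETID_VULNERABLE) ? "yes" : "no");
    printf("MMAP_PAGE_ZERO kept after setuid exec (fixed mask):      %s\n",
           page_zero_survives(pers, CLEAR_ON_SETID_FIXED) ? "yes" : "no");

#ifdef __linux__
    /* Live check of this process: 0xffffffff queries the current personality. */
    int cur = personality(0xffffffff);
    printf("current personality: 0x%x, MMAP_PAGE_ZERO %s\n", (unsigned)cur,
           (cur & MMAP_PAGE_ZERO) ? "set" : "clear");
#endif

    long min_addr = read_mmap_min_addr();
    if (min_addr >= 0)
        printf("vm.mmap_min_addr = %ld%s\n", min_addr,
               min_addr == 0 ? " (low pages mappable by unprivileged users)" : "");
    return 0;
}
```

On a patched kernel the second line prints "no": the fixed mask strips MMAP_PAGE_ZERO at exec time, so a non-zero vm.mmap_min_addr again applies to the privileged image. The live check only reports the auditing process's own flags and the sysctl floor; it does not attempt any mapping.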
CHARACTERISTICS
– Identifiers: BID-35647, CVE-2009-1895, VIGILANCE-VUL-8861
– Pointed by: VIGILANCE-VUL-8861, VIGILANCE-VUL-8873
– Url: http://vigilance.fr/vulnerability/Linux-kernel-privilege-elevation-via-PER-CLEAR-ON-SETID-8861