Freely subscribe to our NEWSLETTER

– Severity: 2/4
– Consequences: administrator access/rights
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 15/07/2009
– Revision date: 17/07/2009

IMPACTED PRODUCTS

– Linux kernel

DESCRIPTION OF THE VULNERABILITY

System calls (select(), poll(), etc.) and memory layout are
different between systems. For example, a program conceived to use
the select() of Solaris may not work with the Linux select()
because of minor behavior changes.

Personalities (or execution domains) indicate how the kernel has
to behave:
– PER_LINUX: normal mode for Linux
– PER_SOLARIS: emulate the Solaris kernel
– PER_IRIX32: emulate the IRIX kernel
– etc.

The PER_CLEAR_ON_SETID macro defines personalities related to
setuid() and setgid() calls.

A process with the CAP_SYS_RAWIO capability is allowed to bypass
the inferior limit defined by the vm.mmap_min_addr sysctl. A suid
root process can therefore mmap memory pages with a low address.
Moreover, as the PER_CLEAR_ON_SETID macro does not contain
MMAP_PAGE_ZERO, it can even mmap the page zero.

A local attacker can therefore use a suid root program (such as
pulseaudio) in order to mmap the page at address zero, and thus
exploit a NULL pointer dereference.

CHARACTERISTICS

– Identifiers: BID-35647, CVE-2009-1895, VIGILANCE-VUL-8861
Pointed by: VIGILANCE-VUL-8861, VIGILANCE-VUL-8873
– Url: http://vigilance.fr/vulnerability/Linux-kernel-privilege-elevation-via-PER-CLEAR-ON-SETID-8861