Vigil@nce - Linux kernel: privilege escalation via scm_set_cred
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a suid/sgid application that relies on SCM credentials in
order to escalate his privileges.
– Impacted products: Fedora, Linux
– Severity: 2/4
– Creation date: 29/04/2013
DESCRIPTION OF THE VULNERABILITY
A Unix or Netlink socket can use the SCM_CREDENTIALS message to obtain
the identity (pid, uid, gid) of the client process. A service can thus
authenticate the connected client.
The scm_set_cred() function of the include/net/scm.h file stores the
credentials of the process. However, it uses the effective uid/gid
instead of the real uid/gid. The credentials reported for suid/sgid
applications are thus incorrect, which may help to bypass a security
feature.
An attacker can therefore use a suid/sgid application that relies on SCM
credentials in order to escalate his privileges.
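The following added example (not from the bulletin or the kernel sources) shows the mechanism described above from the receiving side: a socket enables SO_PASSCRED, the kernel attaches the sender's pid/uid/gid, and the receiver compares them with the real ids of the sender, the check a service authenticating a client this way depends on. It assumes Linux, uses a socketpair inside one process as the sender and receiver, and declares a struct sender_creds mirroring the layout of the kernel's struct ucred.

```c
#define _GNU_SOURCE                 /* exposes SCM_CREDENTIALS on glibc */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02        /* kernel value, in case the libc hides it */
#endif

/* Same layout as the kernel's struct ucred carried by SCM_CREDENTIALS. */
struct sender_creds { pid_t pid; uid_t uid; gid_t gid; };

/* Sends one byte over a socketpair and reads back the SCM_CREDENTIALS the
 * kernel attached to it.  Returns 0 on success and fills *out. */
int recv_kernel_creds(struct sender_creds *out)
{
    int sv[2], on = 1, rc = -1;
    char byte = 'x', data, cbuf[CMSG_SPACE(sizeof *out)];
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    /* The receiving end asks the kernel to attach the sender's credentials.
     * The sender passes no cmsg, so the kernel fills in pid/uid/gid itself;
     * on an unpatched kernel these were the effective ids, as described. */
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &on, sizeof on) < 0 ||
        send(sv[0], &byte, 1, 0) != 1 || recvmsg(sv[1], &msg, 0) < 0)
        goto out;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            rc = 0;
        }
out:
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* The check a service relying on SCM_CREDENTIALS should make: the reported
 * ids must equal the peer's real ids.  Sender and receiver are the same
 * process here, so the expected values are our own.  Returns 1 on match. */
int creds_match_real_ids(void)
{
    struct sender_creds cr;
    if (recv_kernel_creds(&cr) != 0)
        return 0;
    return cr.pid == getpid() && cr.uid == getuid() && cr.gid == getgid();
}
```

Run as a non-setuid process the real and effective ids coincide, so the comparison passes on any kernel; the difference only shows when the sending process is suid/sgid.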
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-privilege-escalation-via-scm-set-cred-12727