Vigil@nce - Linux kernel: privilege escalation via SCM_RIGHTS
September 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use SCM_RIGHTS to spoof a pid, in order to
escalate his privileges on the Linux kernel.
– Impacted products: Linux
– Severity: 2/4
– Creation date: 04/09/2013
DESCRIPTION OF THE VULNERABILITY
A Unix or Netlink socket can carry an SCM_CREDENTIALS message, through
which the receiver obtains information (pid, uid, gid) about the client
process. A service can thus authenticate the connected client.
The scm_check_creds() function in the net/core/scm.c file checks these
credentials. However, the check is not performed against the current
namespace.
A local attacker can therefore use SCM_RIGHTS to spoof a pid, in
order to escalate his privileges on the Linux kernel.
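The service side of the SCM_CREDENTIALS mechanism described above, as an added example that is not part of the Vigil@nce bulletin: a receiver enables SO_PASSCRED and reads the kernel-attached pid/uid/gid from the ancillary data returned by recvmsg(). It uses a socketpair in place of a real Unix-socket service and client (so both ends are the same process), and the pid it reports is relative to the receiver's pid namespace, the detail on which the bulletin's check turns.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* Linux value; glibc hides it without _GNU_SOURCE */
#endif

/* Same layout as Linux's struct ucred, the payload of SCM_CREDENTIALS. */
struct peer_creds { pid_t pid; uid_t uid; gid_t gid; };

/* Service side: receive one message on fd (SO_PASSCRED must be set on it)
 * and copy the kernel-attached SCM_CREDENTIALS into *out.
 * Returns 0 on success, -1 if no credentials were attached. */
int recv_peer_creds(int fd, struct peer_creds *out)
{
    char data[16], cbuf[CMSG_SPACE(sizeof(struct peer_creds))];
    struct iovec iov = { .iov_base = data, .iov_len = sizeof data };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c;

    if (recvmsg(fd, &msg, 0) < 0)
        return -1;
    for (c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 0;
        }
    return -1;
}

/* Constructed demo: a socketpair plays service (sv[0]) and client (sv[1]).
 * The client sends no ancillary data, so the kernel fills in its real
 * identity. Returns 1 if the received pid/uid/gid equal the caller's own,
 * 0 if not, -1 on error. The pid is relative to the receiver's pid
 * namespace and identifies the client only within that namespace. */
int creds_match_self(void)
{
    int sv[2], on = 1, rc = -1;
    struct peer_creds pc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (setsockopt(sv[0], SOL_SOCKET, SO_PASSCRED, &on, sizeof on) == 0 &&
        write(sv[1], "hi", 2) == 2 && recv_peer_creds(sv[0], &pc) == 0)
        rc = pc.pid == getpid() && pc.uid == getuid() && pc.gid == getgid();
    close(sv[0]); close(sv[1]);
    return rc;
}
```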
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-privilege-escalation-via-SCM-RIGHTS-13348