Vigil@nce - Linux kernel: root file creation via coredump
May 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a coredump with a special configuration of
the Linux kernel, in order to create a file with root privileges.
Impacted products: Linux.
Severity: 1/4.
Creation date: 02/05/2016.
DESCRIPTION OF THE VULNERABILITY
The Linux kernel can be configured with:
– fs.suid_dumpable = 2.
– kernel.core_pattern starting with "/".
– creation of User Namespace allowed.
However, in this case, an attacker can change the root directory,
to force the creation of a coredump file with root privileges and
located in a controllable directory.
An attacker can therefore trigger a coredump with a special
configuration of the Linux kernel, in order to create a file with
root privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Linux-kernel-root-file-creation-via-coredump-19496