Vigil@nce: Linux kernel, bypassing SELinux
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can do network operations, even if the SELinux
"compat_net" policy forbids it.
Severity: 2/4
Consequences: privileged access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/05/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The SELinux "compat_net" policy is used to control network
packets. It has been superseded by "Secmark", but remained
supported up to kernel version 2.6.29.x.
The selinux_ip_postroute_iptables_compat() function in the
security/selinux/hooks.c file is used by "compat_net" to check whether
a user has permission to send a packet. This function checks:
– the interface
– the node
– the port
However, due to a logic error (a missing "if" test), the function
exits prematurely, before the node and the port have been checked.
A local attacker can therefore do network operations, even if the
SELinux "compat_net" policy forbids it.
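As an added illustration (not the kernel's code, and not a reproduction of the exact statement that was missing), here is a constructed C model of the compat_net post-routing check chain described above: a vulnerable variant that exits right after the interface check, beside a corrected variant that also checks the node and the port. The SID values, the allow table and the has_perm() stand-in for avc_has_perm() are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for the netfilter verdicts and for the three
 * compat_net object classes a packet is checked against. */
#define NF_DROP   0
#define NF_ACCEPT 1
enum cls { NETIF, NODE, PORT };
/* Constructed model of a packet: the sending socket's SID and the SIDs of
 * the outgoing interface, the destination node and the destination port. */
struct packet { uint32_t sk_sid, if_sid, node_sid, port_sid; };
/* Constructed policy: socket SID 10 may use interface 100 and port 300,
 * but node 200 is the only destination host it is allowed to reach. */
struct rule { enum cls cls; uint32_t subj, obj; };
static const struct rule allow[] = { {NETIF, 10, 100}, {NODE, 10, 200}, {PORT, 10, 300} };
/* Stand-in for avc_has_perm(): 0 when the access is allowed, -1 when denied. */
static int has_perm(enum cls cls, uint32_t subj, uint32_t obj)
{
	for (size_t i = 0; i < sizeof allow / sizeof allow[0]; i++)
		if (allow[i].cls == cls && allow[i].subj == subj && allow[i].obj == obj)
			return 0;
	return -1;
}
/* Vulnerable shape: the hook exits right after the interface check, so the
 * node and port checks that follow in the real function are never reached. */
int compat_postroute_vulnerable(const struct packet *p)
{
	if (has_perm(NETIF, p->sk_sid, p->if_sid))
		return NF_DROP;
	return NF_ACCEPT;   /* premature exit: node and port never consulted */
}
/* Fixed shape: every object must be permitted before the packet leaves. */
int compat_postroute_fixed(const struct packet *p)
{
	if (has_perm(NETIF, p->sk_sid, p->if_sid))
		return NF_DROP;
	if (has_perm(NODE, p->sk_sid, p->node_sid))
		return NF_DROP;
	if (has_perm(PORT, p->sk_sid, p->port_sid))
		return NF_DROP;
	return NF_ACCEPT;
}
/* Verdict from either implementation (fixed != 0 selects the corrected one)
 * for a packet sent by socket 10 over interface 100 to port 300 on node_sid. */
int verdict(uint32_t node_sid, int fixed)
{
	const struct packet p = { 10, 100, node_sid, 300 };
	return fixed ? compat_postroute_fixed(&p) : compat_postroute_vulnerable(&p);
}
```

With this policy, a packet to node 201 is accepted by the vulnerable variant although only node 200 is permitted, while the corrected variant drops it; an audit log that never shows node or port denials for compat_net traffic is the symptom to look for.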
CHARACTERISTICS
Identifiers: CVE-2009-1184, VIGILANCE-VUL-8687
http://vigilance.fr/vulnerability/Linux-kernel-bypassing-SELinux-8687