Vigil@nce: Linux kernel, bypassing protections via fcaps
April 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use personalities, in order to bypass
protections of programs which gained their privileges from the
filesystem.
– Severity: 1/4
– Creation date: 20/04/2012
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
System calls (select(), poll(), etc.) and memory layout are
different between systems. For example, a program conceived to use
the select() of Solaris may not work with the Linux select()
because of minor behavior changes.
Personalities (or execution domains) indicate how the kernel has
to behave:
– PER_LINUX: normal mode for Linux
– PER_SOLARIS: emulate the Solaris kernel
– PER_IRIX32: emulate the IRIX kernel
– etc.
These information are stored in the 16 least significant bit.
The 16 most significant bit contain information to change the Linux
behavior:
– ADDR_NO_RANDOMIZE : disable ASLR
– MMAP_PAGE_ZERO : allow to mmap the address 0 (used to exploit
NULL pointers dereferences)
– etc.
The PER_CLEAR_ON_SETID macro defines personalities related to
setuid() and setgid() calls. It uses ADDR_NO_RANDOMIZE and
MMAP_PAGE_ZERO, so attacks are harder to exploit against suid/sgid
programs.
When the filesystem supports capabilities (fcaps), a program can
gain his privileges from the filesystem. However, in this case,
the PER_CLEAR_ON_SETID macro is not used.
A local attacker can therefore use personalities, in order to
bypass protections of programs which gained their privileges from
the filesystem. This vulnerability thus facilitates the
exploitation of another vulnerability in a privileged program, by
disabling ASLR for example.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-bypassing-protections-via-fcaps-11561