Vigil@nce: Linux kernel, information disclosure on a process
May 2009 by Vigil@nce
A local attacker can obtain information about the memory structure
of a process in order to bypass ASLR.
– Severity: 1/4
– Consequences: data reading
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 11/05/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The ASLR (Address Space Layout Randomization) feature randomizes the
placement of various sections (stack, heap and libraries) of a process.
Attacks that depend on knowing addresses inside the process (for example
injected assembler code) are thus harder to implement.
The /proc/$PID/stat file contains information about the state of a
process:
– 27th field: start_stack (start of stack)
– 28th field: esp (current address of the stack)
– 29th field: eip (current instruction)
– 34th field: wchan (waiting function, such as wait(), which can
also be found in /proc/$PID/wchan)
By repeatedly sampling this file, a local attacker can collect these
values and gradually reconstruct the layout of the stack and the
addresses of the libraries.
A local attacker can therefore obtain information about the memory
structure of a process in order to bypass ASLR.
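An added audit script (not part of the advisory) that parses /proc/<pid>/stat robustly, including a comm field that contains spaces or parentheses, and reports which of the address fields listed above are still exposed to the reader. Field positions follow the 1-based numbering of proc(5) (startstack 28, kstkesp 29, kstkeip 30, wchan 35), which is offset by one from the numbering used above; the two sample stat lines are constructed.

```python
"""Check whether /proc/<pid>/stat exposes stack, instruction-pointer and
wchan addresses (the ASLR information leak described in this advisory).

Positions use the 1-based field numbering of proc(5): pid is field 1,
comm field 2, startstack 28, kstkesp 29, kstkeip 30, wchan 35.
"""
import os

# User-space address fields: a kernel that hides them reports 0 to
# readers who lack ptrace access to the process.
USER_ADDRESS_FIELDS = {"startstack": 28, "kstkesp": 29, "kstkeip": 30}
# wchan: a kernel that hides it reports only 0 or 1 here; anything else
# is a raw kernel address.
WCHAN_FIELD = 35


def parse_stat(line):
    """Split one stat line into fields. comm (field 2) is wrapped in
    parentheses and may itself contain spaces or parentheses, so split
    on the last ')' instead of naively on whitespace."""
    lparen = line.index("(")
    rparen = line.rindex(")")
    pid = line[:lparen].strip()
    comm = line[lparen + 1:rparen]
    return [pid, comm] + line[rparen + 1:].split()


def exposed_addresses(line):
    """Return {field_name: value} for every address field that leaks."""
    fields = parse_stat(line)
    leaked = {}
    for name, pos in USER_ADDRESS_FIELDS.items():
        value = int(fields[pos - 1])
        if value != 0:
            leaked[name] = value
    wchan = int(fields[WCHAN_FIELD - 1])
    if wchan not in (0, 1):
        leaked["wchan"] = wchan
    return leaked


def audit_pid(pid):
    """Read the stat file of a live process and report leaked fields."""
    with open("/proc/%d/stat" % pid) as f:
        return exposed_addresses(f.read())


# Constructed sample: pid 1234, a comm with a space and parentheses, and
# made-up (non-zero) addresses in fields 28-30 and 35.
SAMPLE_LEAKY = (
    "1234 (my (odd) prog) S 1 1234 1234 0 -1 4194304 100 0 0 0 1 1 0 0 20 0 "
    "1 0 5000 10000000 500 18446744073709551615 4194304 4198400 "
    "140737488346112 140737488345000 140181395101184 0 0 0 0 "
    "18446744071583000000 0 0 17 0 0 0 0 0"
)
# Same line as a hardened kernel would present it to an unprivileged reader.
SAMPLE_HARDENED = SAMPLE_LEAKY.replace(
    "140737488346112 140737488345000 140181395101184", "0 0 0"
).replace("18446744071583000000", "1")

if __name__ == "__main__":
    print(exposed_addresses(SAMPLE_LEAKY))     # four leaked fields
    print(exposed_addresses(SAMPLE_HARDENED))  # {}
    if os.path.exists("/proc/self/stat"):
        print(audit_pid(os.getpid()))          # the current process
```

Running audit_pid() against a process owned by another user tells you whether the kernel in use hides these fields from readers without ptrace access.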
CHARACTERISTICS
– Identifiers: VIGILANCE-VUL-8699
– Url: http://vigilance.fr/vulnerability/Linux-kernel-information-disclosure-on-a-process-8699