Vigil@nce: Linux kernel, privilege elevation
October 2008 by Vigil@nce
A local attacker can create a sgid file in order to obtain
privileges of a group.
– Gravity: 2/4
– Consequences: privileged access/rights
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 24/09/2008
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION
Each file/directory has a owner and a group. The sgid bit (octal
02000) has the following meaning:
– on a file: when the file is executed, the process has the
privileges of the group of the file (instead of the group of
the user executing the file)
– on a directory: when a file is created in this directory, its
group is the group of the directory (instead of the group of
the user creating the file) (compatible BSD semantic)
The open() and creat() functions have a parameter to indicate the
requested mode when a file is created. A local attacker can
therefore create a file with the sgid bit in a directory which
also has this bit. The file then has the group of the directory
and the sgid bit. The attacker can then use the ftruncate() and
mmap() functions to convert this program to a binary file (he
cannot use write() because this function removes the sgid bit).
A local attacker can therefore create a sgid program in order to
obtain the privileges of the group. To exploit this vulnerability,
a sgid directory has to exist on the system.
CHARACTERISTICS
– Identifiers: BID-31368, CVE-2008-4210, VIGILANCE-VUL-8132
– Url: http://vigilance.aql.fr/vulnerability/8132