Vigil@nce : Linux kernel, privilege elevation via splice
octobre 2008 par Vigil@nce
SYNTHESIS
A local attacker can create a sgid file in order to obtain
privileges of a group.
Gravity : 2/4
Consequences : privileged access/rights
Provenance : user shell
Means of attack : no proof of concept, no attack
Ability of attacker : expert (4/4)
Confidence : confirmed by the editor (5/5)
Diffusion of the vulnerable configuration : high (3/3)
Creation date : 03/10/2008
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION
Each file/directory has a owner and a group. The sgid bit (octal
02000) has the following meaning :
– on a file : when the file is executed, the process has the
privileges of the group of the file (instead of the group of
the user executing the file)
– on a directory : when a file is created in this directory, its
group is the group of the directory (instead of the group of
the user creating the file) (compatible BSD semantic)
The open() and creat() functions have a parameter to indicate the
requested mode when a file is created. A local attacker can
therefore create a file with the sgid bit in a directory which
also has this bit. The file then has the group of the directory
and the sgid bit. The attacker can then use the splice() function
to convert this program to a binary file (he cannot use write()
because this function removes the sgid bit).
A local attacker can therefore create a sgid program in order to
obtain the privileges of the group. To exploit this vulnerability,
a sgid directory has to exist on the system.
CHARACTERISTICS
Identifiers : 464450, BID-31567, CVE-2008-3833, VIGILANCE-VUL-8143