Vigil@nce: Linux kernel, privilege elevation via ptrace_attach
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can obtain privileges of an application via
ptrace_attach().
Severity: 2/4
Consequences: administrator access/rights, privileged access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/05/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The PTRACE_ATTACH feature of ptrace() is used to attach to a
process in order to debug it. The ptrace() function refuses to
attach to a privileged process.
The ptrace_attach() function of the kernel/ptrace.c file
implements PTRACE_ATTACH. This function uses a lock
(current->cred_exec_mutex) to handle privileges. However, another
lock has to be used (task->cred_exec_mutex). Privileges are thus
not handled in an atomic way.
During a call to an exec() function for a suid/sgid process, a
local attacker can call PTRACE_ATTACH to obtain privileges of the
process. This attack may require several trials ("race" attack).
A local attacker can thus obtain privileges of an application via
ptrace_attach().
CHARACTERISTICS
Identifiers: BID-34799, CVE-2009-1527, VIGILANCE-VUL-8688