Vigil@nce: Linux kernel, privilege elevation via SELinux
August 2009 by Vigil@nce
When SELinux is enabled, a local attacker can bypass mmap_min_addr
to exploit a NULL pointer dereference.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: 3 attacks
Ability of attacker: beginner (1/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 18/08/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The sysctl vm.mmap_min_addr, added in version 2.6.23, defines the
lowest virtual address that a user process is allowed to mmap, so that
the page at address zero cannot be populated.
Due to a design choice of SELinux, unconfined domains (such as
unconfined_t or initrc_t) do not honour mmap_min_addr.
A local attacker can therefore mmap the page at address zero, in
order to exploit a NULL pointer dereference.
On its own, this weakness cannot be directly exploited (it is similar to
VIGILANCE-VUL-8861 (https://vigilance.fr/tree/1/8861)), but it can be
combined with other vulnerabilities (kernel NULL pointer dereferences)
to obtain elevated privileges.
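As an added audit example, not part of the Vigil@nce advisory or of any vendor tool: a small C program an administrator can compile to verify whether the current process is allowed to map the zero page, first reading the sysctl and then probing with a harmless PROT_NONE mapping that is released immediately. The file name and function names are my own.

```c
/* Added audit example (not from the Vigil@nce advisory): reports whether
 * vm.mmap_min_addr is actually enforced for the calling process.
 * Build: cc -Wall -o zeropage_check zeropage_check.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Read the sysctl through /proc. Returns the configured value, or -1 when
 * it cannot be read (kernels before 2.6.23 do not have this sysctl). */
long read_mmap_min_addr(void) {
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f == NULL) return -1;
    long value = -1;
    if (fscanf(f, "%ld", &value) != 1) value = -1;
    fclose(f);
    return value;
}

/* Probe: try to place one PROT_NONE anonymous page at address 0 and unmap
 * it at once. A kernel that enforces mmap_min_addr (or a confined SELinux
 * domain) refuses with EPERM/EACCES; an unconfined domain on an affected
 * kernel obtains the mapping. Returns 1 if the zero page was mappable,
 * 0 otherwise. */
int zero_page_mappable(void) {
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, (size_t)page, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, (size_t)page);
    return 1;
}

int main(void) {
    long min_addr = read_mmap_min_addr();
    if (min_addr < 0)
        printf("vm.mmap_min_addr: not available on this kernel\n");
    else
        printf("vm.mmap_min_addr = %ld\n", min_addr);
    if (zero_page_mappable())
        printf("WARNING: this process can map the page at address 0\n");
    else
        printf("OK: mapping address 0 refused (%s)\n", strerror(errno));
    return 0;
}
```

Run it both from an ordinary shell and from an unconfined SELinux domain such as unconfined_t; a system with the fix applied refuses the mapping in both cases.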
CHARACTERISTICS
Identifiers: 18042, BID-36051, CVE-2009-2695, VIGILANCE-VUL-8953
Pointed by: VIGILANCE-VUL-8861, VIGILANCE-VUL-8873,
VIGILANCE-VUL-8950, VIGILANCE-VUL-8953, VIGILANCE-VUL-8969,
VIGILANCE-VUL-8973
http://vigilance.fr/vulnerability/Linux-kernel-privilege-elevation-via-SELinux-8953