Vigil@nce - Linux kernel: privilege escalation via TUNSETIFF
September 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who holds the CAP_NET_ADMIN capability can use the
TUNSETIFF ioctl of the Linux kernel to gain root privileges.
Impacted products: Linux
Severity: 1/4
Creation date: 13/09/2013
DESCRIPTION OF THE VULNERABILITY
The TUNSETIFF ioctl is used to configure a TUN interface. The
CAP_NET_ADMIN capability is required to perform this operation.
The tun_set_iff() function in the drivers/net/tun.c file handles
TUN interface creation. However, if the interface name is
malformed, a memory area is freed twice (a double free).
An attacker who holds the CAP_NET_ADMIN capability can therefore
use the TUNSETIFF ioctl of the Linux kernel to gain root
privileges.
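Because the flaw is only reachable with CAP_NET_ADMIN, exposure on a host can be gauged by listing the non-root processes that hold that capability. The following is an added example, not part of the Vigil@nce bulletin: it reads the CapEff mask from /proc/<pid>/status, and the function names and sample status excerpts are constructed for illustration.

```python
import os

CAP_NET_ADMIN = 12  # bit index of CAP_NET_ADMIN in linux/capability.h

def parse_status(text):
    """Return (name, effective uid, CapEff mask) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    uids = fields.get("Uid", "").split()  # real, effective, saved, filesystem
    euid = int(uids[1]) if len(uids) > 1 else -1
    return fields.get("Name", "?"), euid, int(fields.get("CapEff", "0"), 16)

def has_net_admin(cap_eff):
    return bool((cap_eff >> CAP_NET_ADMIN) & 1)

def exposed(text):
    """True for a non-root process whose effective set has CAP_NET_ADMIN."""
    _, euid, cap_eff = parse_status(text)
    return euid != 0 and has_net_admin(cap_eff)

def scan(proc="/proc"):
    """List (pid, name, euid, CapEff) for every exposed process."""
    hits = []
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited or is unreadable
        if exposed(text):
            name, euid, cap_eff = parse_status(text)
            hits.append((int(entry), name, euid, hex(cap_eff)))
    return hits

# Constructed status excerpts (not captured from a real host).
SAMPLE_VPN = "Name:\tvpnd\nUid:\t998\t998\t998\t998\nCapEff:\t0000000000001000\n"
SAMPLE_SHELL = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
SAMPLE_ROOT = "Name:\tinit\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    for hit in scan():
        print(hit)
```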
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-privilege-escalation-via-TUNSETIFF-13426