Vigil@nce - Linux kernel: privilege escalation via get_dumpable
December 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the sysctl fs/suid_dumpable is set to 2 (SUID_DUMP_ROOT), a
local attacker can dump a suid program, in order to retrieve
information to escalate his privileges.
Impacted products: Linux
Severity: 2/4
Creation date: 02/12/2013
DESCRIPTION OF THE VULNERABILITY
The get_dumpable() function indicates whether a user is allowed to
dump a running program.
However, it is used incorrectly in two places.
When the sysctl fs/suid_dumpable is set to 2 (SUID_DUMP_ROOT), a
local attacker can therefore dump a suid program, in order to
retrieve information to escalate his privileges.
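The following user-space model is an added example, not kernel code and not part of the Vigil@nce bulletin. It assumes the incorrect use was a boolean test of the tri-state get_dumpable() result (the bulletin does not show the code), and it also reads the live sysctl so an administrator can see whether a host runs with the setting named above. The helper names protected_boolean, protected_strict, access_allowed and read_suid_dumpable are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Documented values of the fs.suid_dumpable sysctl / get_dumpable() result. */
enum { SUID_DUMP_DISABLE = 0, SUID_DUMP_USER = 1, SUID_DUMP_ROOT = 2 };

/* Assumed flawed pattern: boolean test, only 0 is treated as protected. */
static bool protected_boolean(int dumpable) { return !dumpable; }

/* Strict pattern: every state except SUID_DUMP_USER is protected. */
static bool protected_strict(int dumpable) { return dumpable != SUID_DUMP_USER; }

/* Hypothetical access decision: protected targets require a capability. */
static bool access_allowed(bool (*is_protected)(int), int dumpable, bool has_cap)
{
    return has_cap || !is_protected(dumpable);
}

/* Read the sysctl from a proc-style file; returns -1 if unreadable. */
static int read_suid_dumpable(const char *path)
{
    int value = -1;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

int main(void)
{
    static const char *names[] = { "SUID_DUMP_DISABLE", "SUID_DUMP_USER", "SUID_DUMP_ROOT" };
    /* Compare both tests for an unprivileged caller (has_cap = false). */
    for (int d = SUID_DUMP_DISABLE; d <= SUID_DUMP_ROOT; d++)
        printf("%-18s boolean test: %-5s strict test: %s\n", names[d],
               access_allowed(protected_boolean, d, false) ? "allow" : "deny",
               access_allowed(protected_strict, d, false) ? "allow" : "deny");

    int live = read_suid_dumpable("/proc/sys/fs/suid_dumpable");
    if (live < 0)
        printf("fs.suid_dumpable: not readable on this system\n");
    else
        printf("fs.suid_dumpable = %d%s\n", live,
               live == SUID_DUMP_ROOT ? " (the setting named in the bulletin)" : "");
    return 0;
}
```

The two tests disagree only for SUID_DUMP_ROOT, which is why the bulletin ties the issue to fs/suid_dumpable being set to 2.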
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-privilege-escalation-via-get-dumpable-13846