Vigil@nce: Linux kernel, using forbidden system calls on x86_64

March 2009 by Vigil@nce

SYNTHESIS OF THE VULNERABILITY

On an Intel x86_64 computer, a local attacker can bypass system
call restriction mechanisms.

Gravity: 1/4

Consequences: data flow, disguisement

Provenance: user shell

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Number of vulnerabilities in this bulletin: 2

Creation date: 02/03/2009

IMPACTED PRODUCTS

 Linux kernel

DESCRIPTION OF THE VULNERABILITY

System call numbers are different in 32 bit (x86) and 64 bit
(x86_64):
- 32 bit : 1=exit, 2=fork, 3=read, 4=write, 5=open, 6=close, etc.
- 64 bit : 0=read, 1=write, 2=open, 3=close, etc.
For example, open() can be called via 32b:5 or 64b:2.

A 32 bit process can make a 64 bit call with the "ljmp" and
"syscall" processor instructions. A 64 bit process can make a 32
bit call with interrupt 0x80. However, in both cases, two
system call restriction mechanisms do not detect that the system
call is made with a size (32/64) different from the initial size of
the process. For example, if the open() system call is forbidden,
a 64 bit process (the number 2 is blocked) can switch to 32 bit
and use the number 5 to reach open().

The "seccomp" mechanism, enabled with the "CONFIG_SECCOMP=y"
compilation directive, uses the secure_computing() function, which
is impacted by this vulnerability. [grav:1/4; CESA-2009-004]

The "syscall-audit" mechanism uses the audit_syscall_entry()
function, which is impacted by this vulnerability. [grav:1/4]

An attacker can therefore use 32/64 bit system calls on a 64 bit
computer in order to bypass these mechanisms.
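
The mismatch described above, as a toy model added to this bulletin (it is not kernel code and not from Vigil@nce): a check that decodes the number with the initial size of the process, next to one that decodes it with the entry path actually used. The tables hold only the numbers listed above; all function and type names are hypothetical, and the second check is an illustration of the principle, not the kernel's fix.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not kernel code. All names here are hypothetical. */
enum abi { ABI_32 = 0, ABI_64 = 1 };
#define NR_MAX 7

/* Only the numbers listed in the bulletin; unlisted slots stay NULL. */
static const char *const sys_table[2][NR_MAX] = {
    [ABI_32] = { NULL, "exit", "fork", "read", "write", "open", "close" },
    [ABI_64] = { "read", "write", "open", "close" },
};

static const char *resolve(enum abi abi, unsigned nr)
{
    return (nr < NR_MAX && sys_table[abi][nr]) ? sys_table[abi][nr] : "unlisted";
}

/* Flawed check: decodes nr with the process's initial size. */
static int flawed_allows(enum abi initial, enum abi entry, unsigned nr, const char *forbidden)
{
    (void)entry;   /* the entry path is never consulted */
    return strcmp(resolve(initial, nr), forbidden) != 0;
}

/* ABI-aware check: decodes nr with the path the call actually entered through. */
static int abi_aware_allows(enum abi initial, enum abi entry, unsigned nr, const char *forbidden)
{
    (void)initial;
    return strcmp(resolve(entry, nr), forbidden) != 0;
}

int main(void)
{
    /* Constructed cases: {initial size, entry ABI, number}; open() is forbidden. */
    const struct { enum abi initial, entry; unsigned nr; } c[] = {
        { ABI_64, ABI_64, 2 },   /* native 64 bit open */
        { ABI_64, ABI_32, 5 },   /* the bulletin's example */
        { ABI_32, ABI_64, 2 },   /* reverse direction */
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("initial=%d entry=%d nr=%u is %-5s flawed=%s abi_aware=%s\n",
               c[i].initial ? 64 : 32, c[i].entry ? 64 : 32, c[i].nr, resolve(c[i].entry, c[i].nr),
               flawed_allows(c[i].initial, c[i].entry, c[i].nr, "open") ? "allow" : "deny",
               abi_aware_allows(c[i].initial, c[i].entry, c[i].nr, "open") ? "allow" : "deny");
    return 0;
}
```

In the two mixed-size cases the flawed check decodes the number as something other than open() and lets it through, while the ABI-aware check denies it.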

CHARACTERISTICS

Identifiers: CESA-2009-004, VIGILANCE-VUL-8500

http://vigilance.fr/vulnerability/Linux-kernel-using-forbidden-system-calls-on-x86-64-8500

