Vigil@nce: udev, privilege elevation
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use two udev vulnerabilities in order to
execute code with kernel privileges.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 2
Creation date: 16/04/2009
Revision date: 20/04/2009
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Linux kernel
– OpenSUSE
– Red Hat Enterprise Linux
– Slackware Linux
– SUSE Linux Enterprise Server
DESCRIPTION OF THE VULNERABILITY
The 2.6 kernel uses udev to manage /dev and hotplug devices. It is
impacted by two vulnerabilities.
The NETLINK_KOBJECT_UEVENT message is sent on a PF_NETLINK socket
by the kernel to a user-space process. However, udev does not
check that this message actually comes from kernel space, so it
accepts the associated action, such as creating a device. A local
attacker can therefore obtain root privileges. [grav:2/4; 495051,
BID-34536, CVE-2009-1185]
The util_path_encode() function of the udev/lib/libudev-util.c
file converts special characters to "\xXX", where XX is the
hexadecimal code of the character. The final name is thus longer
than the requested device name, but the function does not reserve
sufficient space to store the new name. An attacker can therefore
trigger a buffer overflow. [grav:2/4; 495052, BID-34539,
CVE-2009-1186]
A local attacker can therefore execute code with kernel privileges.
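Added example, not udev's own code: a bounded encoder illustrating the
sizing issue described above for util_path_encode(). Each escaped
character takes four output bytes, so the encoder tracks the remaining
space and rejects input that does not fit. The function names and the
choice of '/' and '\' as the special characters are assumptions made
for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Assumption: '/' and '\\' are the characters treated as special. */
static int needs_escape(unsigned char c) { return c == '/' || c == '\\'; }

/* Bytes needed for the encoded form of src, including the NUL terminator. */
size_t encoded_size(const char *src)
{
    size_t n = 1;
    for (; *src != '\0'; src++)
        n += needs_escape((unsigned char)*src) ? 4 : 1;
    return n;
}

/* Encode src into dst (dst_len bytes). Returns the encoded length without
 * the terminator, or -1 if dst is too small (dst is then left empty). */
long path_encode_bounded(const char *src, char *dst, size_t dst_len)
{
    static const char hex[] = "0123456789abcdef";
    size_t j = 0;
    if (dst == NULL || dst_len == 0)
        return -1;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        size_t need = needs_escape(c) ? 4 : 1;
        if (dst_len - j <= need) {      /* always keep one byte for the NUL */
            dst[0] = '\0';
            return -1;
        }
        if (need == 4) {
            dst[j++] = '\\';
            dst[j++] = 'x';
            dst[j++] = hex[c >> 4];
            dst[j++] = hex[c & 0x0f];
        } else {
            dst[j++] = (char)c;
        }
    }
    dst[j] = '\0';
    return (long)j;
}

int main(void)
{
    char out[32];   /* the input name below is a constructed sample */
    long n = path_encode_bounded("disk/by-id\\x", out, sizeof out);
    printf("%ld %s\n", n, out);
}
```

A caller that cannot reject long names can size the destination with
encoded_size() first; the worst case is four times the input length plus
one byte for the terminator.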
CHARACTERISTICS
Identifiers: 495051, 495052, BID-34536, BID-34539, CVE-2009-1185,
CVE-2009-1186, DSA 1772-1, FEDORA-2009-3711, FEDORA-2009-3712,
RHSA-2009:0427-01, SSA:2009-111-01, SSA:2009-111-02,
SUSE-SA:2009:020, SUSE-SA:2009:025, VIGILANCE-VUL-8642
http://vigilance.fr/vulnerability/udev-privilege-elevation-8642