Vigil@nce: Linux kernel, privilege elevation via sock_sendpage, SOCKOPS_WRAP, proto_ops
August 2009 by Vigil@nce
A local attacker can use some types of sockets in order to obtain
root privileges.
Severity: 2/4
Consequences: administrator access/rights, denial of service of
computer
Provenance: user shell
Means of attack: 2 attacks
Ability of attacker: beginner (1/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 14/08/2009
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Linux kernel
– Mandriva Enterprise Server
– Mandriva Linux
– Novell Linux Desktop
– Novell Open Enterprise Server
– OpenSUSE
– Slackware Linux
– SUSE Linux Enterprise Server
DESCRIPTION OF THE VULNERABILITY
Each socket type is associated with a proto_ops structure, which
holds pointers to the functions implementing accept(), bind(), etc.
When a socket type does not support an operation, the corresponding
pointer has to point to a stub such as sock_no_accept(). The
SOCKOPS_WRAP macro initializes these function pointers. However, it
does not initialize the sendpage field of the proto_ops structure.
Impacted protocols are PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25,
PF_AX25, PF_BLUETOOTH, PF_IUCV, PF_INET6 (IPPROTO_SCTP), PF_PPPOX
and PF_ISDN.
Moreover, the sock_sendpage() function does not check whether the
sendpage pointer is valid. It thus calls the function at the
indicated null address, which stops the system. However, if the
VIGILANCE-VUL-8861 vulnerability (https://vigilance.fr/tree/1/8861)
is not corrected, an attacker can mmap the memory address zero and
store a malicious function there. This function then runs with
kernel privileges.
A local attacker can thus call a function (such as sendfile())
which calls sock_sendpage() on some types of sockets, in order to
obtain root privileges.
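Added example, not part of the original advisory and not kernel
source: a user-space C model of the dispatch problem described
above, showing an unchecked call through the sendpage pointer next
to a checked one that falls back to a "not supported" stub. All
type, macro and function names (msock, mproto_ops, MODEL_OPS_WRAP,
dispatch_*, count_null_sendpage) are constructed for illustration.

```c
/* Added illustration: a user-space model, not kernel source. All names are constructed. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

struct msock;                       /* stand-in for struct socket */
typedef ssize_t (*sendpage_fn)(struct msock *, const void *, size_t);
struct mproto_ops {                 /* stand-in for proto_ops, two fields only */
    int (*accept)(struct msock *);
    sendpage_fn sendpage;
};
struct msock { const struct mproto_ops *ops; };

static int stub_no_accept(struct msock *s) { (void)s; return -EOPNOTSUPP; }
static ssize_t stub_no_sendpage(struct msock *s, const void *p, size_t n)
{ (void)s; (void)p; (void)n; return -EOPNOTSUPP; }
static ssize_t real_sendpage(struct msock *s, const void *p, size_t n)
{ (void)s; (void)p; return (ssize_t)n; }   /* pretends all n bytes were sent */

/* Like the macro in the advisory: fills accept, forgets sendpage (stays NULL). */
#define MODEL_OPS_WRAP(name) \
    const struct mproto_ops name = { .accept = stub_no_accept }
MODEL_OPS_WRAP(legacy_ops);
const struct mproto_ops full_ops = { stub_no_accept, real_sendpage };

/* Unchecked dispatch, as described: calls whatever address the field holds. */
ssize_t dispatch_unchecked(struct msock *s, const void *p, size_t n)
{ return s->ops->sendpage(s, p, n); }

/* Checked dispatch: a NULL slot falls back to the "not supported" stub. */
ssize_t dispatch_checked(struct msock *s, const void *p, size_t n)
{
    sendpage_fn fn = s->ops->sendpage ? s->ops->sendpage : stub_no_sendpage;
    return fn(s, p, n);
}

/* Audit helper: count ops tables whose sendpage slot was left NULL. */
size_t count_null_sendpage(const struct mproto_ops *const *tabs, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (tabs[i]->sendpage == NULL) bad++;
    return bad;
}

int main(void)
{
    struct msock legacy = { &legacy_ops };
    printf("checked dispatch on legacy_ops: %zd\n", dispatch_checked(&legacy, "x", 1));
    return 0;
}
```

The audit helper models the other half of the remedy: finding every
ops table whose sendpage slot was never filled, rather than relying
only on the check at the call site.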
CHARACTERISTICS
Identifiers: 516949, BID-36038, CVE-2009-2692, DSA 1862-1, DSA
1864-1, DSA 1865-1, FEDORA-2009-8647, FEDORA-2009-8649,
MDVSA-2009:205, SSA:2009-230-01, SSA:2009-231-01,
SUSE-SA:2009:045, VIGILANCE-VUL-8950
Pointed by: VIGILANCE-VUL-8861, VIGILANCE-VUL-8950,
VIGILANCE-VUL-8953