Vigil@nce - Linux kernel : privilege escalation via ptrace SYSRET RIP
July 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use ptrace to plant a non-canonical RIP in a traced
process, so that the kernel's SYSRET return path faults in kernel mode,
on a Linux kernel installed on x86_64, in order to escalate his
privileges.
Impacted products : Debian, Fedora, Linux, SUSE Linux Enterprise
Desktop, SLES, Ubuntu
Severity : 2/4
Creation date : 07/07/2014
Revision date : 09/07/2014
DESCRIPTION OF THE VULNERABILITY
The ptrace() system call lets a tracer observe and control another
process, including reading and writing its saved registers while it is
stopped at a system call.
The SYSCALL and SYSRET instructions enter and return from a system call
on x86_64. SYSRET returns to the user instruction pointer held in RCX
and does not restore the stack pointer; the kernel reloads the user RSP
itself just before executing SYSRET.
The 64-bit RIP register is the instruction pointer (the address of the
next instruction to execute). On x86_64 only canonical addresses are
valid: bits 63 to 47 must all be copies of bit 47.
However, a tracer can use ptrace to write a non-canonical value into the
tracee's saved RIP while it is stopped in a system call. When the kernel
returns from that system call through the SYSRET fast path, an Intel
processor rejects the non-canonical RIP with a general protection fault
that is raised in kernel mode, after the kernel has already loaded the
user-controlled stack pointer. The fault handler therefore runs on an
attacker-chosen stack, which corrupts the processor and kernel state.
(AMD processors return to user mode first and fault there, so the
kernel-mode fault is specific to Intel.) The kernel fix forces the
return from a ptrace stop through the IRET path, which handles a
non-canonical RIP safely.
A local attacker can therefore use ptrace, SYSRET and RIP on a
Linux kernel installed on x86_64, in order to escalate his
privileges.
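The check at the heart of the issue is whether a saved RIP is canonical. The following C program is an added example, not part of the Vigil@nce bulletin and not the kernel's own code. It implements the canonical-address rule for 48-bit x86_64 virtual addresses (an assumption: 4-level paging, the layout of the kernels this bulletin covers), mirrors the return-path decision a fixed kernel makes (SYSRET only for a canonical RIP, IRET otherwise), and, on Linux/x86_64, runs a hypothetical hardened tracer that stops a child at the entry of a getpid() system call, reads its registers with PTRACE_GETREGS and applies the check before writing them back with PTRACE_SETREGS. It never writes a non-canonical RIP itself.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__linux__) && defined(__x86_64__)
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#endif

/* Assumption: 48-bit linear addresses (4-level paging).  An address is
 * canonical when bits 63..47 are all equal to bit 47, i.e. the top 17
 * bits are all 0 or all 1.  SYSRET loads RIP from RCX and raises #GP on
 * a non-canonical value, which is the behaviour this bug turns against
 * the kernel. */
int is_canonical48(uint64_t addr)
{
    uint64_t top17 = addr >> 47;
    return top17 == 0 || top17 == 0x1ffff;
}

/* Return path a fixed kernel should choose for a given saved user RIP:
 * the SYSRET fast path only for a canonical RIP, otherwise the slower
 * IRET path, which faults before any stack switch and can be handled. */
const char *syscall_return_path(uint64_t rip)
{
    return is_canonical48(rip) ? "sysret" : "iret";
}

#if defined(__linux__) && defined(__x86_64__)
/* Hypothetical hardened tracer (not the kernel's code): fork a child,
 * stop it at the entry of its getpid() system call with PTRACE_SYSCALL,
 * inspect the saved registers and apply the canonical check before any
 * PTRACE_SETREGS.  Returns the tracee's saved RIP at that stop, 0 on
 * error.  Requires permission to ptrace a child (e.g. no sandbox). */
static uint64_t trace_getpid_entry(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);              /* hand control to the tracer */
        syscall(SYS_getpid);         /* the system call we stop on */
        _exit(0);
    }

    int status;
    struct user_regs_struct regs;
    uint64_t rip_at_stop = 0;

    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        goto out;
    /* Walk syscall stops until the entry stop of getpid (raise() may
     * issue rt_sigprocmask calls first).  At an entry stop the kernel
     * has set rax to -ENOSYS. */
    for (int i = 0; i < 16; i++) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0)
            goto out;
        if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
            goto out;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
            goto out;
        if (regs.orig_rax == SYS_getpid && (long)regs.rax == -ENOSYS)
            break;
    }
    if (regs.orig_rax != SYS_getpid)
        goto out;

    printf("getpid entry: saved rip=%#llx, return path=%s\n",
           regs.rip, syscall_return_path(regs.rip));
    rip_at_stop = regs.rip;

    /* A tracer may now modify regs; a hardened one refuses to write back
     * a RIP that SYSRET cannot return to.  Here the set is unmodified. */
    if (is_canonical48(regs.rip))
        ptrace(PTRACE_SETREGS, pid, NULL, &regs);
out:
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    waitpid(pid, &status, 0);
    return rip_at_stop;
}

int main(void)
{
    uint64_t rip = trace_getpid_entry();
    printf("tracee rip %#llx is %s\n", (unsigned long long)rip,
           is_canonical48(rip) ? "canonical" : "non-canonical");
    return rip ? 0 : 1;
}
#else
int main(void)
{
    printf("non-canonical RIP %#llx -> %s\n", 0x0000800000000000ULL,
           syscall_return_path(0x0000800000000000ULL));
    return 0;
}
#endif
```

On a vulnerable kernel the dangerous case is a tracer that skips the check and writes a non-canonical RIP with PTRACE_SETREGS; this example deliberately does not do that, since on an unpatched Intel system it would fault in kernel mode. The canonical rule itself is what the later kernel fast-path check tests (the top bits of RCX) before deciding between SYSRET and IRET.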
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-privilege-escalation-via-ptrace-SYSRET-RIP-14994