Search
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

De la Théorie à la pratique











Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Vigil@nce: Linux kernel, information disclosure on a process

May 2009 by Vigil@nce

A local attacker can obtain information about the memory structure of a process in order to bypass ASLR.

- Severity: 1/4
- Consequences: data reading
- Provenance: user shell
- Means of attack: 1 attack
- Ability of attacker: technician (2/4)
- Confidence: confirmed by the editor (5/5)
- Diffusion of the vulnerable configuration: high (3/3)
- Creation date: 11/05/2009

IMPACTED PRODUCTS

- Linux kernel

DESCRIPTION OF THE VULNERABILITY

The ASLR (Address Space Layout Randomization) feature randomizes various sections (stack, heap and libraries) of a process. Attacks using assembler code are thus harder to implement.

The /proc/$PID/stat file contains information about the state of a process:
- 27th field: start_stack (start of stack)
- 28th field: esp (current address of the stack)
- 29th field: eip (current instruction)
- 34th field: wchan (waiting function, such as wait(), which can also be found in /proc/$PID/wchan)

A local attacker can sample data from this file in order to find various values. He can thus slowly reconstruct the structure of the stack and addresses of libraries.

A local attacker can therefore obtain information about the memory structure of a process in order to bypass ASLR.

CHARACTERISTICS

- Identifiers: VIGILANCE-VUL-8699
- Url: http://vigilance.fr/vulnerability/Linux-kernel-information-disclosure-on-a-process-8699




See previous articles

    

See next articles