Vigil@nce: Linux kernel, memory reading via binfmt_script
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a recursive script, in order to read a
fragment of kernel memory, and to obtain potentially sensitive
data.
– Impacted products: Linux
– Severity: 1/4
– Creation date: 22/10/2012
DESCRIPTION OF THE VULNERABILITY
When the kernel loads a program in a.out or ELF format, it calls
sys_uselib() to load the library analyzing this format. For
example, the ELF format is handled by the load_elf_library()
function of binfmt_elf.c. Similarly, when a file starts with
"#!program", the load_script() function of fs/binfmt_script.c is
called.
In order to protect the system against denials of service, the
maximal number of scripts to call recursively is limited. However,
when this limit is reached, the load_script() function
dereferences an invalid pointer, and copies a kernel memory area
to the user space.
A local attacker can therefore use a recursive script, in order to
read a fragment of kernel memory, and to obtain potentially
sensitive data.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-reading-via-binfmt-script-12086