Vigil@nce: Linux kernel, privilege elevation via SCM_CREDENTIALS
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can send a message with spoofed (in practice, absent)
SCM_CREDENTIALS data to a Netlink socket, in order to be treated as root
by the service listening on that socket and access it.
– Impacted products: Fedora, Linux
– Severity: 2/4
– Creation date: 22/08/2012
DESCRIPTION OF THE VULNERABILITY
A Unix or Netlink socket can carry SCM_CREDENTIALS ancillary data, which
gives the receiver the pid, uid and gid of the sending process. A service
can thus authenticate the connected client.
In order to optimize performance, the Linux kernel does not force
credentials to be passed on Netlink sockets. A client can therefore send
a message with no credentials at all; the receiving service then sees
pid=0, uid=0 and gid=0 instead of the real values or no credentials at
all. A service that only looks at the uid deduces that the socket client
is root, even though pid 0 never identifies a real sending process.
A local attacker can therefore send a message with spoofed (absent)
SCM_CREDENTIALS data to a Netlink socket, in order to access the service
listening on the socket as if the attacker were root.
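Added example (not from the Vigil@nce bulletin, nor kernel or service code): a receiver-side check a service can apply before trusting SCM_CREDENTIALS, namely requiring that the ancillary data actually arrived and that its pid is non-zero before reading the uid. It is shown on an AF_UNIX socketpair so it runs without a Netlink service; the check itself is the same for either family. It assumes Linux with glibc, and the struct names (creds, peer_msg) and function names are the example's own. On the AF_UNIX pair the kernel attaches the sender's real pid/uid/gid once SO_PASSCRED is set on the receiver; the all-zero case the bulletin describes is modelled with a constructed zeroed structure. The last function shows the complementary point that explicitly forged credentials (uid 0 from an unprivileged sender) are rejected by the kernel with EPERM, which is why the attack relies on omitting credentials rather than forging them.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* Linux value; glibc exposes it only under _GNU_SOURCE */
#endif

/* Same layout as the kernel's struct ucred (pid, uid, gid). */
struct creds { pid_t pid; uid_t uid; gid_t gid; };

struct peer_msg {
    int have_creds;      /* 1 only if an SCM_CREDENTIALS cmsg arrived */
    struct creds creds;  /* meaningful only when have_creds == 1 */
    char payload[64];
};

/* Receive one datagram and extract SCM_CREDENTIALS. 0 on success, -1 on error. */
int recv_with_creds(int fd, struct peer_msg *out)
{
    char cbuf[CMSG_SPACE(sizeof(struct creds))];
    struct iovec iov;
    struct msghdr mh;
    struct cmsghdr *c;
    ssize_t n;

    memset(out, 0, sizeof *out);
    memset(&mh, 0, sizeof mh);
    iov.iov_base = out->payload;
    iov.iov_len = sizeof out->payload - 1;
    mh.msg_iov = &iov;  mh.msg_iovlen = 1;
    mh.msg_control = cbuf;  mh.msg_controllen = sizeof cbuf;
    if ((n = recvmsg(fd, &mh, 0)) < 0)
        return -1;
    out->payload[n] = '\0';
    for (c = CMSG_FIRSTHDR(&mh); c != NULL; c = CMSG_NXTHDR(&mh, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS &&
            c->cmsg_len == CMSG_LEN(sizeof(struct creds))) {
            memcpy(&out->creds, CMSG_DATA(c), sizeof out->creds);
            out->have_creds = 1;
        }
    return 0;
}

/* Vulnerable interpretation from the bulletin: uid 0 means root, even when
 * no credentials were attached and the structure is simply all zeros. */
int naive_is_root(const struct peer_msg *m) { return m->creds.uid == 0; }

/* Hardened: credentials must be present and name a real process (pid 0
 * never does) before the uid is consulted. */
int hardened_is_root(const struct peer_msg *m)
{
    return m->have_creds && m->creds.pid != 0 && m->creds.uid == 0;
}

/* Legitimate path: AF_UNIX pair with SO_PASSCRED on the receiver, so the
 * kernel itself attaches the sender's real pid/uid/gid to the message. */
int demo_unix_pair(struct peer_msg *out)
{
    int sv[2], one = 1, rc = -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof one) == 0 &&
        send(sv[0], "ping", 4, 0) == 4)
        rc = recv_with_creds(sv[1], out);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Try to forge SCM_CREDENTIALS claiming uid 0 / gid 0. Returns 0 if the
 * kernel accepted them (needs CAP_SETUID/CAP_SETGID, e.g. running as root),
 * otherwise -errno (-EPERM for an unprivileged sender). */
int try_send_spoofed_root(void)
{
    int sv[2], rc;
    char cbuf[CMSG_SPACE(sizeof(struct creds))], byte = 'x';
    struct creds uc = { getpid(), 0, 0 };
    struct iovec iov = { &byte, 1 };
    struct msghdr mh;
    struct cmsghdr *c;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -errno;
    memset(&mh, 0, sizeof mh);
    memset(cbuf, 0, sizeof cbuf);
    mh.msg_iov = &iov;  mh.msg_iovlen = 1;
    mh.msg_control = cbuf;  mh.msg_controllen = sizeof cbuf;
    c = CMSG_FIRSTHDR(&mh);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_CREDENTIALS;
    c->cmsg_len = CMSG_LEN(sizeof uc);
    memcpy(CMSG_DATA(c), &uc, sizeof uc);
    rc = sendmsg(sv[0], &mh, 0) < 0 ? -errno : 0;
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    struct peer_msg m, none;
    if (demo_unix_pair(&m) != 0) { perror("demo_unix_pair"); return 1; }
    printf("real peer: pid=%d uid=%d gid=%d hardened_is_root=%d\n",
           (int)m.creds.pid, (int)m.creds.uid, (int)m.creds.gid, hardened_is_root(&m));
    memset(&none, 0, sizeof none);  /* constructed stand-in: no cmsg, zeroed creds */
    printf("no creds: naive=%d hardened=%d\n", naive_is_root(&none), hardened_is_root(&none));
    printf("forged uid 0: rc=%d\n", try_send_spoofed_root());
    return 0;
}
```

Build with `cc -o scmcred scmcred.c` and run as an unprivileged user: the real peer prints your own pid/uid/gid, the zeroed structure is root for the naive check and not for the hardened one, and the forged-credentials attempt returns -EPERM. The same hardened_is_root() logic applies unchanged to a Netlink receiver, where, on the kernels covered by this bulletin, an omitted cmsg shows up as a zeroed structure rather than as a missing one.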
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-privilege-elevation-via-SCM-CREDENTIALS-11881