Vigil@nce - Linux kernel: privilege elevation via MSR
February 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker, who has the uid 0, can access to /dev/cpu/*/msr,
in order to execute code with kernel privileges.
Impacted products: Linux
Severity: 1/4
Creation date: 07/02/2013
DESCRIPTION OF THE VULNERABILITY
Intel processors have specific MSR (Model Specific Register)
registers.
A root user (uid 0) can access to the special "/dev/cpu/*/msr"
file. The msr_open() function of the arch/x86/kernel/msr.c file
allows this access. However, it does not check if the user also
has the CAP_SYS_RAWIO capability.
A local attacker, who has the uid 0, but not CAP_SYS_RAWIO, can
therefore access to /dev/cpu/*/msr, in order to execute code with
kernel privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-privilege-elevation-via-MSR-12389