
[linux-security] local root exploit in Linux kernel



Topic
=====
A flaw in bounds checking in mremap() in the Linux kernel may allow a local
attacker to gain root privileges.

Problem Description
===================
The do_mremap() function of the Linux kernel is used to manage
(move, resize) Virtual Memory Areas (VMAs). By exploiting an incorrect
bounds check in do_mremap() during the remapping of memory, it is
possible to create a VMA with a size of 0.

In normal operation, do_mremap() leaves a memory hole of one page and
creates an additional VMA of two pages. When the flaw is exploited, no
hole is created, but the new VMA has a length of 0 bytes.

From this point on, the kernel's memory management is corrupted, and
local users can abuse this to gain root privileges.

Affected Versions
=================
Linux kernel versions 2.4.x with x < 24.
[2.2 kernels and the 2.6.0 kernel (the final version!) are not affected]

Solution
========
Upgrade to kernel version 2.4.24 (or the patched version for your distribution).

RedHat 7.x
----------
rpm -ivh kernel<type>-2.4.20-28.7.<arch>.rpm
where <type> is either empty or smp, bigmem and <arch> is one of
i386, i586, i686, athlon.

rpm -Fvh kernel-source-2.4.20-28.7.i386.rpm \
         kernel-doc-2.4.20-28.7.i386.rpm

RedHat 8.0
----------
rpm -ivh kernel<type>-2.4.20-28.8.<arch>.rpm
where <type> is either empty or smp, bigmem and <arch> is one of
i386, i586, i686, athlon.

rpm -Fvh kernel-source-2.4.20-28.8.i386.rpm \
         kernel-doc-2.4.20-28.8.i386.rpm

RedHat 9
--------
rpm -ivh kernel<type>-2.4.20-28.9.<arch>.rpm
where <type> is either empty or smp, bigmem and <arch> is one of
i386, i586, i686, athlon.

rpm -Fvh kernel-source-2.4.20-28.9.i386.rpm \
         kernel-doc-2.4.20-28.9.i386.rpm

SuSE-8.0
--------
rpm -ivh k_<type>-2.4.18-282.i386.rpm
where <type> is one of deflt, psmp, smp, i386.
You can determine the correct type for your system with the command:
rpm -qf /boot/vmlinuz

rpm -Fvh kernel-source-2.4.18.SuSE-282.i386.rpm

SuSE-8.1
--------
rpm -ivh k_<type>-2.4.21-168.i586.rpm
where <type> is one of deflt, smp, psmp, athlon.
You can determine the correct type for your system with the command:
rpm -qf /boot/vmlinuz

SuSE-8.2
--------
rpm -ivh k_<type>-2.4.20-101.i586.rpm
where <type> is one of deflt, smp, psmp, athlon.
You can determine the correct type for your system with the command:
rpm -qf /boot/vmlinuz

rpm -Fvh kernel-source-2.4.20.SuSE-102.i586.rpm

SuSE-9.0
--------
rpm -ivh k_<type>-2.4.21-166.i586.rpm
where <type> is one of deflt, smp, smp4G, um, athlon.
You can determine the correct type for your system with the command:
rpm -qf /boot/vmlinuz

rpm -Fvh kernel-source-2.4.21-166.i586.rpm

Fedora 1
--------
rpm -ivh kernel<type>-2.4.22-1.2140.nptl.<arch>.rpm
where <type> is either empty or smp, bigmem and <arch> is one of
i586, i686, athlon.

rpm -Fvh kernel-source-2.4.22-1.2140.nptl.i386.rpm \
         kernel-doc-2.4.22-1.2140.nptl.i386.rpm

Debian 3.0 (woody)
------------------
Upgrade to one of kernel-image-2.4.18-1-386_2.4.18-12.1_i386.deb,
                  kernel-image-2.4.18-1-586tsc_2.4.18-12.1_i386.deb,
                  kernel-image-2.4.18-1-686_2.4.18-12.1_i386.deb,
                  kernel-image-2.4.18-1-686-smp_2.4.18-12.1_i386.deb,
                  kernel-image-2.4.18-1-k6_2.4.18-12.1_i386.deb,
                  kernel-image-2.4.18-1-k7_2.4.18-12.1_i386.deb,
                  kernel-image-2.4.18-bf2.4_2.4.18-5woody6_i386.deb

and one of kernel-pcmcia-modules-2.4.18-1-386_2.4.18-12.1_i386.deb,
           kernel-pcmcia-modules-2.4.18-1-586tsc_2.4.18-12.1_i386.deb,
           kernel-pcmcia-modules-2.4.18-1-686_2.4.18-12.1_i386.deb,
           kernel-pcmcia-modules-2.4.18-1-686-smp_2.4.18-12.1_i386.deb,
           kernel-pcmcia-modules-2.4.18-1-k6_2.4.18-12.1_i386.deb,
           kernel-pcmcia-modules-2.4.18-1-k7_2.4.18-12.1_i386.deb

and one of kernel-headers-2.4.18-1_2.4.18-12.1_i386.deb,
           kernel-headers-2.4.18-1-386_2.4.18-12.1_i386.deb,
           kernel-headers-2.4.18-1-586tsc_2.4.18-12.1_i386.deb,
           kernel-headers-2.4.18-1-686_2.4.18-12.1_i386.deb,
           kernel-headers-2.4.18-1-686-smp_2.4.18-12.1_i386.deb,
           kernel-headers-2.4.18-1-k6_2.4.18-12.1_i386.deb,
           kernel-headers-2.4.18-1-k7_2.4.18-12.1_i386.deb,
           kernel-headers-2.4.18-bf2.4_2.4.18-5woody6_i386.deb

and kernel-doc-2.4.18_2.4.18-14.1_all.deb,
    kernel-source-2.4.18_2.4.18-14.1_all.deb
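
The following check is an added example, not part of the original advisory: it classifies a kernel release string using the range under "Affected Versions" and the fixed RPM builds listed under "Solution". The function name and status strings are hypothetical, and it assumes `uname -r` begins with the package version-release string.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a kernel release string.
# FIXED_BUILDS holds the RPM version-release strings listed under "Solution".
# Assumption: `uname -r` begins with that string (e.g. "2.4.20-28.9smp");
# where it does not, compare the installed package version instead.
FIXED_BUILDS="2.4.20-28.7 2.4.20-28.8 2.4.20-28.9 2.4.22-1.2140.nptl
2.4.18-282 2.4.21-168 2.4.20-101 2.4.21-166"

mremap_status() {
    rel=$1
    # A fixed vendor build: exact match, or followed by a non-digit suffix
    # such as "smp", so that "2.4.20-1010" does not match "2.4.20-101".
    for b in $FIXED_BUILDS; do
        case $rel in
            "$b"|"$b"[!0-9]*) echo "vendor-fixed"; return 0 ;;
        esac
    done
    case $rel in
        2.2.[0-9]*|2.6.0|2.6.0-[0-9]*)
            echo "not-affected" ;;
        2.4.[0-9]*)
            patch=${rel#2.4.}            # "20-28.9smp"
            patch=${patch%%[!0-9]*}      # "20"
            if [ "$patch" -lt 24 ]; then
                echo "in-affected-range"  # upgrade unless vendor confirms a backport
            else
                echo "not-affected"
            fi ;;
        *)
            echo "unknown" ;;            # release not covered by the advisory
    esac
}

# Classify the running kernel, or a release string passed as $1.
mremap_status "${1:-$(uname -r)}"
```

A result of in-affected-range on a distribution kernel means the release string alone cannot confirm the fix; check the installed kernel package against the versions listed above.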