[IMC-Tech] serious vulnerability found affecting most common linux kernels

maxigas at anargeek.net maxigas at anargeek.net
Fri Aug 14 08:19:48 PDT 2009


hi!

Here is the superpower bug that was found yesterday in the Linux kernel, prepended by advice on
how to fix it.  I don't claim to understand it properly or to guarantee that the fix works but it
sounds serious so i thought it could be helpful for people at least as grounds for looking into
it.

maxigas

----

> > I tried to send another message _with_ the attached file, but
> > lists.apc.org didn't seem to deliver it.
> >
> > So, here's the contents of disabled-protocols .
> >
> > ================================================
> > # these networking protocols are not needed on this server
> >
> > install net-pf-3  /bin/true             # Amateur Radio AX.25
> > install net-pf-4  /bin/true             # Novell IPX
> > install net-pf-5  /bin/true             # AppleTalk DDP
> > install net-pf-6  /bin/true             # Amateur Radio NET/ROM
> > install net-pf-8  /bin/true             # ATM PVCs
> > install net-pf-9  /bin/true             # Reserved for X.25 project
> > install net-pf-10 /bin/true             # IP version 6
> > install net-pf-11 /bin/true             # Amateur Radio X.25 PLP
> > install net-pf-12 /bin/true             # Reserved for DECnet project
> > install net-pf-13 /bin/true             # Reserved for 802.2LLC project
> > install net-pf-18 /bin/true             # Ash
> > install net-pf-19 /bin/true             # Acorn Econet
> > install net-pf-20 /bin/true             # ATM SVCs
> > install net-pf-22 /bin/true             # Linux SNA Project (nutters!)
> > install net-pf-23 /bin/true             # IRDA sockets
> > install net-pf-24 /bin/true             # PPPoX sockets
> > install net-pf-25 /bin/true             # Wanpipe API Sockets
> > install net-pf-26 /bin/true             # Linux LLC
> > install net-pf-30 /bin/true             # TIPC sockets
> > install net-pf-31 /bin/true             # Bluetooth sockets
> > ________________________________________

> > On the servers where I really care about security, I disable most
> > networking protocols by installing the attached file as:
> >
> >   /etc/modprobe.d/disabled-protocols
> >
> > [Note that this file disables IPv6.]
> >
> > It's safest to reboot after installing this file, in case any of
> > the networking-protocol modules have already been inserted into
> > the kernel.
> >

----

> > Linux NULL pointer dereference due to incorrect proto_ops initializations
> > -------------------------------------------------------------------------
> >
> > In the Linux kernel, each socket has an associated struct of operations
> > called proto_ops which contain pointers to functions implementing various
> > features, such as accept, bind, shutdown, and so on.
> >
> > If an operation on a particular socket is unimplemented, they are
> > expected to point the associated function pointer to predefined stubs,
> > for example if the "accept" operation is undefined it would point to
> > sock_no_accept(). However, we have found that this is not always the case
> > and some of these pointers are left uninitialized.
> >
> > This is not always a security issue, as the kernel validates the pointers
> > at the call site, such as this example from sock_splice_read:
> >
> > static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
> >                     struct pipe_inode_info *pipe, size_t len,
> >                 unsigned int flags)
> > {
> >     struct socket *sock = file->private_data;
> >
> >     if (unlikely(!sock->ops->splice_read))
> >         return -EINVAL;
> >
> >     return sock->ops->splice_read(sock, ppos, pipe, len, flags);
> > }
> >
> > But we have found an example where this is not the case; the
> > sock_sendpage() routine does not validate the function pointer is valid
> > before dereferencing it, and therefore relies on the correct
> > initialization of the proto_ops structure.
> >
> > We have identified several examples where the initialization is
> > incomplete:
> >
> > - The SOCKOPS_WRAP macro defined in include/linux/net.h, which appears
> > correct at first glance, was actually affected. This includes
> > PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25 and PF_AX25 families.
> >
> > - Initializations were missing in other protocols, including
> > PF_BLUETOOTH, PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and
> > PF_ISDN.
> >
> > --------------------
> > Affected Software
> > ------------------------
> >
> > All Linux 2.4/2.6 versions since May 2001 are believed to be affected:
> >
> > - Linux 2.4, from 2.4.4 up to and including 2.4.37.4
> > - Linux 2.6, from 2.6.0 up to and including 2.6.30.4
> >
> > --------------------
> > Consequences
> > -----------------------
> >
> > This issue is easily exploitable for local privilege escalation. In order
> > to exploit this, an attacker would create a mapping at address zero
> > containing code to be executed with privileges of the kernel, and then
> > trigger a vulnerable operation using a sequence like this:
> >
> > /* ... */
> >     int fdin = mkstemp(template);
> >     int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);
> >
> >     unlink(template);
> >
> >     ftruncate(fdin, PAGE_SIZE);
> >
> >     sendfile(fdout, fdin, NULL, PAGE_SIZE);
> > /* ... */
> >
> > Please note, sendfile() is just one of many ways to cause a sendpage
> > operation on a socket.
> >
> > Successful exploitation will lead to complete attacker control of the
> > system.
> >
> > -------------------
> > Mitigation
> > -----------------------
> >
> > Recent kernels with mmap_min_addr support may prevent exploitation if
> > the sysctl vm.mmap_min_addr is set above zero. However, administrators
> > should be aware that LSM based mandatory access control systems, such
> > as SELinux, may alter this functionality.
> >
> > It should also be noted that all kernels up to 2.6.30.2 are vulnerable to
> > published attacks against mmap_min_addr.
> >
> > -------------------
> > Solution
> > -----------------------
> >
> > Linus committed a patch correcting this issue on 13th August 2009.
> >
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
> >
> > -------------------
> > Credit
> > -----------------------
> >
> > This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google
> > Security Team.
> >
> > --
> > -------------------------------------
> > taviso@sdf.lonestar.org | finger me for my gpg key.
> > -------------------------------------------------------
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
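The advisory above contrasts a call site that validates its function pointer (sock_splice_read) with one that does not (sock_sendpage), and traces the root cause to proto_ops tables whose slots were left uninitialised instead of pointing at the sock_no_*() stubs. The following is an added example, not code from the advisory, the kernel or the forwarded mail: a user-space C model of that dispatch pattern. The struct names (`proto_ops_model`, `sock_model`), the three-slot field subset, the `MODEL_PAGE_SIZE` constant and the sample "families" are all constructed for the demo. It shows the two defences a table-of-function-pointers design needs, call-site validation (returning -EINVAL, as sock_splice_read does) and table completion (every NULL slot filled with a stub that fails with -EOPNOTSUPP, the intent behind SOCKOPS_WRAP), and reports, without performing it, whether the unchecked pattern would dereference NULL on a defective table.

```c
/*
 * Added example (not kernel code): a user-space model of the proto_ops
 * dispatch pattern the advisory describes. Struct names and the field
 * subset are hypothetical; the point is the defensive pattern, not the
 * kernel's exact layout.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096 /* constructed value for the demo transfer */

struct sock_model {
    const char *family; /* e.g. "PF_PPPOX (model)"; only used for reporting */
};

/* Hypothetical subset of the kernel's struct proto_ops. */
struct proto_ops_model {
    int (*accept)(struct sock_model *);
    int (*sendpage)(struct sock_model *, size_t);
    int (*splice_read)(struct sock_model *, size_t);
};

/* Stubs playing the role of sock_no_accept(), sock_no_sendpage(), ...:
 * an unimplemented operation must fail cleanly, never crash. */
static int no_accept(struct sock_model *s) { (void)s; return -EOPNOTSUPP; }
static int no_sendpage(struct sock_model *s, size_t n) { (void)s; (void)n; return -EOPNOTSUPP; }
static int no_splice_read(struct sock_model *s, size_t n) { (void)s; (void)n; return -EOPNOTSUPP; }

/* A real implementation for one family (constructed): reports bytes sent. */
static int model_sendpage(struct sock_model *s, size_t n) { (void)s; return (int)n; }

/* Fully initialised table: every slot points at a real function or a stub. */
static const struct proto_ops_model complete_ops = {
    .accept = no_accept,
    .sendpage = model_sendpage,
    .splice_read = no_splice_read,
};

/* Table mirroring the advisory's defect: the sendpage slot is left
 * uninitialised, so it is NULL. */
static const struct proto_ops_model incomplete_ops = {
    .accept = no_accept,
    .splice_read = no_splice_read,
};

/* Defence 1, call-site validation: the pattern of sock_splice_read(). */
static int checked_sendpage(const struct proto_ops_model *ops, struct sock_model *s, size_t n)
{
    if (!ops->sendpage)
        return -EINVAL;
    return ops->sendpage(s, n);
}

/* The flaw: unchecked dispatch as in the pre-fix sock_sendpage(). This
 * model never calls through NULL; it only reports whether the unchecked
 * pattern would dereference a NULL function pointer for this table. */
static int unchecked_would_fault(const struct proto_ops_model *ops)
{
    return ops->sendpage == NULL;
}

/* Defence 2, table completion: fill each NULL slot with its stub, the
 * intent behind SOCKOPS_WRAP. Returns the number of slots repaired. */
static int fill_missing_ops(struct proto_ops_model *ops)
{
    int filled = 0;
    if (!ops->accept)      { ops->accept = no_accept;           filled++; }
    if (!ops->sendpage)    { ops->sendpage = no_sendpage;       filled++; }
    if (!ops->splice_read) { ops->splice_read = no_splice_read; filled++; }
    return filled;
}

/* Scenarios used by main() below; each returns the dispatch result. */
int sendpage_on_complete_table(void)
{
    struct sock_model s = { "PF_INET (model)" };
    return checked_sendpage(&complete_ops, &s, MODEL_PAGE_SIZE);   /* 4096 */
}

int sendpage_on_incomplete_table(void)
{
    struct sock_model s = { "PF_PPPOX (model)" };
    return checked_sendpage(&incomplete_ops, &s, MODEL_PAGE_SIZE); /* -EINVAL */
}

int repair_incomplete_table(void)
{
    struct proto_ops_model ops = incomplete_ops;
    return fill_missing_ops(&ops);                                  /* 1 */
}

int sendpage_after_repair(void)
{
    struct proto_ops_model ops = incomplete_ops;
    struct sock_model s = { "PF_PPPOX (model)" };
    fill_missing_ops(&ops);
    return checked_sendpage(&ops, &s, MODEL_PAGE_SIZE);             /* -EOPNOTSUPP */
}

int main(void)
{
    printf("complete table, checked sendpage:   %d bytes\n", sendpage_on_complete_table());
    printf("incomplete table, unchecked dispatch would fault: %s\n",
           unchecked_would_fault(&incomplete_ops) ? "yes" : "no");
    printf("incomplete table, checked sendpage: %d (-EINVAL)\n", sendpage_on_incomplete_table());
    printf("slots repaired by fill_missing_ops: %d\n", repair_incomplete_table());
    printf("repaired table, sendpage via stub:  %d (-EOPNOTSUPP)\n", sendpage_after_repair());
    return 0;
}
```

Either defence alone closes the hole; the kernel fix referenced in the Solution section works at the call site, while the advisory's remark about SOCKOPS_WRAP and the missing initialisers is the table-completion side. A code-review check for this class of bug is mechanical: for every table of function pointers, either every call site tests for NULL, or the table initialiser is complete (a designated-initialiser audit, as `fill_missing_ops` does at runtime here).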
