[linux-security] local root exploit in Linux kernel



Topic
=====
local root exploit in Linux kernel due to bug in brk() system call

Problem Description
===================
A flaw in bounds checking in the do_brk() function in the Linux kernel,
versions 2.4.22 and earlier (CVE-2003-0961), can allow a local attacker
to gain root privileges. do_brk() extends a process's memory mapping by
a requested length, but it does not check that the resulting range stays
below the user/kernel address boundary (TASK_SIZE), nor that the end
address does not wrap around below the start; a process can therefore
obtain a mapping that reaches into kernel address space. This issue is
known to be exploitable; an exploit that takes advantage of it has been
seen in the wild. The effect is that any local user on the system can
gain root privileges. Immediate action is strongly advised.
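As an added illustration, not kernel source and not part of the original
advisory, the following user-space C program models the check that was
missing: the end of the requested range must not exceed TASK_SIZE and
must not wrap around below its start. Addresses are 32-bit as on i386;
TASK_SIZE = 0xC0000000 (the usual i386 3G/1G split) and a 4 KiB page are
assumed constants, and the function names are mine. The sample requests
in main() are constructed for the demonstration.

```c
/*
 * Added example, not kernel source: models the range check that do_brk()
 * in 2.4.22 and earlier did not perform. Addresses are 32-bit as on i386.
 * TASK_SIZE (0xC0000000, the usual i386 3G/1G split) and the 4 KiB page
 * size are assumed constants for this illustration.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t vaddr_t;                  /* i386-sized virtual address */

#define TASK_SIZE  ((vaddr_t)0xC0000000u)  /* first kernel address (assumed) */
#define PAGE_SIZE  ((vaddr_t)4096u)
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))

/* True if a mapping that ends at 'end' (exclusive) reaches kernel space. */
int ends_in_kernel_space(vaddr_t end)
{
    return end > TASK_SIZE;
}

/*
 * Shape of the vulnerable code: the end of [addr, addr+len) is computed
 * and handed on without asking where it lies. With addr just below
 * TASK_SIZE the result is a kernel address; with addr near 4 GiB the
 * addition wraps and the result is a small user address.
 */
vaddr_t brk_end_unchecked(vaddr_t addr, vaddr_t len)
{
    return addr + PAGE_ALIGN(len);
}

/*
 * Hardened shape: a zero-length request is a no-op, a range that would
 * end above TASK_SIZE is refused, and so is one whose end wraps around
 * below its start. Both tests are needed: a wrapped end is small and
 * would pass the TASK_SIZE comparison on its own.
 */
int brk_range_checked(vaddr_t addr, vaddr_t len, vaddr_t *end)
{
    len = PAGE_ALIGN(len);          /* itself wraps to 0 for len near 4 GiB */
    if (len == 0) {
        *end = addr;                /* nothing to map */
        return 0;
    }
    if (addr + len > TASK_SIZE || addr + len < addr)
        return -EINVAL;
    *end = addr + len;
    return 0;
}

/* Yes/no wrapper for callers that do not need the end address. */
int brk_range_ok(vaddr_t addr, vaddr_t len)
{
    vaddr_t end;
    return brk_range_checked(addr, len, &end) == 0;
}

int main(void)
{
    /* Constructed requests: one ordinary, two hostile. */
    static const struct { const char *what; vaddr_t addr, len; } cases[] = {
        { "ordinary heap growth",      0x08050000u, 0x00010000u },
        { "crosses into kernel space", 0xBFFFF000u, 0x00002000u },
        { "addr + len wraps around",   0xFFFFF000u, 0x00002000u },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        vaddr_t end = brk_end_unchecked(cases[i].addr, cases[i].len);
        printf("%-26s unchecked end=0x%08x%s  checked: %s\n",
               cases[i].what, (unsigned)end,
               ends_in_kernel_space(end) ? " (kernel!)" : "",
               brk_range_ok(cases[i].addr, cases[i].len) ? "allowed" : "EINVAL");
    }
    return 0;
}
```

The point of the third case is that a bounds check written only as
"end <= TASK_SIZE" is not enough on a 32-bit address space: an end that
wrapped around is tiny and passes it, so the "end < start" comparison is
part of the fix, not an optimisation.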

Affected Versions
=================
Kernel versions 2.4.22 and earlier. Distribution kernels with lower
version numbers are affected as well unless they are the patched
packages listed below, which carry the fix as a backport.

Solution
========
Upgrade to kernel 2.4.23 or to a patched kernel package from your
distribution. Note that the distribution packages below keep their old
version numbers (e.g. 2.4.20 on RedHat) and carry the fix as a backport,
so "uname -r" alone does not tell you whether a system is fixed: compare
the installed package version with the ones listed here. In all cases
the fix only takes effect once the machine has been rebooted into the
new kernel.

RedHat 7.x
----------
rpm -Fvh kernel-source-2.4.20-24.7.i386.rpm \
         kernel-doc-2.4.20-24.7.i386.rpm

rpm -ivh kernel<type>-2.4.20-24.7.<arch>.rpm
where <type> is either empty or -smp or -bigmem and <arch> is either
i386, i586, i686, or athlon (check-rpms will list the correct <type>
and <arch> for your system). The kernel package itself is installed
with "rpm -ivh" rather than upgraded with "rpm -Uvh" so that the
previous kernel stays available as a fallback if the new one does not
boot.
After installing the new kernel you must check /etc/grub.conf so that
the new kernel is used by default. Usually the new kernel is added as
the first entry, so this means changing the line "default=<n>" to
"default=0" (GRUB numbers entries from 0, so the first kernel entry in
/etc/grub.conf corresponds to "default=0"). Before rebooting, verify
that the entry selected by "default=" is the one whose "kernel" line
names 2.4.20-24.7. After changing /etc/grub.conf reboot.

RedHat 8.0
----------
rpm -Fvh kernel-source-2.4.20-24.8.i386.rpm \
         kernel-doc-2.4.20-24.8.i386.rpm

rpm -ivh kernel<type>-2.4.20-24.8.<arch>.rpm

[the comments from the 7.x section apply for 8.0 as well]

RedHat 9
--------
rpm -Fvh kernel-source-2.4.20-24.9.i386.rpm \
         kernel-doc-2.4.20-24.9.i386.rpm

rpm -ivh kernel<type>-2.4.20-24.9.<arch>.rpm

[the comments from the 7.x section apply for 9 as well]

SuSE
----
Use the following command to find the kernel type that is
installed on your system:

  rpm -qf /boot/vmlinuz

The following options are possible (disregarding the version and build
number following the name, separated by the "-" character):

  k_deflt   # default kernel, good for most systems.
  k_i386    # kernel for older processors and chipsets
  k_athlon  # kernel made specifically for AMD Athlon(tm) family processors
  k_psmp    # kernel for Pentium-I dual processor systems
  k_smp     # kernel for SMP systems (Pentium-II and above)

SuSE-7.3, 8.0
-------------
rpm -Fvh kernel-source-2.4.18.SuSE-281.i386.rpm
rpm -ivh k_<type>-2.4.18-281.i386.rpm

After installing the kernel you may have to create an initial ramdisk
(initrd) using a command similar to:
mkinitrd 2.4.18-281 /boot/initrd-2.4.18-281.img
(check mkinitrd(8) on your system for the exact syntax it expects).
Then follow the steps mentioned below.

SuSE-8.1
--------
rpm -Fvh kernel-source-2.4.21-151.i386.rpm
rpm -ivh k_<type>-2.4.21-151.i386.rpm

Then follow the steps mentioned below.

SuSE-8.2                                  
--------                                  
rpm -Fvh kernel-source-2.4.20.SuSE-101.i586.rpm
rpm -ivh k_<type>-2.4.20-101.i586.rpm

Then follow the steps mentioned below.

SuSE-9.0                                
--------                                  
rpm -Fvh kernel-source-2.4.21-144.i586.rpm
rpm -ivh k_<type>-2.4.21-144.i586.rpm

Then follow the steps mentioned below.

SuSE - bootloader configuration
-------------------------------
Run the command "grep LOADER_TYPE /etc/sysconfig/bootloader".
If the output shows that you are using lilo, make sure /etc/lilo.conf
has an entry for the new kernel (and for its initrd, if you created
one) and then run "lilo"; lilo records the block addresses of the
kernel image when it runs, so this step is required after every kernel
install. If it shows grub, check the GRUB menu file (/boot/grub/menu.lst
on SuSE) and make sure the default line points to the new kernel
(again: the first kernel entry corresponds to default=0).
After those modifications reboot.

Debian 3.0 (woody)
------------------
Update to kernel-source-2.4.18_2.4.18-14_all.deb,
          kernel-doc-2.4.18_2.4.18-14_all.deb,
          kernel-image-2.4.18-1-<arch>_2.4.18-12_i386.deb,
          kernel-pcmcia-modules-2.4.18-1-<arch>_2.4.18-12_i386.deb,
          kernel-headers-2.4.18-1-<arch>_2.4.18-12_i386.deb

where <arch> is one of 386, 586tsc, 686, 686-smp, k6 or k7 (the generic
kernel-headers-2.4.18-1 package has no <arch> suffix). With the
security.debian.org source in /etc/apt/sources.list the packages are
fetched with "apt-get update && apt-get install
kernel-image-2.4.18-1-<arch>"; afterwards make sure the bootloader
(lilo or the GRUB menu) refers to the new image, then reboot.

Mandrake 9.0
------------
rpm -Fvh kernel-source-2.4.19-36mdk.i586.rpm
rpm -ivh kernel<type>-2.4.19-36mdk-1-1mdk.i586.rpm

where <type> is one of -enterprise, -secure, -smp or empty.

Mandrake 9.1                                               
------------                                                
rpm -Fvh kernel-source-2.4.21-0.26mdk.i586.rpm
rpm -ivh kernel<type>-2.4.21.0.26mdk-1-1mdk.i586.rpm

where <type> is one of -enterprise, -secure, -smp or empty.

The update procedure for a Mandrake kernel is similar to RedHat's:
install (do not upgrade) the kernel package, point the bootloader's
default entry at the new kernel, and reboot.

Fedora 1
--------
The Fedora 1 kernel, version 2.4.22-1.2115.nptl, is already patched
against the do_brk() bug, so Fedora 1 is not vulnerable to it.
Unrelated to do_brk(), there is a new kernel release for Fedora 1 that
fixes a less serious bug which could lead to a local DoS attack
(kernel crash). Here is the update information for that bug:

rpm -Fvh kernel-source-2.4.22-1.2129.nptl.i386.rpm \
         kernel-doc-2.4.22-1.2129.nptl.i386.rpm \
         kernel-debuginfo-2.4.22-1.2129.nptl.<arch>.rpm
rpm -ivh kernel<type>-2.4.22-1.2129.nptl.<arch>.rpm

where <type> is either empty or -smp and <arch> is one of i386, i586,
i686, or athlon.

The kernel upgrade procedure is identical to RedHat's.