Attack vectors deja vu

zimage — Mon, 11 May 2009 07:01:37 +0000

I have to keep an eye on the IT security news. You know, “security is a process not product”. Just recently, Linux kernel vulnerability CVE-2009-1337 caught my attention. This even has l33t in its name The more interesting part is, of course, not the CVE number but the attack vector used in a recent exploit. Basically, a core is dumped to the logrotate.d directory. After this, logrotate executes the malicious code included in this dump since it uses rather naive parsing to find instructions in its configuration files.

Inevitably, this reminded me of a very similar situation from few years ago. In 2006, CVE-2006-2451, which is another kernel vulnerability, allowed core to be dumped in a directory that the attacker isn’t allowed to write to. A weakness in cron.d parsing similar to that in recent versions of logrotate was used as attack vector.

Just a few weeks ago, I had another deja vu. There’s a flaw in udev versions before 1.4.1 that allows local users to gain root privileges by not checking whether a NETLINK message originates from kernel (CVE-2009-1185). It took me some time to remember why this sounded so familiar since the older case is from 2003. Back then, the zebra routing suite failed to check the NETLINK message originators (CVE-2003-0858).

Oh well, to err is human, don’t you think?

Linux kernel vmsplice root exploit

Linux kernel vmsplice root exploit

zimage — Mon, 11 Feb 2008 20:47:38 +0000

Two strings walk into a bar. The first says, “Hello, I’d like a ciderO’y?kI’U`,E’*@???’?? ?!>A~Xx?(y’n?.” The second says, “Please excuse my friend, he’s not null-terminated.”

—

If you are running Linux kernel newer than 2.6.17 but older than 2.6.24.2 or 2.6.23.16 then any local user can easily become root or at least crash your system.

There are actually two different security issues related to vmsplice() system call and both of them could lead to local privileges escalation. This is especially bad for people who don’t fully control content on and access to their servers – e.g. web hosting companies. The other bad news is that vmsplice() is part of the core kernel and there is no configuration option to exclude it.

Two separate exploits have been publicly released which exploit each of the two issues respectively.

The first issue was classified as CVE-2008-0009 and CVE-2008-0010 and was fixed by linux kernels 2.6.23.15 and 2.6.24.1.

The situation with the second issue, classified as CVE-2008-0600 was much worse. It was introduced with the initial implementation of vmsplice() and affects all kernels after 2.6.17 inclusively. There was an exploit in the wild for more than 24 hours without proper fix for the problem. I’m sure that even though there are patched versions now – linux 2.6.24.2 and 2.6.23.16 – at least 2-3 more days will pass before the number of vulnerable systems is reduced enough.

IMHO this is one of the worst 0-day Linux kernel exploits in years. I hope it won’t happen again soon. But you should be careful because all this has happened before and will definitely happen again someday.