Bug 44006 - Linux kernel do_mremap local privilege escalation vulnerability
Status: RESOLVED INVALID
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: x86 Linux
Importance: High critical
Assignee: Gentoo Security
Reported: 2004-03-07 22:40 UTC by Romang
Modified: 2011-10-30 22:45 UTC
Description Romang 2004-03-07 22:40:03 UTC
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200403-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: High
      Title: Linux kernel do_mremap local privilege escalation
             vulnerability
       Date: March 06, 2004
       Bugs: #42024
         ID: 200403-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Reproducible: Always
Steps to Reproduce:
Hello,

You say that the gentoo-sources-2.4.22-r7 is not affected
by do_mremap local privilege escalation vulnerability.

I have read the mail on FullDisclosure :

Synopsis:  Linux kernel do_mremap VMA limit local privilege escalation
           vulnerability
Product:   Linux kernel
Version:   2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24,
           2.6 up to and including 2.6.2
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
CVE:       CAN-2004-0077
Author:    Paul Starzetz <ihaquer@isec.pl>
Date:      March 1, 2004

I decided to test the source code on my Gentoo box.

me@dell me $ uname -a
Linux dell.zataz.net 2.4.22-gentoo-r7 #1 Thu Feb 19 09:51:03 CET 2004 i686   GNU/Linux

me@dell me $ id
uid=1000(me) gid=407(untrusted) groups=407(untrusted),10(wheel),440(cvs)

me@dell me $ ./mremap2 

[+] kernel 2.4.22-gentoo-r7  vulnerable: YES  exploitable YES
    MMAP #56832  0x4ea00000 - 0x4ea01000Segmentation fault
me@dell me $ 
Message from syslogd@dell at Mon Mar  8 07:35:57 2004 ...
dell kernel: grsec: From xxx.xxx.xxx.xxx: signal 11 sent to (mremap2:7016) UID(1000) EUID(1000), parent (bash:2768) UID(1000) EUID(1000)

Message from syslogd@dell at Mon Mar  8 07:35:57 2004 ...
dell kernel: grsec: From xxx.xxx.xxx.xxx: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (mremap2:7016) UID(1000) EUID(1000), parent (bash:2768) UID(1000) EUID(1000)

How can you explain these results?

Regards.

Eric
Comment 1 Cameron Logie 2004-03-08 04:06:44 UTC
Same problem on recently emerged wolk-sources-4.9r4.

[+] kernel 2.4.20-wolk4.9s  vulnerable: YES  exploitable YES
    MMAP #65530  0x50bfa000 - 0x50bfb000
[-] Failed

Regards,
Cammy.
Comment 2 Tim Yamin (RETIRED) gentoo-dev 2004-03-08 08:44:43 UTC
OK; a few people have already asked about the strange output given so I'll just paste in a mail reply I sent out.

---
> Hello,
> 
> You say that the gentoo-sources-2.4.22-r7 is not affected
> by do_mremap local privilege escalation vulnerability.
> 
> I have read the mail on FullDisclosure :
> 
> Version:   2.2 up to and including 2.2.25, 2.4 up to and including
> 2.4.24, 2.6 up to and including 2.6.2

Yes, I released 2.4.22-r7 with the patch for the vulnerability.

> I decide to test the code source on my gentoo box.
> 
> me@dell me $ uname -a
> Linux dell.zataz.net 2.4.22-gentoo-r7 #1 Thu Feb 19 09:51:03 CET 2004
> i686   GNU/Linux
> 
> me@dell me $ id
> uid=1000(me) gid=407(untrusted) groups=407(untrusted),10(wheel),440(cvs)
> 
> me@dell me $ ./mremap2
> 
> [+] kernel 2.4.22-gentoo-r7  vulnerable: YES  exploitable YES
>     MMAP #56832  0x4ea00000 - 0x4ea01000Segmentation fault
> me@dell me $
> Message from syslogd@dell at Mon Mar  8 07:35:57 2004 ...
> dell kernel: grsec: From xxx.xxx.xxx.xxx: signal 11 sent to
> (mremap2:7016) UID(1000) EUID(1000), parent (bash:2768) UID(1000)
> EUID(1000)
> 
> Message from syslogd@dell at Mon Mar  8 07:35:57 2004 ...
> dell kernel: grsec: From xxx.xxx.xxx.xxx: attempted resource overstep
> by requesting 4096 for RLIMIT_CORE against limit 0 by (mremap2:7016)
> UID(1000) EUID(1000), parent (bash:2768) UID(1000) EUID(1000)
> 
> How can you explain this results ?

The "vulnerable: YES  exploitable YES" line is a bad way of testing the 
vulnerability of the kernel by the code posted to Full-Disclosure by 
iSEC. What it does, basically, is just check the kernel version 
(whether it's 2.4.25+) and give a result from that, rather than 
actually checking whether it's vulnerable or a vulnerable version 
but with the patch to make it unaffected by the issue. So you should 
just ignore that line.

The reason you get a Segmentation Fault is because GRSecurity zaps the 
application before it even has time to test the exploit: basically, that 
exploit would end up with a result of "Failed" on 2.4.22-gentoo-r7 
without GRSecurity; and it should just segfault as it did if you have 
GRSecurity.

As you don't get a "Success" output, you're safe from the issue.

Thanks.
---
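The two grsec kernel messages in the report above (the SIGSEGV delivered to mremap2 and the RLIMIT_CORE overstep when it tried to dump core) are the useful detection signal on a GRSecurity kernel. As an added example that is not part of this bug or of Gentoo's tooling, the parser below turns both message formats into structured events; the sample lines are constructed to match the report, with the host name and source address left as placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed sample: the two grsec lines quoted in this bug plus one unrelated
# kernel line the parser must ignore (host name and source address are placeholders).
SAMPLE_LOG = [
    "dell kernel: grsec: From xxx.xxx.xxx.xxx: signal 11 sent to (mremap2:7016) "
    "UID(1000) EUID(1000), parent (bash:2768) UID(1000) EUID(1000)",
    "dell kernel: grsec: From xxx.xxx.xxx.xxx: attempted resource overstep by "
    "requesting 4096 for RLIMIT_CORE against limit 0 by (mremap2:7016) "
    "UID(1000) EUID(1000), parent (bash:2768) UID(1000) EUID(1000)",
    "dell kernel: eth0: link up",
]

# "(comm:pid) UID(n) EUID(n)" block that both message types use for process and parent.
_PROC = r"\(([^:()]+):(\d+)\) UID\((\d+)\) EUID\((\d+)\)"
SIGNAL_RE = re.compile(r"grsec: From (\S+): signal (\d+) sent to " + _PROC + r", parent " + _PROC)
RLIMIT_RE = re.compile(r"grsec: From (\S+): attempted resource overstep by requesting (\d+) "
                       r"for (\w+) against limit (\d+) by " + _PROC + r", parent " + _PROC)
@dataclass
class GrsecEvent:
    kind: str                 # "signal" or "rlimit"
    comm: str
    pid: int
    uid: int
    euid: int
    parent_comm: str
    parent_pid: int
    detail: Dict[str, object] = field(default_factory=dict)

def parse_grsec(line: str) -> Optional[GrsecEvent]:
    # Returns a structured event for a grsec line, None for any other kernel message.
    m = SIGNAL_RE.search(line)
    if m:
        src, sig, comm, pid, uid, euid, pcomm, ppid, _puid, _peuid = m.groups()
        return GrsecEvent("signal", comm, int(pid), int(uid), int(euid), pcomm, int(ppid),
                          {"source": src, "signal": int(sig)})
    m = RLIMIT_RE.search(line)
    if m:
        src, req, res, lim, comm, pid, uid, euid, pcomm, ppid, _puid, _peuid = m.groups()
        return GrsecEvent("rlimit", comm, int(pid), int(uid), int(euid), pcomm, int(ppid),
                          {"source": src, "resource": res, "requested": int(req), "limit": int(lim)})
    return None

def parse_lines(lines: List[str]) -> List[GrsecEvent]:
    return [e for e in (parse_grsec(ln) for ln in lines) if e is not None]

def crashed_unprivileged(events: List[GrsecEvent]) -> List[GrsecEvent]:
    # SIGSEGV (11) delivered to a non-root process: the pattern grsec logged in this report.
    return [e for e in events if e.kind == "signal" and e.detail["signal"] == 11 and e.uid != 0]
```

Feeding `parse_lines(SAMPLE_LOG)` into `crashed_unprivileged` yields the mremap2 crash as uid 1000 under parent bash, which is the record to alert on when an unprivileged user runs a crashing binary on a patched kernel.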
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2004-03-08 08:45:45 UTC
Closing; please see comment #2.