
Bug 139475

Summary: Kernel: Privilege escalation through prctl() and suid_dumpable (CVE-2006-2451)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: agriffis, chrb, gentoo, kang, kumba, langthang, passnet, raistlin, sgtphou
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=9e4e45f19bdd41b4091e5fe556f816f4046c7598
Whiteboard: [linux <2.6.16.24] [linux >=2.6.17 <2.6.17.4]
Package list:
Runtime testing required: ---
Attachments: unofficial workaround LKM for this behavior (flags: none)

Description Sune Kloppenborg Jeppesen gentoo-dev 2006-07-06 13:14:30 UTC
During security research, Red Hat discovered a behavioral flaw in core
dump handling. A local user could create a program that would cause a
core file to be dumped into a directory they would not normally have
permissions to write to. This could lead to a denial of service (disk
consumption), or allow the local user to gain root privileges.


--- linux-2.6.9/kernel/sys.c.orig
+++ linux-2.6.9/kernel/sys.c
@@ -1702,7 +1702,7 @@ asmlinkage long sys_prctl(int option, un
                                error = 1;
                        break;
                case PR_SET_DUMPABLE:
-                       if (arg2 < 0 || arg2 > 2) {
+                       if (arg2 < 0 || arg2 > 1) {
                                error = -EINVAL;
                                break;
                        }
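Review bot: the `arg2 < 0` half of the condition in the `case PR_SET_DUMPABLE` hunk is dead code, because the `@@` header shows `sys_prctl(int option, un...`, i.e. `unsigned long arg2`, which can never be negative; the only effective change is `> 2` becoming `> 1`, so either drop the dead comparison or state the intent directly as `if (arg2 != 0 && arg2 != 1)`, the form comment 21 reports 2.6.12 and 2.4 use. Two follow-ups for the submitter: the hunk is against `linux-2.6.9/kernel/sys.c` while the whiteboard lists `<2.6.16.24` and `>=2.6.17 <2.6.17.4` as affected, so confirm it applies cleanly to the trees being bumped; and it silently withdraws the documented value 2 (comment 15 quotes man-pages: "Since kernel 2.6.13, the value 2 is also permitted"), so the man page or a changelog line should say so, as comment 11 asks. The sysctl path named in the summary, /proc/sys/fs/suid_dumpable, is not touched by this hunk; if the fix is meant to cover it as well, that needs its own hunk.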
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-06 13:15:19 UTC
*** Bug 137627 has been marked as a duplicate of this bug. ***
Comment 2 Tim Yamin (RETIRED) gentoo-dev 2006-07-06 13:34:31 UTC
Dan; please add to genpatches and commit new gentoo-sources as soon as possible. Thanks.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-07-08 07:52:15 UTC
*** Bug 139668 has been marked as a duplicate of this bug. ***
Comment 4 Kelly Price 2006-07-08 07:56:25 UTC
Please bump vanilla-sources to 2.6.17.4, which fixes this problem.
Comment 5 Pavel Shirov 2006-07-12 02:04:30 UTC
Proof of Concept can be found here: http://www.rs-labs.com/exploitsntools/rs_prctl_kernel.c

I've tried it, but it doesn't work for me:
user@host ~ $ ./rs_prctl_kernel
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]

[*] Creating Cron entry
[*] Sleeping for aprox. one minute (** please wait **)
[*] Running shell (remember to remove /tmp/sh when finished) ...
sh: /tmp/sh: No such file or directory
user@host ~ $ uname -a
Linux linux 2.6.16-gentoo-r7 #2 Mon May 22 14:19:25 MSD 2006 i686 Pentium Pro GNU/Linux
Comment 6 Pavel Shirov 2006-07-12 02:25:30 UTC
It was pointed out to me that this exploit actually may take more than 1 minute to create /tmp/sh. So I've modified the sleep() time in the exploit to 3 minutes. It creates suid root /tmp/sh:

nstorm@linux ~ $ ./rs_prctl_kernel
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]

[*] Creating Cron entry
[*] Sleeping for aprox. sleep(180) (** please wait **)
[*] Running shell (remember to remove /tmp/sh when finished) ...
sh-3.1$ ls -l /tmp/sh
-rwsr-xr-x 1 root root 659552 Jul 12 13:19 /tmp/sh
Comment 7 Wolf Giesen (RETIRED) gentoo-dev 2006-07-12 02:28:06 UTC
From looking at the patch I changed

- prctl(PR_SET_DUMPABLE, 2);
+ prctl(PR_SET_DUMPABLE, 3);

Then it works, unfortunately:

./pop
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]

[*] Creating Cron entry
[*] Sleeping for aprox. one minute (** please wait **)
[*] Running shell (remember to remove /tmp/sh when finished) ...
$sh-3.1$ ls -l /tmp/sh
-rwsr-xr-x 1 root root 632016 12. Jul 11:21 /tmp/sh

:((
Comment 8 Wolf Giesen (RETIRED) gentoo-dev 2006-07-12 02:42:37 UTC
This is freaky. There is obviously something seriously wrong. The code is supposed to back out if the parameter is invalid, right? So the patch won't work at all, IMHO :(
Comment 9 Tim Yamin (RETIRED) gentoo-dev 2006-07-12 06:32:58 UTC
(In reply to comment #8)
> This is freaky. There is obviously something seriously wrong. The code is
> supposed to back out if the parameter is invalid, right? So the patch won't
> work at all, IMHO :(

You need to upgrade to the new kernel which is actually patched against this vulnerability :)

Comment 10 Wolf Giesen (RETIRED) gentoo-dev 2006-07-12 06:51:28 UTC
We were actually trying to mark this as valid, I believe :D
And it is, obviously.
Comment 11 Alex Unleashed 2006-07-13 03:43:05 UTC
That patch is not a real fix unless prctl(PR_SET_DUMPABLE, 2) isn't expected to work anymore. In that case manpages should be updated.

Otherwise a better fix maintaining functionality would be to dump core on user writable directories only.
Comment 12 Philip Walls (RETIRED) gentoo-dev 2006-07-13 10:50:03 UTC
A temporary workaround to the local root escalation is to chmod o-rx /etc/cron.d - This prevents the program from calling chdir("/etc/cron.d"), thus preventing the core file from being dumped there, and so on. I'm sure there are other ways this kernel bug could be exploited, but at least this prevents root escalations from the method described in the example.
Comment 13 Wolf Giesen (RETIRED) gentoo-dev 2006-07-13 11:08:34 UTC
Does anybody know if PR_SET_DUMPABLE,2 is going to be supported in the future (since it's quite a new feature so it possibly just got pulled in order to hotfix it)?
Comment 14 Tim Yamin (RETIRED) gentoo-dev 2006-07-13 17:29:22 UTC
(In reply to comment #11)
> That patch is not a real fix unless prctl(PR_SET_DUMPABLE, 2) isn't expected to
> work anymore. In that case manpages should be updated.

The manpages never said anything other than zero or one should ever work. At least the one I'm looking at here dated 2002-06-27, anyway. The issue was that the check didn't enforce this correctly due to an off-by-one and hence the bug.
Comment 15 Wolf Giesen (RETIRED) gentoo-dev 2006-07-13 22:03:11 UTC
Huh? From man-pages-2.34:

PR_SET_DUMPABLE
   [...]
   Since kernel 2.6.13, the value 2 is also permitted; this  causes  any
   binary  which normally would not be dumped to be dumped readable by
   root only. (See also the description of /proc/sys/fs/suid_dumpable in
   proc(5).)

Comment 16 Tim Yamin (RETIRED) gentoo-dev 2006-07-14 02:01:05 UTC
*** Bug 140303 has been marked as a duplicate of this bug. ***
Comment 17 Wolf Giesen (RETIRED) gentoo-dev 2006-07-14 13:21:51 UTC
Whatever, new versions don't exhibit the problem.
Comment 18 Tim Yamin (RETIRED) gentoo-dev 2006-07-15 07:06:53 UTC
CCing maintainers; please bump:

mips-sources: Kumba
rsbac-sources: kang
sh-sources: sh
usermode-sources: dang
xbox-sources: chrb
xen-sources: chrb, agriffis
Comment 19 Mike Doty (RETIRED) gentoo-dev 2006-07-15 07:22:58 UTC
(In reply to comment #18)
> CCing maintainers; please bump:
> 
> mips-sources: Kumba
> rsbac-sources: kang
> sh-sources: sh
> usermode-sources: dang
> xbox-sources: chrb
> xen-sources: chrb, agriffis
> 
you guys might want to use genpatches-2.6.16-15 instead of -14, because it addresses bug 140444 as well...
Comment 20 Gregor Lawatscheck 2006-07-15 09:04:40 UTC
Tested patch by reporter on vanilla, works fine.

Just to make this clear:
+ prctl(PR_SET_DUMPABLE, 3); 
in the exploit code as written in comment #7 does not work to exploit a patched kernel! Caused quite some FUD to me so I checked.
Comment 21 Gregor Lawatscheck 2006-07-15 09:45:57 UTC
Two things just out of interest and then I'll shut up:

< 2.6.13 is not exploitable from what the "case PR_SET_DUMPABLE" looks like in sys.c
(securityfocus appears to be wrong on their 

The 2.4.x branch doesn't appear to be vulnerable to this either - same
if (arg2 != 0 && arg2 != 1) like 2.6.12
Comment 22 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-07-15 11:42:55 UTC
usermode-sources bumped to -15
Comment 23 Stefano 2006-07-16 02:56:58 UTC
(In reply to comment #12)
> A temporary workaround to the local root escalation is to chmod o-rx
> /etc/cron.d - This prevents the program from calling chdir("/etc/cron.d"), 

Well, this obviously doesn't help much. It just prevents this particular exploit from executing, but if you can write files in that way, there's a bunch of other ways for breaking root.

Another, not much better, "workaround" is to specify the core dump location:
echo /root/core > /proc/sys/kernel/core_pattern
(you create a denial of service possibility then)

Or put a limit:
in /etc/limits.conf
*               hard    core    0 

Or set it to /dev/null ... you can use fantasy.

Another temporary workaround for those who cannot update a system right now for whatever reason is to load the LKM I upload... please beware, it comes straight from an infosec list, so usual precautions against unofficial patches apply.
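The workarounds in comment 12 (`chmod o-rx /etc/cron.d`) and comment 23 (an absolute `core_pattern`, a hard core limit of 0) and the affected-version ranges from the whiteboard can be turned into a host audit. The script below is an added example, not part of this bug report, of the exploit, or of Gentoo's tooling; the function names are its own, the paths and sysctl names are standard Linux ones, and the lower bound 2.6.13 is taken from the man-pages text quoted in comment 15 (value 2 first permitted in 2.6.13). It only reads settings and reports; the exit status of the audit is the number of findings.

```shell
#!/bin/sh
# Added example (not from the bug report or Gentoo): audit a host for CVE-2006-2451 exposure.
# Affected ranges: bug whiteboard [linux <2.6.16.24] [linux >=2.6.17 <2.6.17.4]; lower bound
# 2.6.13 from the man-pages text in comment 15. Function names are this example's own.

# vercmp A B: compare dotted version strings numerically, printing -1, 0 or 1.
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"         # missing trailing component counts as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# kernel_affected RELEASE: true (0) when RELEASE, as printed by `uname -r`, is in the affected ranges.
kernel_affected() {
    v="${1%%-*}"                          # strip distro suffixes such as -gentoo-r7
    if [ "$(vercmp "$v" 2.6.13)" -ge 0 ] && [ "$(vercmp "$v" 2.6.16.24)" -lt 0 ]; then return 0; fi
    if [ "$(vercmp "$v" 2.6.17)" -ge 0 ] && [ "$(vercmp "$v" 2.6.17.4)" -lt 0 ]; then return 0; fi
    return 1
}

# other_has_rx MODESTRING: true when an `ls -ld` mode string (e.g. drwxr-xr-x) grants read and
# execute to "other"; comment 12's `chmod o-rx /etc/cron.d` removes exactly that.
other_has_rx() {
    case "$1" in
        ???????r?[xt]*) return 0 ;;
    esac
    return 1
}

# core_pattern_relative PATTERN: true when kernel.core_pattern has no leading slash and is not a
# pipe, so core files land in the crashing process's current directory (comment 23 suggests an
# absolute path instead, at the cost of a disk-filling DoS).
core_pattern_relative() {
    case "$1" in
        /*|\|*) return 1 ;;
    esac
    return 0
}

# core_limit_unbounded LIMIT: true unless the hard core-size limit (as from `ulimit -H -c`) is 0,
# the "* hard core 0" setting from comment 23.
core_limit_unbounded() {
    [ "$1" != 0 ]
}

# audit_host: run the checks against the live system; prints findings, returns their count.
audit_host() {
    n=0
    rel="$(uname -r)"
    if kernel_affected "$rel"; then
        echo "kernel $rel is in the affected range; update to 2.6.16.24 / 2.6.17.4 or later"
        n=$((n + 1))
    fi
    if [ -d /etc/cron.d ] && other_has_rx "$(ls -ld /etc/cron.d | cut -c1-10)"; then
        echo "/etc/cron.d is readable and searchable by other users (comment 12 workaround not applied)"
        n=$((n + 1))
    fi
    if [ -r /proc/sys/kernel/core_pattern ] && core_pattern_relative "$(cat /proc/sys/kernel/core_pattern)"; then
        echo "kernel.core_pattern is relative: core files are written to the crashing process's cwd"
        n=$((n + 1))
    fi
    if core_limit_unbounded "$(ulimit -H -c)"; then
        echo "hard core-size limit is not 0 (comment 23 limits.conf workaround not applied)"
        n=$((n + 1))
    fi
    return $n
}

audit_host || echo "$? finding(s)"
```

The pure helpers take their input as arguments so they can be checked against strings such as `2.6.16-gentoo-r7` (the release from comment 5) without running on an affected machine; `audit_host` is the only function that touches the live system. An updated kernel is the actual fix; a zero-finding run only means none of the mitigations discussed in this thread are missing.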
Comment 24 Stefano 2006-07-16 02:58:41 UTC
Created attachment 91871 [details]
unofficial workaround LKM for this behavior
Comment 25 Tim Yamin (RETIRED) gentoo-dev 2006-08-08 15:05:40 UTC
All fixed, closing.