The advisory for this vulnerability has been updated to include a suggested workaround: Preventing the RDS kernel module from loading is an effective workaround. This can be accomplished by executing the following command as root: echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds In addition, I've uploaded a new version of the exploit which should be slightly more stable. The previous version overwrote a security ops function pointer to ptrace_traceme, which was a poor choice, especially since Google Chrome uses ptrace regularly. The new version overwrites a function pointer in the socket operations for RDS, which will most likely not be used by other processes. The updated advisory is available at: http://www.vsecurity.com/resources/advisory/20101019-1/ And the updated exploit is available at: http://www.vsecurity.com/download/tools/linux-rds-exploit.c -Dan On Tue, Oct 19, 2010 at 2:22 PM, VSR Advisories <advisories@xxxxxxxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > VSR Security Advisory > http://www.vsecurity.com/ > > - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > > Advisory Name: Linux RDS Protocol Local Privilege Escalation > Release Date: 2010-10-19 > Application: Linux Kernel > Versions: 2.6.30 - 2.6.36-rc8 > Severity: High > Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com > > Vendor Status: Patch Released [3] > CVE Candidate: CVE-2010-3904 > Reference: http://www.vsecurity.com/resources/advisory/20101019-1/ > > - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > > > Product Description > - ------------------- > - From [1]: > > "Linux is a free Unix-type operating system originally created by Linus > Torvalds with the assistance of developers around the world. Developed under > the GNU General Public License, the source code for Linux is freely available > to everyone." > > - From [2]: > > "Reliable Datagram Sockets (RDS) provide in order, non-duplicating, > highly available, low overhead, reliable delivery of datagrams between > hundreds of thousands of non-connected endpoints." > > Vulnerability Overview > - ---------------------- > On October 13th, VSR identified a vulnerability in the RDS protocol, as > implemented in the Linux kernel. Because kernel functions responsible for > copying data between kernel and user space failed to verify that a > user-provided address actually resided in the user segment, a local attacker > could issue specially crafted socket function calls to write abritrary values > into kernel memory. By leveraging this capability, it is possible for > unprivileged users to escalate privileges to root. > > Vulnerability Details > - --------------------- > On Linux, recvmsg() style socket calls are performed using iovec structs, which > allow a user to specify a base address and size for a buffer used to receive > socket data. Each packet family is responsible for defining functions that > copy socket data, which is received by the kernel, back to user space to allow > user programs to process and handle received network data. > > When performing this copying of data to user space, the RDS protocol failed to > verify that the base address of a user-provided iovec struct pointed to a valid > userspace address before using the __copy_to_user_inatomic() function to copy > the data. As a result, by providing a kernel address as an iovec base and > issuing a recvmsg() style socket call, a local user could write arbitrary data > into kernel memory. This can be leveraged to escalate privileges to root. > > Proof-of-Concept Exploit > - ------------------------ > VSR has developed a proof-of-concept exploit [4] to both demonstrate the > severity of this issue as well as allow users and administrators to verify the > existence of the vulnerability. The exploit leverages the ability to write > into kernel memory to reset the kernel's security operations structure and gain > root privileges. The exploit requires that kernel symbol resolution is > available to unprivileged users, via /proc/kallsyms or similar, as is the case > on most stock distributions. It has been tested on both 32-bit and 64-bit x86 > platforms. While this exploit has been reliable during testing, it is not > advised to run kernel exploits on production systems, as there is a risk of > causing system instability and crashing the affected machine. > > Versions Affected > - ----------------- > This vulnerability affects unpatched versions of the Linux kernel, starting > from 2.6.30, where the RDS protocol was first included. Installations are only > vulnerable if the CONFIG_RDS kernel configuration option is set, and if there > are no restrictions on unprivileged users loading packet family modules, as is > the case on most stock distributions. > > Vendor Response > - --------------- > The following timeline details Linux's response to the reported issue. > > 2010-10-13 Vulnerability reported to Linux security team > 2010-10-13 Response, agreement on disclosure date > 2010-10-19 Fix publicly committed [3] > 2010-10-19 Coordinated disclosure > > Recommendation > - -------------- > Users should either install updates provided by downstream distributions, or > apply the committed patch [3] and recompile their kernel. > > Common Vulnerabilities and Exposures (CVE) Information > - ------------------------------------------------------ > The Common Vulnerabilities and Exposures (CVE) project has assigned > the number CVE-2010-3904 to this issue. This is a candidates for > inclusion in the CVE list (http://cve.mitre.org), which standardizes > names for security problems. > > Acknowledgements > - ---------------- > Thanks to Andrew Morton, Linus Torvalds, Andy Grover, and Eugene Teo for their > prompt responses and patch. > > - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > > References: > > 1. Linux kernel > http://www.linux.org > > 2. Reliable Datagram Sockets > http://oss.oracle.com/pipermail/rds-devel/2007-November/000228.html > > 3. GIT patch > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f > > 4. RDS protocol privilege escalation exploit > http://www.vsecurity.com/download/tools/linux-rds-exploit.c > > - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > > This advisory is distributed for educational purposes only with the sincere > hope that it will help promote public safety. This advisory comes with > absolutely NO WARRANTY; not even the implied warranty of merchantability or > fitness for a particular purpose. Virtual Security Research, LLC nor the author > accepts any liability for any direct, indirect, or consequential loss or damage > arising from use of, or reliance on, this information. > > See the VSR disclosure policy for more information on our responsible > disclosure practices: http://www.vsecurity.com/company/disclosure > > - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > Copyright 2010 Virtual Security Research, LLC. All rights reserved. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > > iEYEARECAAYFAky93O8ACgkQQ1RSUNR+T+gXiwCgkVifvjPHDD+Xf6JrQJ4NisSW > UKEAn0Rh+XhN3kGUne5sCAGFeGln+qM0 > =cKv/ > -----END PGP SIGNATURE----- >
