An interesting exploit for the Linux kernel that enables an attacker to escalate his privileges on a local machine has popped up on the Full Disclosure mailing list. The exploit chains together three separate bugs to get root on a vulnerable machine.
The exploit was posted Tuesday by Dan Rosenberg on Full Disclosure, and he explains in his post that the exploit is specifically designed to be somewhat limited so that it's not easily usable by low-level attackers. The exploit affects Linux kernel version 2.6.37; however, two of the bugs that Rosenberg uses in the exploit have been patched by two of the major Linux distributions.
“In the interest of public safety, this exploit was specifically designed to be limited:
The most interesting of the three vulnerabilities, however, is a recent one that is still unpatched in the Linux kernel. The bug is a local address limit override vulnerability.
“This is the interesting one, and the reason I wrote this exploit. If a thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL word will be written to a user-specified pointer when that thread exits. This write is done using put_user(), which ensures the provided destination resides in valid userspace by invoking access_ok(). However, Nelson discovered that when the kernel performs an address limit override via set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault, etc.), this override is not reverted before calling put_user() in the exit path, allowing a user to write a NULL word to an arbitrary kernel address. Note that this issue requires an additional vulnerability to trigger,” Rosenberg wrote in his advisory.
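The put_user() write Rosenberg describes is the kernel's ordinary, documented CLONE_CHILD_CLEARTID behaviour: at thread exit the kernel stores a zero word through a pointer the thread's creator supplied and wakes any futex waiter on it. The program below is an added illustration, not code from Rosenberg's post or the advisory, and shows that behaviour in its normal user-space-only form on Linux: it creates a thread with clone(2), passes the flag together with a ctid word initialised to 1, and futex-waits until the kernel's exit-path write turns it to 0, which is the same mechanism glibc's pthread_join relies on. The stack size, the sentinel value 1 and the name demo_child_cleartid are my choices.

```c
/* Added example: the benign CLONE_CHILD_CLEARTID write at thread exit.
 * Linux only; stack size and sentinel value are arbitrary choices. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/futex.h>

#ifndef FUTEX_WAIT
#define FUTEX_WAIT 0
#endif

#define STACK_SIZE (64 * 1024)

static volatile int child_ran = 0; /* set by the child thread itself      */
static volatile int ctid = 1;      /* word the kernel zeroes at thread exit */

static int child_fn(void *arg)
{
    (void)arg;
    child_ran = 1;
    /* Terminate only this thread (SYS_exit, not exit_group). In the exit
     * path the kernel does put_user(0, &ctid) and a FUTEX_WAKE on it. */
    syscall(SYS_exit, 0);
    return 0; /* not reached */
}

/* Returns 1 if the kernel cleared ctid after the thread exited, else 0. */
int demo_child_cleartid(void)
{
    child_ran = 0;
    ctid = 1; /* any nonzero sentinel; the kernel never writes the tid here
                 because CLONE_CHILD_SETTID is deliberately not requested */

    void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (stack == MAP_FAILED)
        return 0;

    int flags = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
                CLONE_THREAD | CLONE_SYSVSEM | CLONE_CHILD_CLEARTID;
    /* The stack grows downward on the usual Linux targets, so pass its top.
     * The last argument is the child_tid pointer the kernel will clear. */
    int tid = clone(child_fn, (char *)stack + STACK_SIZE, flags, NULL,
                    NULL, NULL, (int *)&ctid);
    if (tid == -1) {
        munmap(stack, STACK_SIZE);
        return 0;
    }

    /* Wait the way pthread_join does: block on the ctid word while it still
     * holds 1; EAGAIN means it already changed, EINTR means retry. */
    while (ctid != 0) {
        long r = syscall(SYS_futex, &ctid, FUTEX_WAIT, 1, NULL, NULL, 0);
        if (r == -1 && errno != EAGAIN && errno != EINTR)
            break;
    }

    int ok = (ctid == 0) && child_ran;
    /* Once ctid reads 0 the thread has left user space for good, so its
     * stack can be released. */
    munmap(stack, STACK_SIZE);
    return ok;
}

int main(void)
{
    printf("ctid cleared by the kernel at thread exit: %s\n",
           demo_child_cleartid() ? "yes" : "no");
    return 0;
}
```

In this normal case access_ok() accepts the destination because it is a user-space address and the address limit is the default USER_DS. The flaw Rosenberg quotes is entirely on the kernel side: if the thread OOPSes while the limit has been raised to KERNEL_DS, the same exit-path put_user() runs with the wrong limit, so the check no longer confines the pointer to user memory.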