[UNIX] Linux Kernel i386 SMP Page Fault Handler Privilege Escalation

From: SecuriTeam (support_at_securiteam.com)
Date: 01/12/05

  • Next message: SecuriTeam: "[EXPL] Veritas Backup Exec Agent Browser Registration Request Exploit"
    To: list@securiteam.com
    Date: 12 Jan 2005 14:59:31 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Linux Kernel i386 SMP Page Fault Handler Privilege Escalation
    ------------------------------------------------------------------------

    SUMMARY

    Locally exploitable flaw has been found in the Linux page fault handler
    code that allows users to gain root privileges if running on
    multiprocessor machine.

    DETAILS

    Vulnerable Systems:
     * Linux version 2.2 up to and including 2.2.27-rc1
     * Linux version 2.4 up to and including 2.4.29-rc1
     * Linux version 2.6 up to and including 2.6.10

    The Linux kernel is the core software component of a Linux environment and
    is responsible for handling of machine resources. One of the functions of
    an operating system kernel is handling of virtual memory. On Linux virtual
    memory is provided on demand if an application accesses virtual memory
    areas.

    One of the core components of the Linux VM subsystem is the page fault
    handler that is called if applications try to access virtual memory
    currently not physically mapped or not available in their address space.

    The page fault handler has the function to properly identify the type of
    the requested virtual memory access and take the appropriate action to
    allow or deny application's VM request. Actions taken may also include a
    stack expansion if the access goes just below application's actual stack
    limit.

    An exploitable race condition exists in the page fault handler if two
    concurrent threads sharing the same virtual memory space request stack
    expansion at the same time. It is only exploitable on multiprocessor
    machines (that also includes systems with hyperthreading).

    Discussion:
    The vulnerable code resides for the i386 architecture in
    arch/i386/mm/fault.c in your kernel source code tree:

    [186] down_read(&mm->mmap_sem);

           vma = find_vma(mm, address);
           if (!vma)
                  goto bad_area;
           if (vma->vm_start <= address)
                  goto good_area;
           if (!(vma->vm_flags & VM_GROWSDOWN))
                  goto bad_area;
           if (error_code & 4) {
                  /*
                   * accessing the stack below %esp is always a bug.
                   * The "+ 32" is there due to some instructions (like
                   * pusha) doing post-decrement on the stack and that
                   * doesn't show up until later..
                   */
    [*] if (address + 32 < regs->esp)
                         goto bad_area;
           }
           if (expand_stack(vma, address))
                  goto bad_area;

    where the line number has been given for the kernel 2.4.28 version.

    Since the page fault handler is executed with the mmap_sem semaphore held
    for reading only, two concurrent threads may enter the section after the
    line 186.

    The checks following line 186 ensure that the VM request is valid and in
    case it goes just below the actual stack limit [*], that the stack is
    expanded accordingly. On Linux the notion of stack includes any
    VM_GROWSDOWN virtual memory area, that is, it need not to be the actual
    process's stack.

    The exploitable race condition scenario looks as follows:

    A. thread_1 accesses a VM_GROWSDOWN area just below its actual starting
    address, lets call it fault_1,

    B. thread_2 accesses the same area at address fault_2 where fault_2 +
    PAGE_SIZE <= fault_1, that is:

    [ NOPAGE ] [fault_1 ] [ VMA ] ---> higher addresses
    [fault_2 ] [ NOPAGE ] [ VMA ]

    where one [] bracket pair stands for a page frame in the application's
    page table.

    C. if thread_2 is slightly faster than thread_1 following happens:
    [ PAGE2 ] [PAGE1 VMA ]

    that is, the stack is first expanded inside the expand_stack() function to
    cover fault_2, however it is right after 'expanded' to cover only fault_1
    since the necessary checks have already been passed. In other words, the
    process's page table includes now two page references (PTEs) but only one
    is covered by the virtual memory area descriptor (namely only page1). The
    race window is very small but it is exploitable.

    Once the reference to page2 is available in the page table, it can be
    freely read or written by both threads. It will also not be released to
    the virtual memory management on process termination. Similar techniques
    like in <http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt>
    http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt may be
    further used to inject these lost page frames into a setuid application in
    order to gain elevated privileges (due to kmod this is also possible
    without any executable setuid binaries).

    Impact:
    Unprivileged local users can gain elevated (root) privileges on SMP
    machines.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:ihaquer@isec.pl> Paul
    Starzetz.
    The original article can be found at:
    <http://isec.pl/vulnerabilities/isec-0022-pagefault.txt>
    http://isec.pl/vulnerabilities/isec-0022-pagefault.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[EXPL] Veritas Backup Exec Agent Browser Registration Request Exploit"

    Relevant Pages

    • [UNIX] Computer Associates BrightStor ARCserve Backup UniversalAgent Backdoor Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... protection for all classes of Windows, NetWare, Linux and UNIX servers, as ... * BAB 9.0 Linux Japanese ... * BEB 10.0 HPUX ...
      (Securiteam)
    • [UNIX] Linux Kernel Socket Buffer Memory Exhaustion DoS
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Local exploitation of a memory exhaustion vulnerability in Linux Kernel ... system memory resources can be ...
      (Securiteam)
    • [NT] PicoWebServer Unicode Stack Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A buffer overflow vulnerability has been discovered in PicoWebServer, ... exploiting this vulnerability allows a remote attacker to run arbitrary ... an attacker can trigger a stack overflow and cause the ...
      (Securiteam)
    • [UNIX] Libsafe Safety Check Bypass Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Due to a bug in libsafe ... As a example look at the code situated at the safe function strcpy(): ... Function _libsafe_stackVariableP() checked length beetwen buffor and stack ...
      (Securiteam)
    • [NT] Webcam Watchdog Stack Overflow Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Webcam Watchdog is vulnerable to a remotely exploitable stack based buffer ... 0040AEAA 8BF1 MOV ESI,ECX ... and code execution resumes ...
      (Securiteam)