Friday, August 21, 2009

[BLUG] major exploit in 2.4 and 2.6 linux kernel

There was a flaw discovered in the kernel that's been there since 2001
that can be used for privilege escalation. If you have support for one
of several less-common network protocols, a malicious user with local
access can become root very easily.

It has to do with how the kernel allocates network sockets and sets up
protocol listeners on those sockets. There are some functions that are
implemented for some protocols but not others, and when the function is
not implemented, it's supposed to raise a "Not Implemented" exception.
Instead, it references a null pointer. Vulnerable kernels have support
for Appletalk, IPX, bluetooth, pppoe, irda, isdn, and a few others.

From Linus's commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

kernel_sendpage() does the proper default case handling for when the
socket doesn't have a native sendpage implementation.

Now, arguably this might be something that we could instead solve by
just specifying that all protocols should do it themselves at the
protocol level, but we really only care about the common protocols.
Does anybody really care about sendpage on something like Appletalk?
Not likely.

Even better is RedHat's mitigation advice:
https://bugzilla.redhat.com/show_bug.cgi?id=516949#c10

Best of all is this post I saw on PlanetDebian:
http://blog.bofh.it/debian/id_294 which reads:

cd /lib/modules/$(uname -r)/kernel/ && \
rm net/ipx/ipx.ko net/irda/irda.ko net/x25/x25.ko \
net/ax25/ax25.ko net/bluetooth/bluetooth.ko \
net/sctp/sctp.ko drivers/net/pppoe.ko drivers/net/pppox.ko

Basically, if you use bluetooth or some obscure networking protocol in
your kernel and someone else has local access, you might be vulnerable.
If you remove the modules for those vulnerable protocols, you're fine.

-Barry

_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
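To make the "default case handling" Linus describes concrete, here is an added example (not code from the post, from the kernel, or from Linus's commit) that models the dispatch pattern in user space: each protocol registers a table of operation pointers, some protocols never fill in sendpage, and the safe dispatcher substitutes a "not supported" handler when the slot is empty instead of calling through it. The kernel's real fix does the same thing with sock_no_sendpage; the names used here (proto_ops_t, no_sendpage, kernel_sendpage_fixed, count_missing_sendpage, fill_missing_ops) and the three-entry table are this example's own constructions.

```c
/* Added example, not kernel code: a user-space model of the vulnerable
 * dispatch pattern and the two defensive fixes (check at call time, fill
 * empty slots at registration time). All names are this example's own. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

typedef struct proto_ops {
    const char *name;
    int (*sendpage)(const char *buf, size_t len);   /* NULL = not implemented */
} proto_ops_t;

/* A protocol that does implement sendpage (stand-in for a common protocol). */
static int tcp_sendpage(const char *buf, size_t len)
{
    (void)buf;
    return (int)len;              /* pretend every byte was sent */
}

/* Default handler: reports "not supported" rather than dereferencing NULL. */
static int no_sendpage(const char *buf, size_t len)
{
    (void)buf;
    (void)len;
    return -ENOSYS;
}

/* Constructed registration table; the NULL slots mirror the protocols the
 * post lists, which never provided their own sendpage. */
static proto_ops_t ops_table[] = {
    { "tcp",       tcp_sendpage },
    { "appletalk", NULL },
    { "ipx",       NULL },
};
#define NPROTO (sizeof ops_table / sizeof ops_table[0])

/* Fixed dispatcher: an empty slot means "fall back to the default",
 * never "call it". The original bug was the missing check on this path. */
int kernel_sendpage_fixed(const proto_ops_t *ops, const char *buf, size_t len)
{
    if (ops->sendpage == NULL)
        return no_sendpage(buf, len);
    return ops->sendpage(buf, len);
}

/* Audit helper: how many registered protocols still have an empty slot.
 * This is the in-code counterpart of the post's mitigation, which removes
 * the kernel modules for exactly those protocols. */
size_t count_missing_sendpage(const proto_ops_t *table, size_t n)
{
    size_t missing = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i].sendpage == NULL)
            missing++;
    return missing;
}

/* Registration-time hardening: fill every empty slot with the default so
 * that even a dispatcher that forgets the check can never reach NULL. */
void fill_missing_ops(proto_ops_t *table, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (table[i].sendpage == NULL)
            table[i].sendpage = no_sendpage;
}

int main(void)
{
    printf("%zu protocol(s) lack sendpage before hardening\n",
           count_missing_sendpage(ops_table, NPROTO));
    printf("appletalk sendpage -> %d (expect -ENOSYS = %d)\n",
           kernel_sendpage_fixed(&ops_table[1], "x", 1), -ENOSYS);
    fill_missing_ops(ops_table, NPROTO);
    printf("%zu protocol(s) lack sendpage after hardening\n",
           count_missing_sendpage(ops_table, NPROTO));
    return 0;
}
```

The two defences are independent: kernel_sendpage_fixed protects the call site, fill_missing_ops protects the table. The kernel's fix applied both ideas, defaulting in kernel_sendpage() and pointing the affected protocols' ops at sock_no_sendpage, which is why removing the unpatched modules (as in the Debian snippet above) is an equivalent mitigation until the kernel is updated.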
