Bug 198973
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2006-3626 Nasty /proc privilege escalation | | |
| Product | Red Hat Enterprise Linux 4 | Reporter | Mark J. Cox <mjc> |
| Component | kernel | Assignee | Ernie Petrides <petrides> |
| Status | CLOSED ERRATA | QA Contact | Brian Brock <bbrock> |
| Severity | high | Docs Contact | |
| Priority | urgent | | |
| Version | 4.0 | CC | eteo, jbaron, k.georgiou, lwang, security-response-team, tao |
| Target Milestone | --- | Keywords | Reopened, Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html | | |
| Whiteboard | impact=important,source=fulldisclosure,reported=20060714,public=20060714 | | |
| Fixed In Version | RHSA-2006-0617 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2006-08-22 18:51:05 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Mark J. Cox
2006-07-15 07:11:15 UTC
Created attachment 132495: Upstream's quick fix which removes S_ISUID/ISGID from i_mode
Q: Is Red Hat Enterprise Linux vulnerable to the /proc privilege escalation (CVE-2006-3626) exploit?

CVE-2006-3626 describes a race condition in Linux kernel 2.6.18-rc1 (including 2.6.17.4 and 2.6.16.24) and earlier that allows a local user to gain root privileges. It is possible to change the mode of /proc/self/environ to 4755 (suid) and include a small a.out binary in it. After that it is possible through prctl() with PR_SET_DUMPABLE to flip the owner and group to root:root. This allows the user to get a root shell. A working exploit was posted to Full Disclosure on 14 July 2006 [1].

To make this exploit work it is important that the running Linux kernel supports the a.out (Assembler.OUTput) binary format. The a.out binary format was replaced by ELF (Executable and Linkable Format) starting back in 1995, and every modern Linux distribution uses ELF-only binaries.

This issue does not affect Red Hat Enterprise Linux 2.1 or 3, as they are based on 2.4 kernels, which are not vulnerable to this issue. Red Hat Enterprise Linux 4 is based on the Linux kernel 2.6.9 and the race condition also exists there, but the a.out format is not enabled: the kernel option CONFIG_BINFMT_AOUT is set to "n". Since the a.out format is not available, the available exploit won't succeed. The exploit will fail with the message "failed: Exec format error", which indicates the missing a.out support of the RHEL4 kernel. We are not currently aware of any way to exploit this vulnerability if the a.out format is not enabled.

One key attack vector of this exploit is that it is possible to change the mode of the /proc file to any possible mode (including suid). The change to suid shouldn't be allowed, and a RHEL4 installation with SELinux activated in enforcing mode with the targeted policy will prevent it. This is the mode SELinux will be in for a default installation. In this case the exploit will never succeed and will fail with a "failed: Permission denied" error.
We recommend that SELinux be activated. It effectively protects systems against this exploit. The current SELinux status can be checked with "getenforce" and changed through "system-config-securitylevel" [2]. Attempts to run this exploit on RHEL4 with SELinux in enforcing mode will fail and will be logged through the audit subsystem. The system log files will show messages like this:

audit(1152957171.464:5): avc: denied { setattr } for pid=6291 comm="h00lyshit" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file

"setattr" is used to change the mode of a file or directory, and this message shows the attempt of the exploit to change /proc/self/environ to suid, which is not allowed by the targeted SELinux policy.

In addition, another workaround for this problem is to mount the /proc filesystem with the nosuid option. On a running system this can be done with the command "mount -o remount,nosuid /proc". To make this permanent, the mount options in /etc/fstab should be changed.

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
[2] http://kbase.redhat.com/faq/FAQ_93_4844.shtm

The Red Hat Security Response Team has therefore rated this as having moderate security severity for Enterprise Linux 4. No kernel update is currently planned; the fix for the flaw will be included in a later scheduled update.

Created attachment 132603: Proposed patch for 2.6.17-stable inclusion

This patch is a backport of the upstream patch for 2.6.17. The backport was needed because fs/proc/base.c changed a lot between 2.6.17 and 2.6.18-rc2. This patch does not obsolete the quick fix. Both should be applied to increase security.
Fix posted for internal review on 28-Jul-2006.

Committed in stream E5 build 42.0.1.

Confirmed to be fixed in 42.0.1.

After further investigation, Red Hat discovered an alternative method of exploiting this vulnerability that does not rely on either ELF or a.out embedded code. On some systems (depending on other functionality installed) it is possible to use this race condition to gain root privileges on Red Hat Enterprise Linux 4 systems. The RHSA-2006:0617 errata fixes the behavioral flaw of the /proc filesystem. On systems with SELinux enabled in enforcing mode this alternative method will fail and all attempts will be logged through the audit subsystem. Systems running Red Hat Enterprise Linux 2.1 and 3 are not vulnerable to any of these attack methods: the 2.4 Linux kernel doesn't allow changing the mode of /proc/<pid>/ files.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0617.html

Committed in stream U5 build 42.4.

A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
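As an added example, not code from this bug report, from Red Hat's patches or from the Full Disclosure exploit, the following C program re-issues the two requests the description above says the exploit chained, a chmod of /proc/self/environ to 04755 and a prctl(PR_SET_DUMPABLE, 0), with no embedded binary, and reports which state the kernel is in: chmod refused outright (a kernel with the full upstream fix answers EPERM, SELinux enforcing answers EACCES), setuid bits requested but not retained (my reading of what the attached quick fix that strips S_ISUID/S_ISGID from i_mode produces), or a setuid bit that really lands on the procfs file. It also parses /proc/mounts to tell whether the nosuid workaround is in place, since on an unfixed kernel nosuid blocks the execve, not the chmod. The state names, function names and the sample mount lines are my own assumptions.

```c
/*
 * Added probe for the CVE-2006-3626 conditions discussed in this bug.
 * Not the Full Disclosure exploit and not Red Hat's patch: it re-issues
 * the two requests the exploit chained (chmod 04755 on /proc/self/environ,
 * then PR_SET_DUMPABLE=0) without any embedded binary and reports whether
 * a setuid bit can land on a procfs file. Names below are my own.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

enum proc_suid_state {
    PROC_UNAVAILABLE = 0, /* path cannot be stat'ed: no procfs here */
    PROC_CHMOD_REFUSED,   /* chmod failed, no suid bit: fixed kernel (EPERM) or SELinux (EACCES) */
    PROC_SUID_STRIPPED,   /* chmod returned 0 but the kernel did not keep S_ISUID/S_ISGID */
    PROC_SUID_LANDED      /* setuid/setgid bit really is set on the proc file: unfixed kernel */
};

/* Classify one /proc/mounts line: 1 = proc on /proc with nosuid,
 * 0 = proc on /proc without nosuid, -1 = not the /proc mount at all. */
int mount_line_has_nosuid(const char *line)
{
    char dev[256], mnt[256], fstype[256], opts[256], *opt;

    if (sscanf(line, "%255s %255s %255s %255s", dev, mnt, fstype, opts) != 4)
        return -1;
    if (strcmp(fstype, "proc") != 0 || strcmp(mnt, "/proc") != 0)
        return -1;
    for (opt = strtok(opts, ","); opt; opt = strtok(NULL, ","))
        if (strcmp(opt, "nosuid") == 0)
            return 1;
    return 0;
}

/* Scan a mounts file (normally /proc/mounts). A later mount on /proc shadows
 * an earlier one, so the last matching line wins. -1 = no proc entry. */
int proc_mounted_nosuid(const char *mounts_path)
{
    char line[1024];
    int result = -1, r;
    FILE *f = fopen(mounts_path, "r");

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if ((r = mount_line_has_nosuid(line)) >= 0)
            result = r;
    fclose(f);
    return result;
}

/* Exploit step one: ask for mode 04755 on a procfs file and see what stuck.
 * *chmod_errno receives 0 on success or the errno chmod() set. */
enum proc_suid_state probe_proc_environ(const char *path, int *chmod_errno)
{
    struct stat st;
    int rc;

    if (stat(path, &st) != 0)
        return PROC_UNAVAILABLE;
    rc = chmod(path, S_ISUID | S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
    if (chmod_errno)
        *chmod_errno = rc == 0 ? 0 : errno;
    if (stat(path, &st) != 0)
        return PROC_UNAVAILABLE;
    if (st.st_mode & (S_ISUID | S_ISGID))
        return PROC_SUID_LANDED;
    return rc == 0 ? PROC_SUID_STRIPPED : PROC_CHMOD_REFUSED;
}

/* Exploit step two: clear the dumpable flag, which makes the kernel present
 * /proc/self/* as root-owned, and re-stat the file. The previous flag is put
 * back afterwards. Returns 0 with *uid/*mode filled, -1 on failure or off Linux. */
int owner_after_nondumpable(const char *path, uid_t *uid, mode_t *mode)
{
#ifdef __linux__
    struct stat st;
    int prev = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0), rc;

    if (prev < 0 || prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    rc = stat(path, &st);
    prctl(PR_SET_DUMPABLE, prev != 0, 0, 0, 0); /* PR_SET_DUMPABLE accepts only 0/1 */
    if (rc != 0)
        return -1;
    *uid = st.st_uid;
    *mode = st.st_mode;
    return 0;
#else
    (void)path; (void)uid; (void)mode;
    return -1;
#endif
}

int main(void)
{
    static const char *names[] = { "unavailable", "chmod refused",
                                   "suid bits not retained", "SUID LANDED (vulnerable)" };
    int err = 0;
    uid_t uid;
    mode_t mode;
    enum proc_suid_state s = probe_proc_environ("/proc/self/environ", &err);

    printf("/proc mounted nosuid: %d\n", proc_mounted_nosuid("/proc/mounts"));
    printf("chmod 04755 /proc/self/environ: %s (errno %d: %s)\n", names[s], err, strerror(err));
    if (owner_after_nondumpable("/proc/self/environ", &uid, &mode) == 0)
        printf("after PR_SET_DUMPABLE=0: owner uid %u, mode %04o\n",
               (unsigned)uid, (unsigned)(mode & 07777));
    return s == PROC_SUID_LANDED ? 1 : 0;
}
```

Run it as an unprivileged user; the interesting output is the combination of the three lines. A kernel that reports "chmod refused" with errno EPERM is refusing mode changes on procfs inodes itself, EACCES with an avc denial in the audit log is SELinux doing it as described above, and "suid bits not retained" means the mode change was accepted but the setuid bits were dropped again. The owner line shows that the PR_SET_DUMPABLE flip still makes the file appear root-owned, which is harmless only because no setuid bit is present; on an unfixed kernel that prints "SUID LANDED", the nosuid line tells you whether the remount workaround is what is standing between the two steps and a root shell.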