Bug 782642 (CVE-2012-0056)

| Field | Value |
|---|---|
| Summary | CVE-2012-0056 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking |
| Product | [Other] Security Response |
| Reporter | Eugene Teo (Security Response) <eteo> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | agordeev, bhu, bressers, dhoward, dwalsh, eparis, fche, jkacur, jrieden, kernel-mgr, kzhang, lgoncalv, lwang, menthos, nobody, plougher, pmatouse, rfv781, rt-maint, the.ridikulus.rat, vgoyal, williams, wnix |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2017-09-15 17:08:33 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 782643, 782645, 782646, 782647, 782649, 782650, 782681 |
| Bug Blocks | 782636 |
Description

Eugene Teo (Security Response), 2012-01-18 02:34:28 UTC

Statement: This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as it did not backport the upstream commit 198214a7ee. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0052.html and https://rhn.redhat.com/errata/RHSA-2012-0061.html. For more information, please read https://access.redhat.com/kb/docs/DOC-69129.

Created kernel tracking bugs for this issue. Affects: fedora-all [bug 782681]

Ensure that ASLR is enabled, see /proc/sys/kernel/randomize_va_space.

Created attachment 556461: A reproducer that tests if we have commit 198214a7.

To mitigate the issue:

1) On the host, save the following in a file with the ".stp" extension:

```
probe kernel.function("mem_write@fs/proc/base.c").call { $count = 0 }
```

2) Install the "systemtap" package and any required dependencies. Refer to the "2. Using SystemTap" chapter in the Red Hat Enterprise Linux 6 "SystemTap Beginners Guide" document, available from docs.redhat.com, for information on installing the required -debuginfo packages.

3) Run the "stap -g [filename-from-step-1].stp" command as root. If the host is rebooted, the changes will be lost and the script must be run again.

Knowledgebase article for this issue: https://access.redhat.com/kb/docs/DOC-69129

Linux Local Privilege Escalation via SUID /proc/pid/mem Write: http://blog.zx2c4.com/749

This was shared on the oss-security list on Jan 18, http://seclists.org/oss-sec/2012/q1/178. All Linux distro representatives are (expected to be) subscribed to this list.

Kees wrote a blog post about this: http://www.outflux.net/blog/archives/2012/01/22/fixing-vulnerabilities-with-systemtap/

Spender modified the reproducer to make it work on PaX: http://grsecurity.net/~spender/correct_proc_mem_reproducer.c

Exploits published:
- http://www.exploit-db.com/exploits/18411/ or http://git.zx2c4.com/CVE-2012-0056/tree/mempodipper.c
- http://git.zx2c4.com/CVE-2012-0056/tree/shellcode-32.s
- http://git.zx2c4.com/CVE-2012-0056/tree/shellcode-64.s
- http://seclists.org/fulldisclosure/2012/Jan/354
- http://ring0.me/exploits/procmem_CVE-2012-0056/cve2012-0056_procmem.tar

On Red Hat Enterprise Linux 6, /bin/su (coreutils) and /usr/bin/gpasswd (shadow-utils) are protected at compile time by PIE.

Android version: https://github.com/saurik/mempodroid

This issue has been addressed in the following products: Red Hat Enterprise Linux 6. Via RHSA-2012:0052 https://rhn.redhat.com/errata/RHSA-2012-0052.html

Original report and exploit from Jüri Aedla: http://kodu.ut.ee/~asd/exp-0-aedla/report.html http://kodu.ut.ee/~asd/exp-0-aedla/exp-0-aedla.c

This issue has been addressed in the following products: MRG for RHEL-6 v.2. Via RHSA-2012:0061 https://rhn.redhat.com/errata/RHSA-2012-0061.html

LWN: A /proc/PID/mem vulnerability https://lwn.net/Articles/476947/
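The comments above name three host-side defences: the SystemTap guard that zeroes `count` in `mem_write`, ASLR via `/proc/sys/kernel/randomize_va_space`, and PIE-built setuid binaries (`/bin/su`, `/usr/bin/gpasswd`). The script below is an added example, not an attachment to this bug and not Red Hat's tooling: it writes the guard script to a file, reads the ASLR sysctl, and reads the ELF `e_type` field with `od(1)` (a stand-in for `readelf -h`) to tell PIE (`ET_DYN`) from fixed-address (`ET_EXEC`) executables. It assumes a POSIX sh with `od` and `mktemp`; loading the guard still requires root, the `systemtap` package and the matching kernel `-debuginfo` exactly as the mitigation steps say, which this script does not do for you.

```shell
#!/bin/sh
# Added example (not from the bug report): host-side checks that pair with the
# mitigation described in the bug. Assumes a POSIX sh with od(1) and mktemp(1).
# It does NOT load the SystemTap guard itself: that still needs root, the
# "systemtap" package and the matching kernel -debuginfo, as the bug says.

# The guard probe from the bug's mitigation: in guru mode (stap -g) it forces
# mem_write() to see count == 0, so writes to /proc/<pid>/mem become no-ops.
GUARD_PROBE='probe kernel.function("mem_write@fs/proc/base.c").call { $count = 0 }'

# write_guard_script FILE: writes the probe to FILE (to be run with: stap -g FILE).
write_guard_script() {
    printf '%s\n' "$GUARD_PROBE" > "$1"
}

# aslr_state [FILE]: prints the randomize_va_space value
# (0 = ASLR off, 1 = stack/mmap/vdso randomized, 2 = brk randomized as well).
# FILE defaults to the live sysctl; passing a path lets the check run offline.
aslr_state() {
    f=${1:-/proc/sys/kernel/randomize_va_space}
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo unknown
        return 1
    fi
}

# elf_type FILE: prints EXEC (fixed load address, not PIE), DYN (position
# independent; PIE when FILE is an executable) or OTHER, by reading e_type from
# the ELF header with od(1) as a stand-in for readelf -h. Handles both byte orders.
elf_type() {
    f=$1
    if [ ! -r "$f" ]; then echo OTHER; return 1; fi
    magic=$(od -An -tx1 -j0 -N4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then echo OTHER; return 1; fi
    # EI_DATA (offset 5): 1 = little-endian, 2 = big-endian
    order=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' \n')
    # e_type is the 16-bit field at offset 16; $1/$2 become its two bytes
    set -- $(od -An -tu1 -j16 -N2 "$f")
    if [ "$order" = "2" ]; then
        etype=$(( $1 * 256 + $2 ))
    else
        etype=$(( $2 * 256 + $1 ))
    fi
    case $etype in
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo OTHER ;;
    esac
}

# report: summarize the host against the points raised in the bug.
report() {
    printf 'randomize_va_space: %s\n' "$(aslr_state)"
    # The two setuid binaries the bug names as PIE-protected on RHEL 6.
    for bin in /bin/su /usr/bin/gpasswd; do
        printf '%-20s %s\n' "$bin" "$(elf_type "$bin")"
    done
    guard=$(mktemp) && write_guard_script "$guard"
    printf 'guard script written to %s; load it as root with: stap -g %s\n' "$guard" "$guard"
}

# Run the report only when invoked explicitly, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    report
fi
```

Run it as `sh procmem_check.sh --run`. `DYN` for a path under `/bin` or `/usr/bin` means the executable is PIE and gets a randomized load address when `randomize_va_space` is non-zero; `EXEC` means its text sits at a fixed address regardless of the sysctl, which is the property the PIE remark in the bug is about.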