Bug 198973 - CVE-2006-3626 Nasty /proc privilege escalation
CVE-2006-3626 Nasty /proc privilege escalation
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
urgent Severity high
: ---
: ---
Assigned To: Ernie Petrides
Brian Brock
: Reopened, Security
Depends On:
  Show dependency treegraph
Reported: 2006-07-15 03:11 EDT by Mark J. Cox
Modified: 2007-11-30 17:07 EST (History)
6 users (show)

See Also:
Fixed In Version: RHSA-2006-0617
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-08-22 14:51:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox 2006-07-15 03:11:15 EDT
CVE description "A race condition in Linux kernel and earlier allows
local users to gain root privileges by using prctl with PR_SET_DUMPABLE in a way
that causes /proc/self/environ to become setuid root."

An exploit was posted to full-disclosure and other lists that can gain root
privileges on some 2.6 kernels.  Whilst the exploit as published will not work
on RHEL4 systems, it may well be exploitable in different ways.
Comment 5 Marcel Holtmann 2006-07-15 12:13:01 EDT
Created attachment 132495 [details]
Upstream's quick fix which removes S_ISUID/ISGID from i_mode
Comment 10 Marcel Holtmann 2006-07-17 04:38:43 EDT
Q: Is Red Hat Enterprise Linux vulnerable to the /proc privilege
escalation (CVE-2006-3626) exploit?

The CVE-2006-3626 describes a race condition in Linux kernel 2.6.18-rc1
(including and and earlier that allows a local
user to gain root privileges. It is possible to change the mode of
/proc/self/environ to 4755 (suid) and including a small a.out binary
into it. After that it is possible through prctl() with PR_SET_DUMPABLE
to flip the owner and group to root:root. This allows the user get a
root shell. A working exploit has been posted to Full Disclosure on
14th of July, 2006 [1].

To make this exploit work it is important that the running Linux
kernel supports the a.out (Assembler.OUTput) binary format. The a.out
binary format got replaced by ELF (Executable and Linkable Format)
starting back in 1995 and every modern Linux distribution uses ELF
only binaries.

This issue does not affect Red Hat Enterprise Linux 2.1 or 3 as they
are based on 2.4 kernels which are not vulnerable to this issue.

The Red Hat Enterprise Linux 4 is based on the Linux kernel 2.6.9
and the race condition also exists, but the a.out format is not
enabled. The kernel option CONFIG_BINFMT_AOUT is set to "n". Since the
a.out format is not available, the available exploit won't succeed. The
exploit will fail with the message "failed: Exec format error" which
indicates the missing a.out support of the RHEL4 kernel. We are not
currently aware of any way to exploit this vulnerability if a.out
format is not enabled.

One key attack vector of this exploit is, that it is possible to
change the mode of the /proc file to any possible mode (including
suid). The change to suid shouldn't be allowed and a RHEL4 installation
with activated SELinux in enforcing mode with targeted policy will
prevent it. This is the mode SELinux will be in for a default
installation. In this case the exploit will never succeed and fail
with a "failed: Permission denied" error.

We recommend that SELinux should be activated. It effectively
protect systems against this exploit. The current SELinux status
can be checked with "getenforce" and changed through
"system-config-securitylevel" [2].

Attempts to run this exploit on RHEL4 with SELinux in enforcing mode
will fail and they will be logged through the audit subsystem. The
system log files will show messages like this:

audit(1152957171.464:5): avc:  denied  { setattr } for  pid=6291
comm="h00lyshit" name="environ" dev=proc ino=412286986
scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t

The "setattr" is used to change the mode of a file or directory
and this messages shows the attempt of the exploit to change
/proc/self/environ to suid which is not allowed by the targeted
SELinux policy.

In addition, another workaround for this problem is to mount the /proc
filesystem with the the nosuid option. On a running system this can
be done with the command "mount -o remount,nosuid /proc". To make
this permanent the mount options in /etc/fstab should be changed.

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
[2] http://kbase.redhat.com/faq/FAQ_93_4844.shtm
Comment 11 Mark J. Cox 2006-07-17 04:41:09 EDT
The Red Hat Security response team have therefore rated this as having moderate
security severity for Enterprise Linux 4.  No kernel update is currently
planned, the fix for the flaw will be included in a later scheduled update.
Comment 16 Marcel Holtmann 2006-07-18 10:02:04 EDT
Created attachment 132603 [details]
Proposed patch for 2.6.17-stable inclusion

This patch is a backport of the upstream patch for 2.6.17. The backport was
needed, because fs/proc/base.c changed a lot between 2.6.17 and 2.6.18-rc2.

This patch doesn't obsoletes the quick fix. Both should be applied to increase
the security.
Comment 28 Ernie Petrides 2006-07-28 17:43:21 EDT
Fix posted for internal review on 28-Jul-2006.
Comment 30 Jason Baron 2006-08-07 15:11:33 EDT
committed in stream E5 build 42.0.1
Comment 32 Joshua Giles 2006-08-21 00:05:53 EDT
Confirmed to be fixed in 42.0.1
Comment 33 Marcel Holtmann 2006-08-21 03:57:16 EDT
After further investigation, Red Hat discovered an alternative method of
exploiting this vulnerability that does not rely on either ELF or a.out embedded
code. On some systems (depending on other functionality installed) it is
possible to use this race condition to gain root privileges on Red Hat
Enterprise Linux 4 systems. The RHSA-2006:0617 errata fixes the behavioral flaw
of the /proc filesystem.

On systems with enabled SELinux in enforcing mode this alternative method will
fail and all attemtps will be logged through the audit subsystem.

The systems running Red Hat Enterprise Linux 2.1 and 3 are not vulnerable to any
of these attack methods. The 2.4 Linux kernel doesn't allow to change the mode
of /proc/<pid>/ files.
Comment 35 Red Hat Bugzilla 2006-08-22 14:51:11 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 36 Jason Baron 2006-08-30 13:50:47 EDT
committed in stream U5 build 42.4. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/

Note You need to log in before you can comment on or make changes to this bug.