Erik Sjölund reported a race condition in systemtap where a user in the stapusr group can effectively elevate privileges to group stapdev or root by allowing for the execution of kernel objects outside of the root-owned /lib/modules/$VERSION/systemtap/ directory. This is due to checkpath() checking the path (the module_realpath variable), but not later using the path to open the file. Because of this, a user could tell stap to load a kernel module in the current directory that is a symlink to a valid kernel object, and, if able to quickly replace that symlink with one pointing to a malicious kernel object, execute the kernel object outside of the directory they should be restricted to. Acknowledgements: Red Hat would like to thank Erik Sjölund for reporting this issue.
Created attachment 334872 [details] Not a sufficient patch for this bug. This patch forces the canonicalization of the module directory to be done early, so that only the canonicalized path name is used for both permission checking and for actual module loading.
Comment on attachment 334872 [details] Not a sufficient patch for this bug. Note that this patch applies to upstream and recent systemtap versions. I'll post another one against RHEL5.3.
Comment on attachment 334872 [details] Not a sufficient patch for this bug. Sorry, a simpler patch will fix just this bug; we'll clean up this general area later.
Created attachment 334879 [details] Patch for RHEL5.3 and git/upstream systemtap.
RHEL4 (systemtap-0.6.2-1.el4 RPM) is also potentially affected. The same fix looks like it should fit there too.
Just to note some factors that need to be in place before this can be exploited (aside from controlling the race condition itself): - the user must be in the stapusr group - the /lib/modules/$VERSION/systemtap directory must exist (does not by default) - there must be a kernel object inside this directory to use to perform the race with None of these conditions are default, even with systemtap installed.
Lifting embargo.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0784 to this vulnerability: Race condition in the SystemTap stap tool 0.0.20080705 and 0.0.20090314 allows local users in the stapusr group to gain privileges via unknown vectors. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0784 http://www.debian.org/security/2009/dsa-1755
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:0373 https://rhn.redhat.com/errata/RHSA-2009-0373.html
Fedora updates to fixed upstream version 0.9.5: https://admin.fedoraproject.org/updates/F9/FEDORA-2009-3106 https://admin.fedoraproject.org/updates/F10/FEDORA-2009-3152