mailing list archives
Addendum, recent Linux <= 2.4.27 vulnerabilities
From: Paul Starzetz <ihaquer () isec pl>
Date: Fri, 19 Nov 2004 20:26:21 +0100 (CET)
-----BEGIN PGP SIGNED MESSAGE-----
while looking at the changelog for 2.4.28, I've found, that a bug I
independently came over some days ago has been fixed in that release:
David S. Miller:
o [AF_UNIX]: Serialize dgram read using semaphore just like stream
That fixes missing serialization in unix_dgram_recvmsg().
I was slightly suprised reading the 2.4.27 code and I strongly believe
that the flaw is fully exploitable to gain elevated privileges.
There is a subtle race condition finally permitting a non-root user to
increment (up to 256 times) any arbitrary location(s) in kernel space.
The condition is not easy to exploit since an attacker must trick
kmalloc() to sleep on allocation of a special chunk of memory and then
convince the scheduler to execute another thread. But it is feasible.
Conclusion: update as quick as possible to 2.4.28.
iSEC Security Research
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
- Addendum, recent Linux <= 2.4.27 vulnerabilities Paul Starzetz (Nov 19)