Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE Request: linux-kernel priviledge escalation on ARM/perf
From: Vince Weaver <vincent.weaver () maine edu>
Date: Wed, 14 Aug 2013 17:37:32 -0400 (EDT)

Hello

I'm not really a security researcher, so hopefully I'm reporting this in 
the proper way.

I have a fuzzer tool for the perf_event_open() syscall that found
a few oopses on the ARM platform, which I reported to lkml a week ago.

One of the oopses can lead to a local privilege escalation on ARM-perf.
This fix can be found here:
  http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7809/1
The discussion thread is:
  https://lkml.org/lkml/2013/8/7/259 

The hope is this appears in 3.11-rc6 but my attempts to get the people at 
security () vger kernel org to take this seriously didn't really go very 
well.

I do have code that will exploit the kernel and give me a root shell
on an ARM Pandaboard machine running 3.11-rc4.  The exploit is a bit 
fragile though:
  + Only works on ARM
  + Elevates from normal user to root, no special config required.
    perf_event syscalls run as regular users, not sure why some
    think you need root.
  + It does need a user-mappable address at an exact byte offset
    from a pmu_struct in memory.  This limits things somewhat; in
    my testing 3.11-rc kernels have INT_MIN at exactly the right place 
    but the exploit doesn't work on a 3.7.6 kernel,
    it just oopses or crashes the machine.

Thanks,

Vince


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault