Exploits Emerge For Linux Privilege Escalation Flaw

angry tapir writes "Linux vendors are rushing to patch a privilege escalation vulnerability in the Linux kernel that can be exploited by local attackers to gain root access on the system. The vulnerability, which is identified as CVE-2012-0056, was discovered by Jüri Aedla and is caused by a failure of the Linux kernel to properly restrict access to the '/proc//mem' file."

Re:Local exploit?

[Lumpio-]

A weak SSH user account/PHP script/whatever + local privilege escalation = instant remote root

Link to more info

[milbournosphere]

It's a geekier breakdown, but is quite informative.

http://blog.zx2c4.com/749

Gets into the memory specifics of the bug. I found it to be far better than the actual article.

Re:Hrrm

[Anonymous Coward]

I was with you up until Rule #3 which is nonsense.

Debian (mostly) not affected

[Trogre]

Since this bug was introduced in Linux 2.6.39 Debian Stable (squeeze, Linux 2.6.32) is not affected. Unstable(sid, Linux 3.1) has already been patched, though Testing (wheezy) is still vulnerable.

More information here [debian.org]

Simple explanation

[Chemisor]

There is /proc/pid/mem, a pseudofile referring to the memory of process pid. It has 0600 permissions so you can't write to the memory of other users' processes. The bug occurs when you exec an suid executable and the kernel does not change open fds for /proc/pid/mem. This way, you can open mem, dup it to stderr, and exec su with a garbage parameter. su will duly print an error, quoting the offending parameter, writing to its process memory. With a properly selected shellcode you can get root.

Re:Broken on Android too

[bfree]

Really? This bug was only present in kernel releases 2.6.39 and newer. Do any Android devices use kernel's based on a Linux this current? A quick search says Android 2.3. used 2.6.35 and 3.0 used 2.6.36 so the number of devices this might possibly help you root looks miniscule.

Re:Broken on Android too

[slack_justyb]

Someone has already beaten every one else to the punch. [github.com]

However, you need Ice Cream Sandwich and you will need access to a disassembler. Also, you cannot use this exploit for "one-click" root access as the only program that is in the Android stack that runs setuid root, is run-as. That command is statically linked so you will still need adb access so that you can disassemble the program to find it's exit call.

So there is still a fair amount of work left to be done to make this an exploit that can be used in the "wild" for Android devices. However, as a fair note. A little crowd sourcing to compile a list of offsets for different devices could greatly speed up the process. I'm actually curious if Google will patch this in there kernel.

What'd "//" be ?

[aglider]

/proc//mem

is the very wrong quotation!
The original source [techworld.com.au] quotes instead:

/proc/<pid>/mem

which is the memory as seen by a certain process whose PID is <pid>.
Moreover, there's no "/proc/mem" file and the "//" whould be interpreted as "/".
But maybe that'd be just the Slashdot editor.