lug-bg: Kernel Exploit for 2.4.x, 2.5.x, and 2.6.x kernel branches.
- Subject: lug-bg: Kernel Exploit for 2.4.x, 2.5.x, and 2.6.x kernel branches.
- From: yawa@xxxxxxxxxxx
- Date: Fri, 16 Apr 2004 13:38:28 -0300 (EEST)
- Importance: Normal
Linux Kernel ISO9660 Buffer Overflow Privilege Escalation Vulnerability
Date: 15 April 2004
Security Alert ID: 1007776
Overview:
Linux is a free Unix-type operating system originally created by Linus Torvalds with the assistance of developers around the world. Developed under the GNU General Public License, the source code for Linux is freely available to everyone.
Description:
A vulnerability in the Linux kernel has been discovered, which can be exploited by malicious, local users to gain escalated privileges on a vulnerable system and may allow arbitrary code execution with root or kernel level privileges.
The Linux kernel performs no length checking on symbolic links stored on an ISO9660 file system, allowing a malformed CD to perform an arbitrary length overflow in kernel memory.
Symbolic links on ISO9660 file systems are supported by the 'Rock Ridge' extension to the standard format. The vulnerability can be triggered by performing a directory listing on a maliciously constructed ISO file system, or attempting to access a file via a malformed symlink on such a file system. Many distributions allow local users to mount CDs, which makes them potentially vulnerable to local elevation attacks.
The relevant functions are as follows:
fs/isofs/rock.c: rock_ridge_symlink_readpage()
fs/isofs/rock.c: get_symlink_chunk()
There is no checking that the total length of the symlink being read is less than the memory space that has been allocated for storing it. By supplying many CE (continuation) records, each with another SL (symlink) chunk, it is possible for an attacker to build an arbitrary length data structure in kernel memory space.
Affected:
2.4.x, 2.5.x, and 2.6.x kernel branches.
Solution:
Update to Linux kernel versions 2.4.26 and 2.6.6-rc1.
http://kernel.org/
Nice bug .....
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
============================================================================
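The missing length check described in the advisory, sketched as an added userspace C example (not the kernel's code and not the actual patch): each SL chunk is appended only if it still fits below a limit pointer, so a chain of continuation records cannot grow the symlink target past its buffer. The names `sl_chunk`, `append_sl_chunk`, `build_symlink` and the sample record are hypothetical.

```c
#include <string.h>

/* Rock Ridge SL component flags (RRIP). Type and function names are hypothetical. */
enum { SL_CONTINUE = 1, SL_CURRENT = 2, SL_PARENT = 4, SL_ROOT = 8 };
struct sl_chunk { const unsigned char *data; size_t len; };
static const unsigned char SAMPLE[] = { 0, 3, 'u', 's', 'r' };  /* constructed record */

/* Append one chunk's components at `out`; `limit` is one past the buffer end.
 * Returns the new write position, or NULL if malformed or out of room. */
static char *append_sl_chunk(const unsigned char *c, size_t clen,
                             char *out, char *limit)
{
    size_t off = 0;
    while (off + 2 <= clen) {
        unsigned char flags = c[off];
        size_t raw = c[off + 1], len = raw;
        const char *text = (const char *)&c[off + 2];
        if (off + 2 + raw > clen) return NULL;   /* component overruns its record */
        if (flags & SL_CURRENT)     { text = ".";  len = 1; }
        else if (flags & SL_PARENT) { text = ".."; len = 2; }
        else if (flags & SL_ROOT)   { text = "/";  len = 1; }
        /* The check the advisory says was absent: text + '/' + NUL must fit. */
        if ((size_t)(limit - out) < len + 2) return NULL;
        memcpy(out, text, len);
        out += len;
        if (!(flags & (SL_CONTINUE | SL_ROOT))) *out++ = '/';
        off += 2 + raw;
    }
    *out = '\0';
    return out;
}

/* Build the whole target from every chunk; returns its length, or -1 if rejected. */
static int build_symlink(const struct sl_chunk *ch, size_t n, char *buf, size_t sz)
{
    char *out = buf;
    if (sz == 0) return -1;
    *out = '\0';
    for (size_t i = 0; i < n && out; i++)
        out = append_sl_chunk(ch[i].data, ch[i].len, out, buf + sz);
    if (!out) return -1;
    if (out > buf + 1 && out[-1] == '/') *--out = '\0';  /* drop trailing separator */
    return (int)(out - buf);
}

int main(void)
{
    struct sl_chunk one = { SAMPLE, sizeof SAMPLE };
    char buf[16];
    return build_symlink(&one, 1, buf, sizeof buf) == 3 ? 0 : 1;
}
```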