[SECURITY-L] *** IMPORTANT: [S] mremap() flaw being exploited

CSIRT - UNICAMP security at unicamp.br
Fri Feb 27 08:51:00 -03 2004


----- Forwarded message from Cristine Hoepers <cristine at nic.br> -----

From: Cristine Hoepers <cristine at nic.br>
Subject: [S] mremap() flaw being exploited
To: seguranca at pangeia.com.br
Date: Thu, 26 Feb 2004 21:19:41 -0300

Dear all,

Last week a vulnerability in mremap() was disclosed, and a patch for
the Linux kernel that fixes this vulnerability was released. Although
it has not received wide publicity, this flaw is being used to obtain
privileged access to Linux systems.

The exploits available allow local users to obtain root access on the
machines.

Below is an alert from Stanford University highlighting the discovery,
today, of at least one machine compromised through this vulnerability.

At the end of the alert are the links to the RedHat and Debian update
pages.


Regards,
Cristine
CERT Certified Computer Security Incident Handler
NBSO -- NIC BR Security Office
http://www.nbso.nic.br/

==========

[http://securecomputing.stanford.edu/alerts/linux-mremap-19feb2004.html]

ITSS Information Security Services
ITSS Security Alerts > Linux kernel patch fixes memory management
vulnerability -- 19 February 2004

Summary

UPDATE: As of 26 February 2004, at least three independent exploits
for this vulnerability are in circulation. We have evidence of the
attack being used at Stanford to compromise machines. Please update
your kernel promptly!

A new release of the Linux kernel fixes a memory management problem in
the kernel [1-3]. All users of SULinux, RedHat and Debian are strongly
encouraged to update their software quickly to avoid system
compromise.

For SULinux 9, su to root, and type

    apt-get update
    apt-get install kernel#2.4.20-30.9

Reboot your machine, and be sure it comes up gracefully. Once you've
tested the new kernel, run

    apt-get remove kernel#2.4.20-28.9

to remove the old kernel.

Note: the minor kernel number may vary in the final command. To
determine your kernel version, type uname -r at the command line:

    test-machine:~> uname -r
    2.4.20-28.9smp

For SMP kernels:

    apt-get update
    apt-get install kernel-smp#2.4.20-30.9

Reboot your machine, and be sure it comes up gracefully. Once you've
tested the new kernel, run

    apt-get remove kernel-smp#2.4.20-28.9

Kernel updates will be available for SULinux 7.3 and 8 later this week.

Technical Details

Linux uses virtual memory area descriptors (hereafter VMAs) to manage
user addressable memory locations for processes. VMAs include the
starting address of valid memory regions, the size of the region, and
flags like page protection. The mremap() system call allows the kernel
to modify the size and location of user addressable memory. mremap()
uses another system call, do_munmap(), to remove existing old memory
maps in the new location, but it fails to validate the return value of
do_munmap(). This may allow an attacker to achieve root privileges on
an unpatched system, or to disrupt the kernel sufficiently that the
system becomes unusable.  
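The pattern the alert describes, as an added illustration that is not part of the Stanford alert and not kernel source: a small model of VMA bookkeeping in which the unmap at the destination address can fail because splitting a region would push the process past its VMA limit. `MAX_MAPS`, the structures and the two mremap variants are assumptions of this model; it shows only the bookkeeping inconsistency that an unchecked return value leaves behind, not the kernel's real page-table handling.

```c
#include <errno.h>
#define MAX_MAPS 4   /* hypothetical per-process VMA limit, kept tiny for the demo */
struct vma { unsigned long start, len; };
struct mm  { struct vma v[MAX_MAPS + 1]; int count; };

/* Unmap [addr, addr+len). Only the case that matters here is modelled: a hole in
 * the middle of a VMA splits it, needing a free slot, so -ENOMEM at the limit. */
static int do_munmap(struct mm *mm, unsigned long addr, unsigned long len)
{
    for (int i = 0; i < mm->count; i++) {
        struct vma *v = &mm->v[i];
        unsigned long end = v->start + v->len, rend = addr + len;
        if (addr > v->start && rend < end) {
            if (mm->count >= MAX_MAPS) return -ENOMEM;
            mm->v[mm->count++] = (struct vma){ rend, end - rend };
            v->len = addr - v->start;
        }
    }
    return 0;
}

/* Bookkeeping sanity check: no two VMAs may cover the same address. */
static int vmas_overlap(const struct mm *mm)
{
    for (int i = 0; i < mm->count; i++)
        for (int j = i + 1; j < mm->count; j++)
            if (mm->v[i].start < mm->v[j].start + mm->v[j].len &&
                mm->v[j].start < mm->v[i].start + mm->v[i].len) return 1;
    return 0;
}

/* Vulnerable pattern: do_munmap's result is ignored, so the moved mapping is
 * inserted on top of the old one that is still there. */
static int mremap_unchecked(struct mm *mm, unsigned long new_addr, unsigned long len)
{
    do_munmap(mm, new_addr, len);
    mm->v[mm->count++] = (struct vma){ new_addr, len };
    return 0;
}

/* Fixed pattern: propagate the error and insert nothing. */
static int mremap_checked(struct mm *mm, unsigned long new_addr, unsigned long len)
{
    int ret = do_munmap(mm, new_addr, len);
    if (ret) return ret;
    mm->v[mm->count++] = (struct vma){ new_addr, len };
    return 0;
}
```

With a process already holding `MAX_MAPS` regions, the unchecked variant ends with two VMAs covering the same addresses, while the checked variant returns `-ENOMEM` and leaves the map untouched.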

Countermeasures

A proof of concept exploit for vulnerable versions of the Linux kernel
has been submitted to the various operating system development teams,
and will be released publicly next week.

There are no workarounds available to prevent this attack from
succeeding. System administrators on multi-user machines should be
particularly careful of local privilege escalation attacks, but all
Linux users are strongly encouraged to update their kernels
immediately.

References

[1] Linux kernel do_mremap VMA limit local privilege escalation
    vulnerability
    http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt

[2] Updated kernel packages resolve security vulnerabilities
    http://rhn.redhat.com/errata/RHSA-2004-065.html

[3] DSA-438-1 linux-kernel-2.4.18-alpha+i386+powerpc -- missing
    function return value check
    http://www.debian.org/security/2004/dsa-438

Last modified Thursday, 26-Feb-2004 15:35:29 PST

© 2003-2004, Stanford University. All rights reserved.


----- End forwarded message -----
