[SECURITY-L] *** IMPORTANT: [S] mremap() flaw being exploited
CSIRT - UNICAMP
security at unicamp.br
Fri Feb 27 08:51:00 -03 2004

----- Forwarded message from Cristine Hoepers <cristine at nic.br> -----
From: Cristine Hoepers <cristine at nic.br>
Subject: [S] mremap() flaw being exploited
To: seguranca at pangeia.com.br
Date: Thu, 26 Feb 2004 21:19:41 -0300

Dear all,

Last week a vulnerability in mremap() was disclosed and a patch for
the Linux kernel was released that fixes this vulnerability. Although
it has not received wide publicity, this flaw is being used to gain
privileged access to Linux systems.

The available exploits allow local users to obtain root access to
the machines.

Below is an alert from Stanford University that highlights the
discovery, today, of at least one machine compromised through this
vulnerability.

At the end of the alert are the links to the RedHat and Debian
update pages.

Regards,
Cristine
CERT Certified Computer Security Incident Handler
NBSO -- NIC BR Security Office
http://www.nbso.nic.br/
==========
[http://securecomputing.stanford.edu/alerts/linux-mremap-19feb2004.html]
ITSS Information Security Services
ITSS Security Alerts > Linux kernel patch fixes memory management
vulnerability -- 19 February 2004

Summary

UPDATE: As of 26 February 2004, at least three independent exploits
for this vulnerability are in circulation. We have evidence of the
attack being used at Stanford to compromise machines. Please update
your kernel promptly!

A new release of the Linux kernel fixes a memory management problem in
the kernel [1-3]. All users of SULinux, RedHat and Debian are strongly
encouraged to update their software quickly to avoid system
compromise.

For SULinux 9, su to root, and type

    apt-get update
    apt-get install kernel#2.4.20-30.9

Reboot your machine, and be sure it comes up gracefully. Once you've
tested the new kernel, run

    apt-get remove kernel#2.4.20-28.9

to remove the old kernel.

Note: the minor kernel number may vary in the final command. To
determine your kernel version, type uname -r at the command line:

    test-machine:~> uname -r
    2.4.20-28.9smp

For SMP kernels:

    apt-get update
    apt-get install kernel-smp#2.4.20-30.9

Reboot your machine, and be sure it comes up gracefully. Once you've
tested the new kernel, run

    apt-get remove kernel-smp#2.4.20-28.9

Kernel updates will be available for SULinux 7.3 and 8 later this week.

Technical Details

Linux uses virtual memory area descriptors (hereafter VMAs) to manage
user addressable memory locations for processes. VMAs include the
starting address of valid memory regions, the size of the region, and
flags like page protection. The mremap() system call allows the kernel
to modify the size and location of user addressable memory. mremap()
uses another system call, do_munmap(), to remove existing old memory
maps in the new location, but it fails to validate the return value of
do_munmap(). This may allow an attacker to achieve root privileges on
an unpatched system, or to disrupt the kernel sufficiently that the
system becomes unusable.

Countermeasures

A proof of concept exploit for vulnerable versions of the Linux kernel
has been submitted to the various operating system development teams,
and will be released publicly next week.

There are no workarounds available to prevent this attack from
succeeding. System administrators on multi-user machines should be
particularly careful of local privilege escalation attacks, but all
Linux users are strongly encouraged to update their kernels
immediately.

References

[1] Linux kernel do_mremap VMA limit local privilege escalation vulnerability
    http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
[2] Updated kernel packages resolve security vulnerabilities
    http://rhn.redhat.com/errata/RHSA-2004-065.html
[3] DSA-438-1 linux-kernel-2.4.18-alpha+i386+powerpc -- missing function return value check
    http://www.debian.org/security/2004/dsa-438

Last modified Thursday, 26-Feb-2004 15:35:29 PST
© 2003-2004, Stanford University. All rights reserved.
----- End forwarded message -----
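
The uname -r check from the alert, turned into a script an administrator could run across hosts. This is an added example, not part of the forwarded alert or of Stanford's tooling. The function name mremap_kernel_status is hypothetical, and comparing only the package build number against 30 (from the fixed SULinux 9 package 2.4.20-30.9 named in the alert) is an assumption; releases outside the 2.4.20 line are reported as unknown because the alert gives no fixed version for them.

```shell
#!/bin/sh
# Added example: classify a `uname -r` string against the fixed SULinux 9
# kernel package named in the alert (2.4.20-30.9).
FIXED_BASE="2.4.20"   # upstream version of the fixed package (from the alert)
FIXED_BUILD=30        # build number of the fixed package (from the alert)

# Hypothetical helper: prints "vulnerable", "patched" or "unknown".
mremap_kernel_status() {
    rel=$1
    # Strip a flavour suffix such as "smp" (e.g. 2.4.20-28.9smp).
    rel=$(printf '%s\n' "$rel" | sed 's/[a-z][a-z]*$//')
    base=${rel%%-*}     # e.g. "2.4.20"
    pkg=${rel#*-}       # e.g. "28.9"
    # No dash: there is no package release to compare.
    if [ "$pkg" = "$rel" ]; then echo unknown; return 0; fi
    build=${pkg%%.*}    # e.g. "28"
    # The alert only gives version numbers for the 2.4.20 line.
    if [ "$base" != "$FIXED_BASE" ]; then echo unknown; return 0; fi
    # Refuse to compare anything that is not a plain number.
    case $build in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$build" -lt "$FIXED_BUILD" ]; then
        echo vulnerable     # older than the fixed build: update needed
    else
        echo patched        # at or above the fixed build
    fi
}

# Constructed sample inputs; on a real host pass "$(uname -r)" instead.
for r in 2.4.20-28.9smp 2.4.20-30.9 2.4.18-1-686; do
    printf '%s %s\n' "$r" "$(mremap_kernel_status "$r")"
done
```

A result of unknown means the host needs to be checked against its own vendor's advisory, such as the RedHat and Debian pages in the references.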