The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[UNIX] Linux Kernel cpuset tasks Information Disclosure Vulnerability


<< Previous INDEX Search src / Print Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 11 Jun 2007 09:57:24 +0200
Subject: [UNIX] Linux Kernel cpuset tasks Information Disclosure Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070611071230.E0183573F@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Linux Kernel cpuset tasks Information Disclosure Vulnerability
------------------------------------------------------------------------


SUMMARY

Linux is "a clone of the UNIX operating system, written from scratch by 
Linus Torvalds with assistance from a loosely-knit team of hackers across 
the Internet. The cpuset functionality allows process to be assigned to 
processors on multi-processor machines".

Local exploitation of an information disclosure vulnerability within the 
Linux Kernel allows attackers to obtain sensitive information from kernel 
memory.

DETAILS

Vulnerable Systems:
 * Linux Kernel version 2.6.20 installed with Fedora CORE 6.
 * It is suspected that previous versions, at least until 2.6.12, are also 
vulnerable.

This vulnerability specifically exists in the "cpuset_tasks_read" 
function. This function is responsible for supplying user-land processes 
with data when they read from the /dev/cpuset/tasks file. The code excerpt 
below shows the problem area.

  1754          if (*ppos + nbytes > ctr->bufsz)
  1755                  nbytes = ctr->bufsz - *ppos;
  1756          if (copy_to_user(buf, ctr->buf + *ppos, nbytes))

By reading from an offset (*ppos) larger than the contents of the file, an 
attacker can cause an integer underflow to occur in the subtraction on 
line 1755. This will result in the "copy_to_user" function on line 1756 to 
be called with a memory address located at a lower address than the start 
of the intended buffer. This memory could potentially contain sensitive 
information such as security tokens or passwords.

Exploitation of this vulnerability allows attackers to obtain sensitive 
information from kernel memory.

In order to exploit this vulnerability, an attacker would need access to 
open the /dev/cpuset/tasks file. It is important to note that this file 
does not exist unless the cpuset file system has been mounted. 
Additionally, this functionality is not included by default in a vanilla 
kernel build.

Furthermore, because of checks at the VFS layer and in the 
'copy_to_user()' function, an attacker cannot use arbitrary values. 
However, on 32-bit systems it is easily exploitable.

Workaround:
In order to prevent exploitation of this vulnerability, discontinue use of 
the cpuset file system. This can be accomplished by un-mounting the file 
system using the "umount" command.

Vendor Status:
The Linux kernel team has released versions 2.6.20.13 and 2.6.21.4 to 
address this vulnerability. More information can be found via the 
following URLs.
 <http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.13>; 
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.13
 <http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4>; 
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2875>; 
CVE-2007-2875

Disclosure Timeline:
 * 04/27/2007 - Initial vendor notification
 * 06/04/2007 - Second vendor notification
 * 06/04/2007 - Initial vendor response
 * 06/07/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
 
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=541>; 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=541




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру