what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

do_brk.txt

do_brk.txt
Posted Dec 3, 2003
Authored by Wojciech Purczynski, Paul Starzetz | Site isec.pl

Detailed information on the linux kernel v2.4 prior to v2.4.23 local root vulnerability in the do_brk() kernel function. Kernels 2.4.20-18.9, 2.4.22 (vanilla), and 2.4.22 with grsecurity patch are confirmed vulnerable.

tags | advisory, kernel, local, root
systems | linux
SHA-256 | 43a76479ec2e92c678e1e79c86fa11a5609b490ba6e29b4d220c64300a875126

do_brk.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis: Linux kernel do_brk() lacks argument bound checking
Product: Linux
Version: up to 2.4.23, others
Vendor: https://www.kernel.org/

URL: https://isec.pl/vulnerabilities/isec-0012-do_brk.txt
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0961
Author: Paul Starzetz <ihaquer@isec.pl>
Wojciech Purczynski <cliph@isec.pl>
Date: December 1, 2003


Issue:
======

Critical security bug has been discovered in the Linux kernel within
do_brk() function that may lead to full compromise of vulnerable system.


Details:
========

The physical memory of a x86 machine running one of the recent Linux
kernels is managed in a simplified flat memory model. Each user process
may address a memory ranging from 0 up to TASK_SIZE bytes. Memory above
this limit is not accessible to the user and contains kernel code with
its data structures. User process is divided into logical sections,
called virtual memory areas. The kernel keeps tracks and manages user
process's virtual memory areas to provide proper memory management and
memory protection faults handling. More details of Linux memory
management are out of the scope of this article and can be found in [3].

The do_brk() is an internal kernel function that is called indirectly to
manage process's memory heap (brk), growing or shrinking it accordingly.
It is simplified version of mmap(2) system call that only handles
anonymous mappings (i.e. not initialized data). The function lacks of
bound checks of its parameters and may be exploited to create arbitrary
large virtual memory area, exceeding user accessible memory limit. Thus,
the kernel memory above this limit may become part of user process's
memory as visible to the kernel memory manager.

Typical memory layout of user process may look like:

bash$ cat /proc/self/maps
08048000-0804c000 r-xp 00000000 03:02 207935 /bin/cat
0804c000-0804d000 rw-p 00003000 03:02 207935 /bin/cat
0804d000-0804e000 rwxp 00000000 00:00 0
40000000-40015000 r-xp 00000000 03:02 207495 /lib/ld-2.3.2.so
40015000-40016000 rw-p 00014000 03:02 207495 /lib/ld-2.3.2.so
40016000-40017000 rw-p 00000000 00:00 0
40020000-40021000 rw-p 00000000 00:00 0
42000000-4212f000 r-xp 00000000 03:02 319985 /lib/tls/libc-2.3.2.so
4212f000-42132000 rw-p 0012f000 03:02 319985 /lib/tls/libc-2.3.2.so
42132000-42134000 rw-p 00000000 00:00 0
bfffe000-c0000000 rwxp fffff000 00:00 0

The do_brk() function is called from within ELF and a.out loaders as
well as from brk(2) syscall. These are three different vectors which may
be used to exploit do_brk() bug. After successful exploitation process
memory may contain a large memory mapping, i.e.:

080a5000-c891d000 rwxp 00000000 00:00 0


Impact:
=======

Successful exploitation of do_brk() leads to full compromise of
vulnerable system, including gaining full uid 0 privileges, possibility
of kernel code and data structures modification as well as kernel-level
(ring0) code execution.

Tested and successfully exploited kernel versions include:

o 2.4.20-18.9 as shipped with RedHat 9.0
o 2.4.22 (vanila)
o 2.4.22 with grsecurity patch

There is no known reliable workaround for this vulnerability except. We
recommend upgrading to the most recent kernel version (so far the 2.4.23
kernel) on all vulnerable systems.

Limiting maximum size of user process's data segment with ulimit -d
command provides some workaround for exploit based on brk system call.
However, there are at least two other attack vectors that can not be
disabled without patching the system.

We have succesfully created proof-of-concept exploit. Unfortunately we
guess that our exploit may have leaked to the underground.


Credits:
========

Paul Starzetz <ihaquer@isec.pl> has indenpendently discovered the bug,
Wojciech Purczynski <cliph@isec.pl> invented and provided numerous
techniques to automatically and efficiently exploit the bug.


References:
===========

[1] Intel Architecture Software Developer's Manual Volume 2
"Instruction Set Reference"

[2] Intel Architecture Software Developer's Manual Volume 3
"System Programming Guide"

[3] Daniel P. Bovet, Marco Cesati,
"Understanding the Linux Kernel"


- --
Paul Starzetz
iSEC Security Research
https://isec.pl/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/y8jRC+8U3Z5wpu4RAnHvAKDEC0/e5xr7s61wMSsr4XUDl5+S8ACfQTqe
CsfpNtUMoLW7xDS22JSAJP0=
=dpRp
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close