Critical vulnerability in the Linux kernel affects all versions since 2001
Google security specialists Tavis Ormandy and Julien Tinnes report that a critical security vulnerability in the Linux kernel affects all 2.4 and 2.6 versions since 2001, on all architectures. The vulnerability enables users with limited rights to gain root rights on the system. The cause is a NULL pointer dereference in connection with the initialisation of sockets for rarely used protocols.
A structure of function pointers usually defines which operations a socket supports, for example accept, bind and so on. If an operation such as accept is not implemented, its pointer should reference a predefined stub such as sock_no_accept. This is evidently not the case for all implemented protocols. The report mentions PF_BLUETOOTH, PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN, among others, as having unimplemented operations. Some pointers remain uninitialised, and this can be exploited in conjunction with the function sock_sendpage to execute code with root rights.
Ormandy and Tinnes believe that all Linux versions 2.4 and 2.6 since May 2001 are affected, which means 2.4.4 up to and including 220.127.116.11, as well as 2.6.0 up to and including 18.104.22.168. Instead of fixing all incompletely implemented protocols, the kernel developers have simply remapped sock_sendpage to the function kernel_sendpage, which also handles the case of an uninitialised pointer. So far, this correction has only gone into the kernel repository.
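The difference between trusting every protocol's operations table and checking the pointer centrally can be shown with a small user-space model. This is an added illustration, not kernel code; the type and function names (ops_model, sendpage_checked and so on) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* User-space model of a socket operations table (all names hypothetical). */
struct sock_model;
typedef long (*sendpage_fn)(struct sock_model *sk, const char *page, size_t len);
typedef int (*accept_fn)(struct sock_model *sk);

struct ops_model {
    accept_fn accept;
    sendpage_fn sendpage;
};

struct sock_model { const struct ops_model *ops; };

/* Predefined stubs: the safe value for an operation a protocol lacks. */
static int stub_no_accept(struct sock_model *sk) { (void)sk; return -EOPNOTSUPP; }
static long stub_no_sendpage(struct sock_model *sk, const char *page, size_t len)
{ (void)sk; (void)page; (void)len; return -EOPNOTSUPP; }
static long real_sendpage(struct sock_model *sk, const char *page, size_t len)
{ (void)sk; (void)page; return (long)len; }

/* Before: trusts the table; a NULL slot becomes a call through address 0. */
long sendpage_unchecked(struct sock_model *sk, const char *page, size_t len)
{ return sk->ops->sendpage(sk, page, len); }

/* After: one central check falls back to the stub for a NULL slot. */
long sendpage_checked(struct sock_model *sk, const char *page, size_t len)
{
    sendpage_fn fn = sk->ops->sendpage ? sk->ops->sendpage : stub_no_sendpage;
    return fn(sk, page, len);
}

/* Audit helper: count the slots a protocol left uninitialised. */
int count_null_ops(const struct ops_model *ops)
{ return (ops->accept == NULL) + (ops->sendpage == NULL); }

/* Constructed sample tables: one complete, one with sendpage forgotten. */
const struct ops_model complete_ops = { stub_no_accept, real_sendpage };
const struct ops_model incomplete_ops = { stub_no_accept, NULL };

int main(void)
{
    struct sock_model a = { &complete_ops }, b = { &incomplete_ops };
    printf("complete: %ld\n", sendpage_checked(&a, "x", 1));
    printf("incomplete: %ld\n", sendpage_checked(&b, "x", 1));
    printf("null slots: %d\n", count_null_ops(&incomplete_ops));
    return 0;
}
```

The checked dispatcher protects every protocol at once, while the audit helper is the kind of check that would catch an incomplete table at registration time.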
However, a new official kernel version can be expected shortly since an exploit for the vulnerability is already publicly available. The author of the code is again Brad Spengler, who published a root exploit for the Linux kernel in mid-July. In a short test on a completely patched Ubuntu 8.10 in the heise Security office, The H's associates found that the new exploit gave root access to the system.
Ormandy and Tinnes say, however, that the exploit will not work on current kernels with mmap_min_addr support if vm.mmap_min_addr is set via sysctl to a value greater than zero.
- Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692), cr0 blog posting by Julien Tinnes.
- Linux NULL pointer dereference due to incorrect proto_ops initializations, description by Tavis Ormandy.
- Root exploit for Linux kernel published, a report from The H Security.