Root privileges through Linux kernel bug - Update
According to a report written by Rafal Wojtczuk, a conceptual problem in the memory management area of Linux allows local attackers to execute code at root level. The Linux issue is caused by potential overlaps between the memory areas of the stack and shared memory segments.
As a potential attack scenario, Wojtczuk describes the X Server, where the distance between the boundaries of the heap and stack can be made very small by filling the memory with data such as pixmaps. A subsequent request for a shared memory segment by the attacker will result in the segment being added to the end of the heap. If the attacker then manages to make the X Server call a recursive function, the stack will grow into the shared memory segment. By writing into the requested shared memory at the same moment, the attacker will also make changes to the content of the stack, for example, to return addresses. This allows code to be executed at root privilege level. Developer Brad Spengler, who works for grsecurity, has released an exploit which demonstrates a problem – although it only causes the X Server to crash.
Security expert Joanna Rutkowska says that the vulnerability has been present in the kernel for years, probably since the release of version 2.6 in December 2003. To solve the problem, Wojtczuk's paper suggests the introduction of a guaranteed minimum of one memory page (guard page) between the stack and other memory areas. This function has already been implemented in kernel versions 126.96.36.199, 188.8.131.52 and 184.108.40.206, but without the problem being explicitly pointed out. In addition, processes whose stack touches the boundaries of other memory areas are now terminated via SIGBUS. Another update is being prepared for inclusion in 220.127.116.11. User who don't run the kernel released by kernel.org should wait for their Linux distributors to provide an update for their specific distribution. Red Hat has already responded by releasing a dedicated bug report.
The vulnerability can be exploited in all older versions if an X Server is running on the system. To compromise a system remotely, an attacker would first have to exploit another hole to inject code and execute it on the system. As a second step, the attacker would then use the procedure described above to obtain root privileges. Kernel developer Greg Kroah-Hartman has sent a clear message to the Linux community: "All users [of the affected kernel series] must upgrade".
Update - In an email to The H, Joanna Rutowska clarifies that Spengler's exploit targets "some unrelated vulnerability" and her reference to it was in relation to guesses made by Spengler noted in the source code comments.
Update - As Marcus Meissner from the SUSE security team explained to heise Security, SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel. SUSE itself has the fix and SUSE Linux Enterprise 9, 10 and 11 as well as openSUSE 11.1 through 11.3 do not exhibit this vulnerability.