Linux RDS Protocol
Local Privilege Escalation

Release Date 2010-10-19
Application Linux Kernel
Versions 2.6.30 - 2.6.36-rc8
Severity High
Discovered by Dan Rosenberg <drosenberg {at} vsecurity.com>
Vendor Status Patch Released [3]
CVE Candidate CVE-2010-3904
Reference Original Advisory

Product Description

From [1]:

"Linux is a free Unix-type operating system originally created by Linus Torvalds with the assistance of developers around the world. Developed under the GNU General Public License, the source code for Linux is freely available to everyone."

From [2]:

"Reliable Datagram Sockets (RDS) provide in order, non-duplicating, highly available, low overhead, reliable delivery of datagrams between hundreds of thousands of non-connected endpoints."

Vulnerability Overview

On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write abritrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

Vulnerability Details

On Linux, recvmsg() style socket calls are performed using iovec structs, which allow a user to specify a base address and size for a buffer used to receive socket data. Each packet family is responsible for defining functions that copy socket data, which is received by the kernel, back to user space to allow user programs to process and handle received network data.

When performing this copying of data to user space, the RDS protocol failed to verify that the base address of a user-provided iovec struct pointed to a valid userspace address before using the __copy_to_user_inatomic() function to copy the data. As a result, by providing a kernel address as an iovec base and issuing a recvmsg() style socket call, a local user could write arbitrary data into kernel memory. This can be leveraged to escalate privileges to root.

Proof-of-Concept Exploit

VSR has developed a proof-of-concept exploit [4] to both demonstrate the severity of this issue as well as allow users and administrators to verify the existence of the vulnerability. The exploit leverages the ability to write into kernel memory to reset the kernel's security operations structure and gain root privileges. The exploit requires that kernel symbol resolution is available to unprivileged users, via /proc/kallsyms or similar, as is the case on most stock distributions. It has been tested on both 32-bit and 64-bit x86 platforms. While this exploit has been reliable during testing, it is not advised to run kernel exploits on production systems, as there is a risk of causing system instability and crashing the affected machine.

Versions Affected

This vulnerability affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included. Installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions.

Vendor Response

The following timeline details Linux's response to the reported issue:

2010-10-13 Vulnerability reported to Linux security team
2010-10-13 Response, agreement on disclosure date
2010-10-19 Fix publicly committed [3]
2010-10-19 Coordinated disclosure

Recommendation

Users should install updates provided by downstream distributions or apply the committed patch [3] and recompile their kernel.

Preventing the RDS kernel module from loading is an effective workaround. This can be accomplished by executing the following command as root:

echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2010-3904 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements

Thanks to Andrew Morton, Linus Torvalds, Andy Grove, and Eugene Teo for their prompt responses and patch.


References

1. Linux kernel
http://www.linux.org
2. Reliable Datagram Sockets
http://oss.oracle.com/pipermail/rds-devel/2007-November/000228.html
3. GIT patch
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f
4. RDS protocol privilege escalation exploit
http://www.vsecurity.com/download/tools/linux-rds-exploit.c

This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure practices.


Copyright 2010 Virtual Security Research, LLC. All rights reserved.

2014-05-20
XML Schema, DTD, and Entity Attacks

2013-06-19
IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to POA

2012-10-23
Timothy D. Morgan presents No Crack Required: Cryptanalysis in Real-World Applications at OWASP AppSecUSA 2012.

2012-07-29
Michael Coppola presents Owning the Network: Adventures in Router Rootkits at DEF CON 20 [slides].

more...

Contact us by phone,
fax or e-mail:

Phone: 617.933.8919
Fax: 617.933.8920
Email: inquiry@vsecurity.com