Bug 63427 (CVE-2004-1068)

Summary: VUL-0: CVE-2004-1068: kernel: race condition in unix_dgram_recvmsg()
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: aj, ihno, klaus, mfrueh, patch-request, security-team, smueller
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1068: CVSS v2 Base Score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: mail.txt
BK changeset for 2.4 kernels
BK changeset for 2.6 kernels

Description Thomas Biege 2004-11-22 19:26:36 UTC 
Hi, 
the following "warning" from Paul Starzetz was posted to Bugtraq: 
 
Date: Fri, 19 Nov 2004 20:26:21 +0100 (CET) 
From: Paul Starzetz <ihaquer@isec.pl> 
Reply-To: security@isec.pl 
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, 
        vulnwatch@vulnwatch.org 
Subject: Addendum, recent Linux <= 2.4.27 vulnerabilities 
 
-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
 
Hi, 
 
while looking at the changelog for 2.4.28, I've found, that a bug I 
independently came over some days ago has been fixed in that release: 
 
David S. Miller: 
  o [AF_UNIX]: Serialize dgram read using semaphore just like stream 
 
That fixes missing serialization in unix_dgram_recvmsg(). 
 
I was slightly suprised reading the 2.4.27 code and I strongly believe 
that the flaw is fully exploitable to gain elevated privileges. 
 
There is a subtle race condition finally permitting a non-root user to 
increment (up to 256 times) any arbitrary location(s) in kernel space. 
 
The condition is not easy to exploit since an attacker must trick 
kmalloc() to sleep on allocation of a special chunk of memory and then 
convince the scheduler to execute another thread. But it is feasible. 
 
Conclusion: update as quick as possible to 2.4.28. 
 
- -- 
Paul Starzetz 
iSEC Security Research 
http://isec.pl/ 
 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.0.7 (GNU/Linux) 
 
iD8DBQFBnkjiC+8U3Z5wpu4RAiCJAKCpqAD3jD/Ih6CSVxOUW0wnkXVY8QCgs584 
x03r/RbphAViQPJrM8Fqj28= 
=Adi4 
-----END PGP SIGNATURE-----
Comment 1 Thomas Biege 2004-11-22 19:26:36 UTC 
<!-- SBZ_reproduce  -->
-
Comment 2 Marcus Meissner 2004-11-25 21:32:12 UTC 
Created attachment 26455 [details]
mail.txt
Comment 3 Marcus Meissner 2004-11-25 21:34:32 UTC 
atached mail with samle DoS program...
Comment 4 Marcus Meissner 2004-11-25 21:45:26 UTC 
actually the program is not for this bug. 
 
important is just the line of Paul: 
 
|Btw. we have a working proof-of-concept root exploit for the AF_UNIX issue 
|http://lists.netsys.com/pipermail/full-disclosure/2004-November/029055.html 
| 
|preapre upgrades for your users.
Comment 5 Hubert Mantel 2004-11-25 21:49:45 UTC 
Who can extract the needed fix from 2.4.28? Will we delay the kernels that are
already in the update queue for this one?
Comment 6 Andreas Gruenbacher 2004-11-25 22:01:49 UTC 
Created attachment 26457 [details]
BK changeset for 2.4 kernels

All those bitkeeper changesets can be downloaded from http://linux.bkbits.net.
Comment 7 Marcus Meissner 2004-11-25 22:43:46 UTC 
we will not delay the current kernels. 
 
hubert, can you merge the fix into the affected kernels (everything up 
to 9.0 i think)
Comment 8 Marcus Meissner 2004-11-30 17:27:36 UTC 
CAN-2004-1068 for http://www.securityfocus.com/bid/11715                                
Missing serialization in unix_dgram_recvmsg() could lead                 
        to elevated privileges.  Affects 2.4.27 and earlier,                     
        Affects 2.6.9 and earlier.
Comment 9 Roman Drahtmueller 2004-12-02 00:53:51 UTC 
Sorry to interrupt: I need to know if SLES9 is affected. Seems no, right?
Comment 10 Andreas Gruenbacher 2004-12-02 00:58:43 UTC 
It does. Argh.
Comment 11 Andreas Gruenbacher 2004-12-02 01:38:00 UTC 
I have now checked the fix into the SLES9_BRANCH, SLES9_SP1_BRANCH, and HEAD.
Hubert, can you please update the 2.4 repositories?  Marcus, how to proceed?
Comment 12 Roman Drahtmueller 2004-12-02 01:50:31 UTC 
Andreas, could you please, for completeness, attach the 2.6 patch to this bug?
Comment 13 Andreas Gruenbacher 2004-12-02 01:53:06 UTC 
Created attachment 26667 [details]
BK changeset for 2.6 kernels
Comment 14 Roman Drahtmueller 2004-12-02 01:54:30 UTC 
Danke!
Comment 15 Marcus Meissner 2004-12-02 21:50:26 UTC 
next step is to apply the patch to all 2.4 based kernels
Comment 16 Hubert Mantel 2004-12-03 23:13:22 UTC 
Ok, it is in all trees now (9.2 was still missing). Re-assigning to
security-team. Kernels will be submitted for autobuild after I also checked in
the ELF fix.
Comment 17 Marcus Meissner 2004-12-08 23:38:37 UTC 
-> marcus is tracking the kernel update.
Comment 18 Marcus Meissner 2004-12-22 04:37:05 UTC 
updates and advisory released.
Comment 19 Thomas Biege 2009-10-13 19:59:57 UTC 
CVE-2004-1068: CVSS v2 Base Score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)