(CVE-2012-0056) CVE-2012-0056 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking

From Linus' patch:
"Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very robust, and it also doesn't match the permission checking of any of the other related files.

This changes it to do the permission checks at open time, and instead of tracking the process, it tracks the VM at the time of the open. That simplifies the code a lot, but does mean that if you hold the file descriptor open over an execve(), you'll continue to read from the _old_ VM."

A local, unprivileged user could use this flaw to escalate their privileges.

Upstream commit:
http://git.kernel.org/linus/e268337dfe26dfc7efd422a804dbb27977a3cccc

Acknowledgements:

Red Hat would like to thank Jüri Aedla for reporting this issue.

Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as it did not backport the upstream commit 198214a7ee. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0052.html and https://rhn.redhat.com/errata/RHSA-2012-0061.html. For more information, please read https://access.redhat.com/kb/docs/DOC-69129.

Created kernel tracking bugs for this issue

Affects: fedora-all [bug 782681]

Ensure that ASLR is enabled, see /proc/sys/kernel/randomize_va_space.

Created attachment 556461
A reproducer that tests if we have commit 198214a7.

To mitigate the issue:

1) On the host, save the following in a file with the ".stp" extension:

probe kernel.function("mem_write@fs/proc/base.c").call {
  $count = 0
}

2) Install the "systemtap" package and any required dependencies. Refer to
the "2. Using SystemTap" chapter in the Red Hat Enterprise Linux 6
"SystemTap Beginners Guide" document, available from docs.redhat.com, for
information on installing the required -debuginfo packages.

3) Run the "stap -g [filename-from-step-1].stp" command as root.

If the host is rebooted, the changes will be lost and the script must be
run again.

Knowledgebase article for this issue: https://access.redhat.com/kb/docs/DOC-69129

Linux Local Privilege Escalation via SUID /proc/pid/mem Write
http://blog.zx2c4.com/749

This was shared on oss-security list on Jan 18, http://seclists.org/oss-sec/2012/q1/178. All Linux distro representatives are (expected to be) subscribed to this list.

Kees wrote a blog post about this, http://www.outflux.net/blog/archives/2012/01/22/fixing-vulnerabilities-with-systemtap/.

Spender modified the reproducer to make it work on PaX, http://grsecurity.net/~spender/correct_proc_mem_reproducer.c

Exploits published,
http://www.exploit-db.com/exploits/18411/ or
http://git.zx2c4.com/CVE-2012-0056/tree/mempodipper.c
http://git.zx2c4.com/CVE-2012-0056/tree/shellcode-32.s
http://git.zx2c4.com/CVE-2012-0056/tree/shellcode-64.s
http://seclists.org/fulldisclosure/2012/Jan/354
http://ring0.me/exploits/procmem_CVE-2012-0056/cve2012-0056_procmem.tar

On Red Hat Enterprise Linux 6, /bin/su (coreutils) and
/usr/bin/gpasswd (shadow-utils) are protected at compile time by PIE.

Android version...
https://github.com/saurik/mempodroid

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0052 https://rhn.redhat.com/errata/RHSA-2012-0052.html

Original report and exploit from Jüri Aedla:

http://kodu.ut.ee/~asd/exp-0-aedla/report.html
http://kodu.ut.ee/~asd/exp-0-aedla/exp-0-aedla.c

This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0061 https://rhn.redhat.com/errata/RHSA-2012-0061.html

LWN: A /proc/PID/mem vulnerability
https://lwn.net/Articles/476947/