Ubuntu

Local root exploit via CVE-2009-2692 (incorrect proto_ops initializations)

Reported by Mike Green on 2009-08-14
This bug affects 5 people

Affects                       Status     Importance  Assigned to
linux (Fedora)                Confirmed  Unknown
linux (Ubuntu)                           Medium      Unassigned
  Dapper                                 Undecided   Unassigned
  Hardy                                  Medium      Unassigned
  Intrepid                               Medium      Unassigned
  Jaunty                                 Medium      Unassigned
  Karmic                                 Medium      Unassigned
linux-source-2.6.15 (Ubuntu)             Undecided   Unassigned
  Dapper                                 Medium      Unassigned
  Hardy                                  Undecided   Unassigned
  Intrepid                               Undecided   Unassigned
  Jaunty                                 Undecided   Unassigned
  Karmic                                 Undecided   Unassigned

Bug Description

Binary package hint: linux-image-2.6.15-54-server

CVE Candidate is CVE-2009-2692

Exploit:

http://seclists.org/fulldisclosure/2009/Aug/0180.html

Patch:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

WORK-AROUND:

Ubuntu 8.04 and later default /proc/sys/vm/mmap_min_addr to 65536. Any non-zero value blocks this issue, because the exploit needs to map page zero. If your value is 0 (the "wine" and "dosemu" packages set it to 0), purge those packages and reset the value:

sudo apt-get purge wine dosemu
echo 65536 | sudo tee /proc/sys/vm/mmap_min_addr

On Ubuntu 6.06 (Dapper), the following configuration will work around the issue (note this disables IPv6):

sudo -s
cat > /etc/modprobe.d/mitigate-2692.conf << EOM
install ppp_generic /bin/true
install pppoe /bin/true
install pppox /bin/true
install slhc /bin/true
install bluetooth /bin/true
install ipv6 /bin/true
install irda /bin/true
install ax25 /bin/true
install x25 /bin/true
install ipx /bin/true
install appletalk /bin/true
EOM
/etc/init.d/bluez-utils stop
rmmod pppoe pppox ppp_generic slhc ax25 x25 irda crc_ccitt ipx ipv6 appletalk rfcomm l2cap bluetooth
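
The following POSIX sh script is an added example and not part of the Launchpad report: it audits a host for the two work-arounds given above. It classifies the mmap_min_addr value (0 is exploitable, anything non-zero blocks the page-zero mapping, below 65536 is still under the Ubuntu default), lists which of the Dapper-blacklisted modules are loaded given lsmod or /proc/modules text, and can emit the modprobe.d fragment. The function names, the AUDIT_HOST variable and the sample lsmod text are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Launchpad report: audit a host for the two
# work-arounds the report gives for CVE-2009-2692.
#   - 8.04 and later: /proc/sys/vm/mmap_min_addr must be non-zero (default 65536)
#   - 6.06 (Dapper, 2.6.15): the listed protocol modules must not be loaded
# Function names and the sample data below are constructed for the example.

# Modules the Dapper work-around blocks via "install <mod> /bin/true".
RISKY_MODULES="ppp_generic pppoe pppox slhc bluetooth ipv6 irda ax25 x25 ipx appletalk"

# check_mmap_min_addr VALUE
# Prints "ok", "low", "vulnerable" or "invalid"; returns 0 only for "ok".
# 0 lets an unprivileged process map page zero, which is what the exploit
# needs; a small non-zero value still blocks that but is below the default.
check_mmap_min_addr() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo "vulnerable"; return 1
    elif [ "$1" -lt 65536 ]; then
        echo "low"; return 1
    fi
    echo "ok"; return 0
}

# loaded_risky_modules LSMOD_TEXT
# Takes lsmod or /proc/modules output (module name in the first column,
# optional "Module ..." header) and prints the loaded modules that are in
# RISKY_MODULES, space separated, in RISKY_MODULES order.
loaded_risky_modules() {
    loaded=$(printf '%s\n' "$1" | awk '$1 != "Module" { print $1 }')
    found=""
    for m in $RISKY_MODULES; do
        for l in $loaded; do
            if [ "$l" = "$m" ]; then
                found="${found:+$found }$m"
            fi
        done
    done
    printf '%s\n' "$found"
}

# print_modprobe_conf
# Emits the /etc/modprobe.d fragment from the report's Dapper work-around.
print_modprobe_conf() {
    for m in $RISKY_MODULES; do
        echo "install $m /bin/true"
    done
}

# audit_host: run both checks against the running system.
audit_host() {
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        val=$(cat /proc/sys/vm/mmap_min_addr)
        state=$(check_mmap_min_addr "$val") || true
        echo "mmap_min_addr=$val ($state)"
    else
        # The 2.6.15 kernel on Dapper has no mmap_min_addr sysctl at all.
        echo "mmap_min_addr not available: rely on the module blacklist"
    fi
    if [ -r /proc/modules ]; then
        risky=$(loaded_risky_modules "$(cat /proc/modules)")
        if [ -n "$risky" ]; then
            echo "blacklisted modules currently loaded: $risky"
        else
            echo "none of the blacklisted modules are loaded"
        fi
    fi
}

# Constructed lsmod output for the example (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
ipv6                  235396  12
rfcomm                 34920  0
bluetooth              46628  2 rfcomm
ext3                  123456  1
ppp_generic            28432  0'

# Demonstrate on the sample; set AUDIT_HOST=1 to check the real host.
echo "sample lsmod -> $(loaded_risky_modules "$SAMPLE_LSMOD")"
if [ "${AUDIT_HOST:-0}" = 1 ]; then
    audit_host
fi
```

Run as `AUDIT_HOST=1 sh audit-2692.sh` on the host; on Dapper, `print_modprobe_conf > /etc/modprobe.d/mitigate-2692.conf` reproduces the fragment above, after which the loaded modules still have to be removed with rmmod as shown.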

Kees Cook (kees) wrote :

Ubuntu 8.04 and later have a default setting of 65536 in /proc/sys/vm/mmap_min_addr. When set, this issue is blocked. If your value is 0, please purge the "wine" and "dosemu" packages, and reset the value:

  sudo apt-get purge wine dosemu
  echo 65536 | sudo tee /proc/sys/vm/mmap_min_addr

On Ubuntu 6.06, we recommend the work-around detailed above. Kernels are being built shortly to address the issue directly.

description: updated
visibility: private → public
Changed in linux-source-2.6.15 (Ubuntu Dapper):
status: New → Triaged
Changed in linux-source-2.6.15 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-source-2.6.15 (Ubuntu Jaunty):
status: New → Invalid
Changed in linux-source-2.6.15 (Ubuntu Karmic):
status: New → Invalid
Changed in linux-source-2.6.15 (Ubuntu Intrepid):
status: New → Invalid
Changed in linux (Ubuntu Dapper):
importance: Undecided → Medium
Changed in linux (Ubuntu Hardy):
importance: Undecided → Medium
Changed in linux (Ubuntu Karmic):
importance: Undecided → Medium
Changed in linux-source-2.6.15 (Ubuntu Intrepid):
importance: Undecided → Medium
Changed in linux-source-2.6.15 (Ubuntu Dapper):
importance: Undecided → Medium
Changed in linux-source-2.6.15 (Ubuntu Karmic):
importance: Undecided → Medium
Changed in linux-source-2.6.15 (Ubuntu Hardy):
importance: Undecided → Medium
Changed in linux (Ubuntu Hardy):
status: New → Triaged
Changed in linux-source-2.6.15 (Ubuntu Jaunty):
importance: Undecided → Medium
Kees Cook (kees) on 2009-08-14
Changed in linux (Ubuntu Karmic):
status: New → Triaged
Changed in linux (Ubuntu Jaunty):
status: New → Triaged
importance: Undecided → Medium
Changed in linux (Ubuntu Dapper):
status: New → Invalid
Changed in linux (Ubuntu Intrepid):
importance: Undecided → Medium
status: New → Triaged
Changed in linux-source-2.6.15 (Ubuntu Hardy):
importance: Medium → Undecided
Changed in linux-source-2.6.15 (Ubuntu Jaunty):
importance: Medium → Undecided
Changed in linux (Ubuntu Dapper):
importance: Medium → Undecided
Changed in linux-source-2.6.15 (Ubuntu Intrepid):
importance: Medium → Undecided
Kees Cook (kees) on 2009-08-14
Changed in linux-source-2.6.15 (Ubuntu Karmic):
importance: Medium → Undecided
Changed in linux (Fedora):
status: Unknown → Confirmed
Kees Cook (kees) on 2009-08-14
description: updated
Kees Cook (kees) on 2009-08-14
description: updated
description: updated
Kees Cook (kees) on 2009-08-14
description: updated
Mike Green (mikey-badpenguins) wrote :

Not sure about 8.04 and above with mmap_min_addr set > 0 if SELinux is implemented, according to the Mitigation section of the following post:

http://seclists.org/fulldisclosure/2009/Aug/0173.html

Kees Cook (kees) wrote :

SELinux is not a default on Ubuntu, but if it is enabled, the work-arounds above could be used instead.

description: updated
Mike Green (mikey-badpenguins) wrote :

From my admittedly limited understanding mmap_min_addr can be gotten around with suid executables, pulseaudio is used in the published exploits. If this is the case, wouldn't 8.04 and above, unpatched, be exploitable via suid executables, even with the mmap_min_addr set above 0?

http://lwn.net/Articles/342330/

Kees Cook (kees) wrote :

That issue was fixed in the last kernel update (USN-807-1) as CVE-2009-1895.

Julian Kranz (juliankranz) wrote :

Why THE HELL is this bug "Medium"? Every idiot is able to get root privileges within a minute on every Ubuntu system worldwide and you think this is just a "medium" problem?

And why is this hole still gaping wide open, even more than 48 hours after Debian released a fix for the bug?

Kees Cook (kees) wrote :

Hi, it's medium because it's local-only, and is not, as you say, an issue for all Ubuntu systems -- only those with a non-default /proc/sys/vm/mmap_min_addr setting. Additionally, there are work-arounds available while the fix is being worked on. Debian was more vulnerable, so they acted more quickly. The Ubuntu kernels are currently building, and we expect them to publish after they pass QA today.

Julian Kranz (juliankranz) wrote :

Your statement is false; I've just successfully used the famous exploit ( http://grsecurity.net/~spender/wunderbar_emporium.tgz ) to gain root privileges on a freshly booted Ubuntu 9.04 x86 Live CD.

Julian Kranz (juliankranz) wrote :

I must apologise: After a little more research I found out that this might actually be connected to some older bug, that is already fixed. I didn't know that this exploit tries out more than one way to break the security ;-)

But even given that I don't really change my opinion - I do not have a very special configuration; I think installing wine already sets /proc/sys/vm/mmap_min_addr to zero. So this will actually affect the uttermost part of the Ubuntu installations and is also caused by an application inside the repository, which is therefore a part of Ubuntu.

Kees Cook (kees) wrote :

Correct, the Live CD does not contain an updated kernel for the personality-via-pulse exploit (CVE-2009-1895), fixed in USN-807-1, which allowed mmap_min_addr to be bypassed. Ubuntu systems with Wine installed are most likely to be single-user systems, which helps reduce the number of people in real danger from this vulnerability.

This current bug is certainly important, which is why it's not being ignored. Kernels take a while to build for all releases on all architectures, and will be completed later today.

Kees Cook (kees) wrote :
Changed in linux (Ubuntu Hardy):
status: Triaged → Fix Released
Changed in linux (Ubuntu Intrepid):
status: Triaged → Fix Released
Changed in linux (Ubuntu Jaunty):
status: Triaged → Fix Released
Changed in linux-source-2.6.15 (Ubuntu Dapper):
status: Triaged → Fix Released
Kees Cook (kees) on 2009-08-19
Changed in linux (Ubuntu Karmic):
status: Triaged → Fix Released
Bremm (bremm) wrote :

Hi everyone,

I noticed before the kernel update (15.49) that the sctp and libcrc32 modules were loaded (2.6.28-15-generic) and AFAIK SCTP is still experimental. Well, since config.gz isn't available under /proc, could I use /usr/src/linux-headers-2.6.28-15-generic/.config as a reference?

Thanks in advance

(Sidenote: I've just lost my previous text -- it was much better but a bit longer -- because Launchpad logged me off before I submitted this posting.)

Kees Cook (kees) wrote :

You need to reboot for the kernel to be reloaded. As for config, see /boot/config-$(uname -r)
