From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 26 Dec 2005 18:47:04 +0200
Subject: [UNIX] Linux procfs Information Disclosure
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20051227121413.EB19957D7@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux procfs Information Disclosure
------------------------------------------------------------------------
SUMMARY
"The process file system, or procfs, implements a view of the system
process table inside the file system. It is normally mounted on /proc,
and is required for the complete operation of programs such as ps(1) and
w(1)."
The Linus kernel procfs code does not validate its user provided
variables, allowing local attackers to retrieve sensitive information from
memory such as the root's password.
DETAILS
Vulnerable Systems:
* Linux version 2.6.14.4 and prior
The /proc file system (procfs) is a special file system in the Linux
kernel. It's a virtual file system: it is not associated with a block
device but exists only in memory. The files in the procfs are there to
allow users' programs access to certain information from the kernel (like
process information in /proc/[0-9]+/), but also for debug purposes (like
/proc/ksyms).
The function proc_calc_metrics does not properly validate variables,
allowing attackers enter restricted memory and obtaining information that
could not be gathered otherwise.
Vulnerable Code:
fs/proc/proc_misc.c:
static int proc_calc_metrics(char *page, char **start, off_t off,
int count, int *eof, int len)
{
if (len <= off+count) *eof = 1;
*start = page + off;
len -= off;
if (len>count) len = count;
if (len<0) len = 0;
return len;
}
In the above code we can see that the values of 'off' and 'count' are not
checked to see if they contain negative number.
An attacker can place a negative number, pointing the 'start' variable to
a memory that may contain sensitive information.
ADDITIONAL INFORMATION
The information has been provided by <mailto:karl@utopiafoundation.org.>
Karl Janmar.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
