From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 13 Jul 2006 19:57:23 +0200
Subject: [UNIX] Linux Kernel 2.6.x PRCTL Core Dump Handling
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060716065321.A406F5A3D@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux Kernel 2.6.x PRCTL Core Dump Handling
------------------------------------------------------------------------
SUMMARY
Improper handling of Core Dump allows attackers to gain local root
privileges in Linux, allowing attackers to execute arbitrary programs as
root.
DETAILS
Vulnerable Systems:
* Linux Kernel 2.6.17.4 and prior
* Linux Kernel 2.6.16.24 and prior
The prctl() function allows to set the value 2 for PR_SET_DUMPABLE by
unprivileged processes. In case of a segmentation fault the core dump will
then be owned by the user root.
This could lead to a denial of service (disk consumption) or allow a local
user to gain root privileges.
The suid_dumpable support and prctl(PR_SET_DUMPABLE, 2) have been added
with the 2.6.13 kernel and Red Hat Enterprise Linux 4 contains a back port
of it.
Vendor Status:
The vendor has issued a fix:
<http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=0af184bb9f80edfbb94de46cb52e9592e5a547b0> http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=0af184bb9f80edfbb94de46cb52e9592e5a547b0
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2451>;
CVE-2006-2451
ADDITIONAL INFORMATION
The information has been provided by Red Hat.
The original article can be found at:
<http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195902>;
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195902
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
