Linux kernel Capability LSM module: local privilege escalation through stale process credentials (Linux, defect)

Affected procedures: Linux kernel

Program description: Linux kernel is the open source kernel of the Linux operating system.

Details: Linux kernel Capability LSM module local privilege escalation through stale process credentials. The Linux kernel has a flaw in the way the Capability security module is brought into service, and a local attacker can use it to gain root-equivalent privileges.

When privileged operations are arbitrated by the Capability LSM module, the kernel decides each privileged operation on the basis of the credentials of the calling process (its capability sets). When the Capability module is not compiled into the kernel, privileged operations are instead arbitrated by the default security module (security/dummy.c). That mechanism is very simple: it only checks whether the process EUID (or, for file-system related privileges, the FSUID) is 0. In this configuration the dummy module pays no attention to the capability sets of the process, yet those sets are still maintained and copied from parent to child on every fork. Tracing this back to its origin, whether a process is a superuser process or not, its capability sets are copied unchanged from the init process, and the capability sets of init contain the full power of a superuser process.

This is harmless as long as privilege is judged by user ID. Once the Capability module is inserted, however, privilege checks switch over to the process capability sets, and every process that already existed at that moment still carries capability sets identical to those of init. All of those processes therefore hold the privileges of the superuser root. The essence of the defect is that the credentials of already-running processes are not recalculated when the Capability module is loaded, as the Capability mechanism requires. Tests show that this defect occurs in the 2.6.* Linux kernel.

Source: liangbin (liangbin@venustech.com.cn)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110384535113035&w=2

Affected systems:
  Linux kernel 2.6.9
  Linux kernel 2.6.8
  Linux kernel 2.6.7
  Linux kernel 2.6.6
  Linux kernel 2.6.5
  Linux kernel 2.6.4
  Linux kernel 2.6.3
  Linux kernel 2.6.2
  Linux kernel 2.6.1
  Linux kernel 2.6

Attack method: The following procedure may be harmful and is provided only for security research and teaching. Use it at your own risk.

The kernel must have been built without the Capability module compiled in (if it is compiled in, disable it and recompile the kernel first). Before loading the Capability module, start a vim editor as an ordinary user and enter the command

  :r /etc/shadow

vim responds with "can't open file /etc/shadow": access to this root-owned file is refused. Do not exit vim. Switch to another console, log in as root and insert the Capability module:

  # modprobe capability

After the module has loaded, return to vim and try to open the shadow file again. As an ordinary user you can now read the shadow file, and write it back with :w! as well. The root cause is that the credentials of the vim process include CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, so it can perform privileged operations that bypass the discretionary access control policy.
Use the following command to view the credentials of the vim process (2454 is the PID of the vim process):

  $ cat /proc/2454/status
  Name:   vim
  State:  S (sleeping)
  SleepAVG:       91%
  Tgid:   2454
  Pid:    2454
  PPid:   1552
  TracerPid:      0
  Uid:    500     500     500     500
  FDSize: 256
  Groups: 500
  VmSize:     9356 kB
  VmLck:         0 kB
  VmRSS:      2728 kB
  VmData:      856 kB
  VmStk:        16 kB
  VmExe:      1676 kB
  VmLib:      3256 kB
  Threads:        1
  SigPnd: 0000000000000000
  ShdPnd: 0000000000000000
  SigBlk: 0000000000000000
  SigIgn: 8000000000003000
  SigCgt: 00000000ef824eff
  CapInh: 0000000000000000
  CapPrm: 00000000ffffffff
  CapEff: 00000000fffffeff

The last three lines are the capability sets of vim. Although the process runs as uid 500, its effective set 0xfffffeff has every capability bit set except bit 8, CAP_SETPCAP; in particular bit 1 (CAP_DAC_OVERRIDE) and bit 2 (CAP_DAC_READ_SEARCH) are present. The above test was carried out on 2.6.* and on 2.5.72-lsm1.
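The check a practitioner would want after reading the status dump above is a quick way to decode the CapPrm/CapEff hex words and flag processes whose capability sets do not match their uid. The following C program is an added example written for this page; it is not code from the advisory or from the Linux kernel. It parses the /proc/<pid>/status text format shown above (the capability bit numbers are those of linux/capability.h in 2.6-era kernels, bits 0 to 28), reports which capabilities a mask contains, and returns a warning when a non-root process holds CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH, which is the state the vim process is left in after `modprobe capability`. The embedded status text is a constructed sample modelled on the dump in the advisory, not a capture from a live system.

```c
/* cap_audit.c - decode CapPrm/CapEff from /proc/<pid>/status and flag
 * non-root processes that hold file-system override capabilities.
 * Added example for this page; not part of the advisory or the kernel. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define NCAPS 29   /* capabilities defined in 2.6-era linux/capability.h */

static const char *cap_names[NCAPS] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE"
};

/* Constructed sample modelled on the advisory's status dump (uid 500,
 * CapPrm ffffffff, CapEff fffffeff). Not captured from a live system. */
static const char SAMPLE_VIM_STATUS[] =
    "Name:\tvim\n"
    "State:\tS (sleeping)\n"
    "Pid:\t2454\n"
    "PPid:\t1552\n"
    "Uid:\t500\t500\t500\t500\n"
    "Gid:\t500\t500\t500\t500\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000ffffffff\n"
    "CapEff:\t00000000fffffeff\n";

/* Locate "Key:" at the start of a line and return the text after the colon,
 * or NULL if the key is absent. */
static const char *status_field(const char *status, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = status; p && *p; p = strchr(p, '\n') ? strchr(p, '\n') + 1 : NULL)
        if (strncmp(p, key, klen) == 0 && p[klen] == ':')
            return p + klen + 1;
    return NULL;
}

/* Parse a hexadecimal field such as CapEff. *found (if non-NULL) is set to
 * 1 when the key exists, 0 otherwise; a missing key yields 0. */
static uint64_t status_hex(const char *status, const char *key, int *found)
{
    const char *v = status_field(status, key);
    if (found) *found = v != NULL;
    return v ? strtoull(v, NULL, 16) : 0;
}

/* First value of a decimal field, e.g. the real uid from "Uid:". */
static long status_dec(const char *status, const char *key, int *found)
{
    const char *v = status_field(status, key);
    if (found) *found = v != NULL;
    return v ? strtol(v, NULL, 10) : 0;
}

static int cap_is_set(uint64_t mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL) != 0;
}

/* Number of defined capabilities (bits 0..28) present in mask. */
static int cap_count(uint64_t mask)
{
    int n = 0;
    for (int i = 0; i < NCAPS; i++) n += cap_is_set(mask, i);
    return n;
}

/* 1 if the process runs with a non-zero real uid yet holds CAP_DAC_OVERRIDE
 * (bit 1) or CAP_DAC_READ_SEARCH (bit 2) in its effective set, 0 if the
 * capability set is consistent with the uid, -1 if fields are missing. */
static int unprivileged_with_dac_caps(const char *status)
{
    int have_uid, have_eff;
    long uid = status_dec(status, "Uid", &have_uid);
    uint64_t eff = status_hex(status, "CapEff", &have_eff);
    if (!have_uid || !have_eff) return -1;
    if (uid == 0) return 0;
    return cap_is_set(eff, 1) || cap_is_set(eff, 2);
}

static void print_caps(const char *label, uint64_t mask)
{
    printf("%s = %016llx (%d capabilities)\n", label,
           (unsigned long long)mask, cap_count(mask));
    for (int i = 0; i < NCAPS; i++)
        if (cap_is_set(mask, i)) printf("  %2d %s\n", i, cap_names[i]);
}

int main(int argc, char **argv)
{
    static char buf[8192];
    const char *status = SAMPLE_VIM_STATUS;
    if (argc > 1) {   /* audit a live process: ./cap_audit <pid> */
        char path[64];
        snprintf(path, sizeof path, "/proc/%s/status", argv[1]);
        FILE *f = fopen(path, "r");
        if (!f) { perror(path); return 1; }
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        status = buf;
    }
    print_caps("CapPrm", status_hex(status, "CapPrm", NULL));
    print_caps("CapEff", status_hex(status, "CapEff", NULL));
    int r = unprivileged_with_dac_caps(status);
    puts(r > 0 ? "WARNING: non-root process holds DAC override capabilities"
         : r == 0 ? "OK: capability set is consistent with uid" : "parse error");
    return r > 0 ? 2 : 0;
}
```

Run without arguments to decode the constructed sample, or as `./cap_audit <pid>` to inspect a live process. On a vulnerable kernel, running it against every PID in /proc after `modprobe capability` lists exactly the pre-existing processes that inherited init's full capability sets.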