The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[UNIX] Linux Kernel 2.6.x PRCTL Core Dump Handling


<< Previous INDEX Search src / Print Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 13 Jul 2006 19:57:23 +0200
Subject: [UNIX] Linux Kernel 2.6.x PRCTL Core Dump Handling
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060716065321.A406F5A3D@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Linux Kernel 2.6.x PRCTL Core Dump Handling
------------------------------------------------------------------------


SUMMARY

Improper handling of Core Dump allows attackers to gain local root 
privileges in Linux, allowing attackers to execute arbitrary programs as 
root.

DETAILS

Vulnerable Systems:
 * Linux Kernel 2.6.17.4 and prior
 * Linux Kernel 2.6.16.24 and prior

The prctl() function allows to set the value 2 for PR_SET_DUMPABLE by 
unprivileged processes. In case of a segmentation fault the core dump will 
then be owned by the user root.
This could lead to a denial of service (disk consumption) or allow a local 
user to gain root privileges.
The suid_dumpable support and prctl(PR_SET_DUMPABLE, 2) have been added 
with the 2.6.13 kernel and Red Hat Enterprise Linux 4 contains a back port 
of it.

Vendor Status:
The vendor has issued a fix:  
<http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=0af184bb9f80edfbb94de46cb52e9592e5a547b0> http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=0af184bb9f80edfbb94de46cb52e9592e5a547b0

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2451>; 
CVE-2006-2451


ADDITIONAL INFORMATION

The information has been provided by Red Hat.
The original article can be found at:  
<http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195902>; 
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195902




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру