Vulnerability title: Kernel Memory Leak And Denial Of Service Condition In IBM AIX
Affected version: 5.3, 6.1 and 7.1 releases
Reported by: Tim Brown
It has been identified that the ptrace() system call can be manipulated by an unprivileged user into leaking uninitialised kernel memory and that the method by which this is achieved may also lead to a denial of service condition. This can be achieved by manipulating the parameters that are passed to the ptrace() system call when performing the PT_LDINFO operation.
By calling ptrace(PT_LDINFO, childpid, leakbuffer, maximumleak, NULL) with a value of maximumleak that is greater than that required for the expected result of the PT_LDINFO operation, the AIX kernel will xmalloc() this space (without initialising it), populate it and then perform a copy operation that returns the result within leakbuffer.
This can be exploited like so:
$ id
uid=208(tmb) gid=1(staff)
$ while :; do ./tmb-vs-PT_LDINFO 1024 $$ > tmb-vs-PT_LDINFO.out; if [ -n "`grep root tmb-vs-PT_LDINFO.out`" ]; then cat tmb-vs-PT_LDINFO.out; fi; done
...LOGNAME=root...USER=root...PWD=/...
Whilst ptrace() has checks for the various operations that can be performed, in the case of the PT_LDINFO operation the check is equivalent to (signed) maximumleak < (signed) MAXLDINFO. By passing in a maximumleak of -1 we bypass this check and cause the AIX kernel to attempt xmalloc(-1), which, as a very large number, causes the kernel to panic and the system to crash.
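The two defects described above, the signed length check and the uninitialised allocation, modelled side by side with their corrected forms. This is an added user-space illustration, not the Portcullis proof of concept and not IBM's kernel code; the MAXLDINFO value, the STALE_BYTE marker and the function names are assumptions for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAXLDINFO  4096   /* assumed placeholder, not the real AIX constant */
#define STALE_BYTE 0xAA   /* stands in for leftover data in reused memory */

/* Vulnerable shape: a signed comparison only, as the advisory describes.
 * A maximumleak of -1 compares below MAXLDINFO and is accepted, and the
 * allocator is then asked for (size_t)-1 bytes. */
bool vulnerable_length_check(long maximumleak)
{
    return maximumleak < (long)MAXLDINFO;
}

/* Hardened shape: negative and oversized lengths are rejected outright,
 * so the size handed to the allocator is always bounded. */
bool hardened_length_check(long maximumleak)
{
    return maximumleak >= 0 && (size_t)maximumleak <= MAXLDINFO;
}

/* Model of the copy-out. A buffer of 'requested' bytes is allocated, the
 * first 'produced' bytes are filled with the real result ('R') and the
 * rest keeps whatever was in the memory before (simulated by STALE_BYTE)
 * unless zero_first initialises the buffer. Returns the number of stale
 * bytes that would reach the caller; 0 means nothing leaks. */
size_t copy_out(size_t requested, size_t produced, bool zero_first)
{
    unsigned char *buf = malloc(requested);
    if (buf == NULL)
        return 0;
    memset(buf, STALE_BYTE, requested);            /* "previous contents" */
    if (zero_first)
        memset(buf, 0, requested);                 /* fixed: initialise */
    memset(buf, 'R', produced < requested ? produced : requested);
    size_t stale = 0;
    for (size_t i = 0; i < requested; i++)
        if (buf[i] == STALE_BYTE)
            stale++;
    free(buf);
    return stale;
}
```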
It should also be noted that this vulnerability can be triggered from within a WPAR, where it can be utilised to leak uninitialised kernel memory that may previously have been utilised by another WPAR or even the global environment.
This vulnerability may allow an attacker to leak privileged information from uninitialised portions of kernel memory.
The proof of concept exploit is available.
15/04/2014: Vendor working on a fix
Copyright © Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.