Local-Privilege Escalation Flaw in Linux Kernel Allows Root Access

Researchers said the vulnerability “is very easy to exploit.”

A local-privilege escalation vulnerability in the Linux kernel affects all current versions of Red Hat Enterprise Linux and CentOS, even in their default/minimal installations. It would allow an attacker to obtain full administrator privileges over the targeted system, and from there potentially pivot to other areas of the network.

It also affects the Debian “oldstable” version, according to researchers from Qualys, who uncovered the issue.

“This vulnerability is very easy to exploit on any affected 64-bit system that has 32GB of memory or more,” the firm told Threatpost. “An attacker who has local access to a system (either through username/password guessing, or any form of remote code/command execution) but no special privileges on that system, can exploit this [flaw].”

The researchers added that “local access” in this context “only means non-privileged access to a shell, such as a non-root user or a service account, which could be accessed remotely.”

Qualys said in a technical analysis that the issue arises from an integer overflow in the Linux kernel’s create_elf_tables() function, exploitable via a SUID-root binary.

SUID is a way in UNIX-like and Linux operating systems of running a command as another user without providing credentials. As Pen Test Partners explained, “When an executable file is run, the kernel checks its file permissions and, if it sees a bit (known as the SUID bit) on the file, it sets the effective user id of the resultant process to the owner of the file…A good example of why you’d want to do this, is the passwd command, which needs to do things that the user who is changing password can’t directly do themselves.”

Since it offers credential-less command execution, it’s a ripe vector for exploitation.

In the Tuesday analysis, Qualys explained: “We can increase the userland stack pointer instead of decreasing it (at lines 288 and 295 — the stack normally grows down on x86_64), redirect the userland stack to the middle of our argument and environment strings (which were copied to the top of the stack in fs/exec.c), and hence overwrite these strings during the userland execution of a SUID-root binary.”

The attacker can gain full root access to the exploited system, compromising the entirety of the system and data on the system. However, the danger doesn’t stop there.

“This type of vulnerability is often used in conjunction with other kinds of attacks,” Qualys told Threatpost. “If an attacker has an existing foothold on a system, but is unable to escalate to root/administrator, they may utilize a vulnerability like this to fully compromise the system. It is important to understand that multiple lower-severity vulnerabilities are often used together to create a very functional attack.”

On a further technical note, Linux distributions that have backported commit da029c11e6b1 to their long-term-supported kernels are safe.

“Only kernels with commit b6a2fea39318 (‘mm: variable length argument support’, from July 19, 2007) but without commit da029c11e6b1 (‘exec: Limit arg stack to at most 75% of _STK_LIM’, from July 7, 2017) are exploitable,” researchers said.

Qualys’ primary advice is to upgrade the kernel to a patched version, if available; users also can leverage the “SystemTap” script provided by Red Hat. Another option is to lower the “RLIMIT_STACK” resource limit for all users and system users, the researchers told us.

“This [flaw is an example of why] proper vulnerability and patch management is crucial, and should not be limited only to remediation of ‘critical’ vulnerabilities,” they noted.

 

Suggested articles