16 May 2013

Bug in Linux Kernel can Elevate Users from Untrusted to Root in No Time

A flaw in the Linux kernel that can escalate users’ privileges to root has been discovered in the wild. The bug - a zero-day since January 2011 - affects Linux kernel versions 2.6.37 through 3.8.8 compiled with the CONFIG_PERF_EVENTS kernel configuration option.

The flaw resides in the performance counters subsystem and can be used to, for example, elevate user privileges in shared hosting environments, among others. This could allow a rogue customer to elevate his privileges and seize control of other users’ files, or even perform changes to the server itself to subvert it.

To successfully root the server, an attacker needs to be able to download and execute the code on the target system, which would result in out-of-bounds access of the perf_swevent_enabled array in sw_perf_event_destroy(). The fix for the issue was introduced in mid-April, but its deployment requires kernel recompilation, which would result in unwanted downtime, so most webhosting providers have not deployed it.

"Because there's a public exploit already available, an attacker would simply need to download and run this exploit on a target machine," said senior security researcher Dan Rosenberg of Azimuth Security in an interview for Ars Technica. "The exploit may not work out-of-the-box on every affected machine, in which case it would require some fairly straightforward tweaks (for someone with exploit development experience) to work properly."