J-Security Center

Title: PaX VMA Mirroring Privilege Escalation Vulnerability

Severity: CRITICAL

Description:

PaX is an anti-intrusion kernel level patch for Linux based operating systems. It provides functionality to help prevent arbitrary code execution that may result from memory corruption vulnerabilities.

It is reported that PaX contains a privilege escalation vulnerability.

Details regarding this vulnerability in the 2.2 and 2.4 kernel trees are available. It should be noted that this vulnerability might be drastically different in the 2.6 kernel tree.

It is reported that the vulnerability exists in the PaX VMA mirroring code. Specifically, when VMA mirroring is enabled, 'free_pgtables()' is called in a loop, once for each entry in the mirrored VMA list. It is reported that 'free_pgtables()' accepts a virtual address region as an argument and checks that region for 'vm_area_struct' structures by walking the 'mm->mmap' list. However, it is reported that 'free_pgtables()' checks only the 'mm->mmap' list for overlapping VMAs and ignores VMAs that exist on the mirrored list.

This is a problem because, if two mirrored VMAs exist in the same 4MB virtual address page, only the first VMA will have its entries freed while the second VMA remains intact in the freed page table. This issue may be exploited to leak data; other attacks may also be possible.

Additionally, it is reported that the impact of this issue is magnified because page table pages that are not properly zeroed, and that are potentially attacker-controlled, are entered into a kernel 'quick-list' of available page table pages. When such a non-zeroed, attacker-controlled page table page is allocated by another task, the data it contains, i.e. malicious virtual and physical address mappings, is introduced into that task. This may ultimately lead to the introduction of malicious code into an arbitrary task and the execution of that code within the security context of the task.
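The two paragraphs above describe a page-table page being released while a second VMA on the mirror list still uses it, and the released page then reaching a quick-list with its contents intact. The following C program is an added, deliberately simplified model of that logic written for this page; it is not PaX or Linux kernel code. It assumes the 2.4-era two-level i386 layout in which one page-table page covers a 4MB slot, names the mirror list 'mm->mirror' and the recycling structure 'quicklist' (both hypothetical), and keeps every constructed VMA inside a single slot. The 'check_mirrors' flag is the missing overlap check; 'zero_on_free' models a quick-list that recycles only cleared pages, so the two effects can be separated.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed, simplified model of the failure mode the advisory describes;
 * added illustration, not PaX or Linux kernel code. One page-table page
 * covers a 4 MB slot, as in the two-level i386 layout of 2.4 kernels. */
#define PGD_SHIFT 22
#define PAGE_SHIFT 12
#define PGD_SLOTS 1024
#define MAX_VMAS 8
#define SLOT(addr) ((addr) >> PGD_SHIFT)

struct vma { unsigned long start, end; };             /* [start, end), one slot */
struct pt_page { bool present; unsigned live_ptes; }; /* populated PTEs */
struct mm {
    struct vma mmap[MAX_VMAS];   int n_mmap;   /* ordinary VMA list */
    struct vma mirror[MAX_VMAS]; int n_mirror; /* hypothetical PaX mirror list */
    struct pt_page pgd[PGD_SLOTS];
};
/* hypothetical quick-list of freed page-table pages reused by later allocations */
struct quicklist { struct pt_page pages[MAX_VMAS]; int n; };

static bool touches_slot(const struct vma *l, int n, unsigned long slot)
{
    for (int i = 0; i < n; i++)
        if (SLOT(l[i].start) <= slot && SLOT(l[i].end - 1) >= slot) return true;
    return false;
}

/* map into a list: the slot's page-table page gains one PTE per page */
static void map_vma(struct mm *mm, struct vma *list, int *n,
                    unsigned long start, unsigned long end)
{
    list[(*n)++] = (struct vma){ start, end };
    mm->pgd[SLOT(start)].present = true;
    mm->pgd[SLOT(start)].live_ptes += (unsigned)((end - start) >> PAGE_SHIFT);
}

/* Model of free_pgtables() over [start, end): release a page-table page when
 * no remaining VMA uses its slot. check_mirrors is the missing check (consult
 * the mirror list too); zero_on_free models a quick-list that recycles only
 * cleared pages. Returns the number of pages released. */
static int free_pgtables(struct mm *mm, struct quicklist *ql, unsigned long start,
                         unsigned long end, bool check_mirrors, bool zero_on_free)
{
    int freed = 0;
    for (unsigned long s = SLOT(start); s <= SLOT(end - 1); s++) {
        if (!mm->pgd[s].present || touches_slot(mm->mmap, mm->n_mmap, s)) continue;
        if (check_mirrors && touches_slot(mm->mirror, mm->n_mirror, s)) continue;
        struct pt_page pg = mm->pgd[s];       /* carries whatever PTEs are left */
        mm->pgd[s] = (struct pt_page){ false, 0 };
        if (zero_on_free) pg.live_ptes = 0;
        if (ql->n < MAX_VMAS) ql->pages[ql->n++] = pg;
        freed++;
    }
    return freed;
}

/* unmap list[idx]: zap its own PTEs, drop it from the list, free page tables */
static void unmap_vma(struct mm *mm, struct quicklist *ql, struct vma *list, int *n,
                      int idx, bool check_mirrors, bool zero_on_free)
{
    struct vma v = list[idx];
    mm->pgd[SLOT(v.start)].live_ptes -= (unsigned)((v.end - v.start) >> PAGE_SHIFT);
    memmove(&list[idx], &list[idx + 1], (size_t)(*n - idx - 1) * sizeof *list);
    (*n)--;
    free_pgtables(mm, ql, v.start, v.end, check_mirrors, zero_on_free);
}

/* slots a live VMA still maps although their page-table page was released */
static int dangling_slots(const struct mm *mm)
{
    int bad = 0;
    for (unsigned long s = 0; s < PGD_SLOTS; s++)
        if (!mm->pgd[s].present && (touches_slot(mm->mmap, mm->n_mmap, s) ||
                                    touches_slot(mm->mirror, mm->n_mirror, s)))
            bad++;
    return bad;
}

/* Advisory scenario: two mirrored VMAs in one 4 MB slot, first one unmapped.
 * Returns dangling slots; *stale receives PTEs left on the quick-list, i.e.
 * mappings the next task to get that page would inherit. Addresses constructed. */
int run_scenario(bool check_mirrors, bool zero_on_free, unsigned *stale)
{
    struct mm mm = { 0 };
    struct quicklist ql = { 0 };
    map_vma(&mm, mm.mirror, &mm.n_mirror, 0x10000000UL, 0x10001000UL);
    map_vma(&mm, mm.mirror, &mm.n_mirror, 0x10002000UL, 0x10003000UL);
    unmap_vma(&mm, &ql, mm.mirror, &mm.n_mirror, 0, check_mirrors, zero_on_free);
    *stale = 0;
    for (int i = 0; i < ql.n; i++) *stale += ql.pages[i].live_ptes;
    return dangling_slots(&mm);
}

unsigned scenario_stale_ptes(bool check_mirrors, bool zero_on_free)
{ unsigned s; run_scenario(check_mirrors, zero_on_free, &s); return s; }
```

Running the scenario with both flags false reproduces the advisory's description: the slot is released although the second mirrored VMA still maps it (one dangling slot), and the quick-list holds a page with one live PTE for another task to inherit. With 'check_mirrors' set the page is never released. Zeroing pages before they reach the quick-list, on its own, removes the inherited mappings but leaves the second VMA without its page table, which is why the overlap check, not zeroing alone, is the fix the description implies.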

This issue is only exploitable if SEGMEXEC or RANDEXEC are enabled in the kernel configuration.

Local unprivileged users may exploit this vulnerability to execute arbitrary code with the privileges of any targeted user. It is also conjectured that remote attackers may be able to exploit this vulnerability, but exploitability depends on the attacker's ability to control the executable file mappings of a targeted application.

This vulnerability is reported to affect all versions of PaX since September 2003, when VMA mirroring was introduced.

Affected Products:

  • The PaX Team PaX 0.0.0linux 2.2.x
  • The PaX Team PaX 0.0.0linux 2.4.20
  • The PaX Team PaX 0.0.0linux 2.4.21
  • The PaX Team PaX 0.0.0linux 2.4.22
  • The PaX Team PaX 0.0.0linux 2.4.23
  • The PaX Team PaX 0.0.0linux 2.4.24
  • The PaX Team PaX 0.0.0linux 2.4.25
  • The PaX Team PaX 0.0.0linux 2.4.26
  • The PaX Team PaX 0.0.0linux 2.4.27
  • The PaX Team PaX 0.0.0linux 2.4.28
  • The PaX Team PaX 0.0.0linux 2.6.5
