J-Security Center

Title: Linux ptrace/execve Race Condition Vulnerability

Severity: MODERATE

Description:

The Linux kernel is the core of every distribution of the Linux operating system. It was originally written by Linus Torvalds and is maintained by a community of developers.

A flaw in the kernel makes it possible for local users to gain elevated privileges. Successful exploitation of this vulnerability leads to a root compromise.

The problem lies in the kernel's handling of ptrace and execve. Under normal circumstances, a program running with ordinary user privileges can call the execve() system call to execute another program, which overlays the calling process and replaces its text, data, heap, and stack.

Under normal circumstances, a traced process that executes another program is sent SIGTRAP (signal 5), a signal not defined by POSIX.1. The SIGTRAP stops process tracing, and the program launched by the execve() system call then executes.

Because of the flaw, it is possible to trace a process after the execve() call has run, which allows a user executing a setuid program to monitor the actions of the setuid process and alter its functions during execution. The problem could also be used to race the process to specific functions, allowing a change in the program's control flow or the execution of arbitrary code loaded in heap memory.
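To make the normal ptrace/execve sequence described above concrete, the following C program is an added example that is not part of this Juniper advisory: a tracer parent forks a child that requests tracing and then calls execve(); the parent observes the SIGTRAP stop that follows the successful exec, then resumes the new program image and confirms it ran to exit. It assumes a Linux system with /bin/true available.

```c
/* Added example: observing a traced child across execve().
 * Assumes Linux and that /bin/true exists (used as the exec target). */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `path` as a traced child and report what the tracer sees.
 * Returns 0 when the sequence matches the normal behaviour the advisory
 * describes (SIGTRAP stop after execve, then the new image runs to exit);
 * returns a negative value otherwise (negated errno or child exit code). */
int trace_across_execve(const char *path)
{
    pid_t child = fork();
    if (child < 0)
        return -errno;

    if (child == 0) {
        /* Child: ask to be traced, then overlay ourselves with `path`. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(126);
        char *const argv[] = { (char *)path, NULL };
        execv(path, argv);
        _exit(127);  /* only reached if exec failed */
    }

    /* Parent: a successful execve() stops the traced child with SIGTRAP. */
    int status;
    if (waitpid(child, &status, 0) == -1)
        return -errno;
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP)
        return WIFEXITED(status) ? -WEXITSTATUS(status) : -EINVAL;

    /* The new program image has not run yet; let it run to completion. */
    if (ptrace(PTRACE_CONT, child, NULL, NULL) == -1)
        return -errno;
    if (waitpid(child, &status, 0) == -1)
        return -errno;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -ECHILD;
}

int main(void)
{
    int rc = trace_across_execve("/bin/true");
    printf("trace_across_execve(/bin/true) -> %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```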

Affected Products:

  • Caldera OpenLinux 2.3.0
  • Caldera OpenLinux 2.4.0
  • Conectiva Linux 4.0.0
  • Conectiva Linux 4.0.0 es
  • Conectiva Linux 4.1.0
  • Conectiva Linux 4.2.0
  • Conectiva Linux 5.0.0
  • Conectiva Linux 5.1.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux ecommerce
  • Conectiva Linux graficas
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Linux kernel 2.2.10
  • Linux kernel 2.2.14
  • Linux kernel 2.2.15
  • Linux kernel 2.2.16
  • Linux kernel 2.2.17
  • Linux kernel 2.2.18
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Linux Mandrake 6.0.0
  • MandrakeSoft Linux Mandrake 6.1.0
  • MandrakeSoft Linux Mandrake 7.0.0
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • Openwall patches 2.2.18ow4
  • RedHat Linux 6.0.0
  • RedHat Linux 6.0.0 alpha
  • RedHat Linux 6.0.0 sparc
  • RedHat Linux 6.1.0 alpha
  • RedHat Linux 6.1.0 i386
  • RedHat Linux 6.1.0 sparc
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.0.0 sparc
  • S.u.S.E. Linux 6.0.0
  • S.u.S.E. Linux 6.1.0
  • S.u.S.E. Linux 6.1.0 alpha
  • S.u.S.E. Linux 6.3.0
  • S.u.S.E. Linux 6.3.0 alpha
  • S.u.S.E. Linux 6.3.0 ppc
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 6.4.0 alpha
  • S.u.S.E. Linux 6.4.0 ppc
  • S.u.S.E. Linux 7.0.0
  • SCO eDesktop 2.4.0
  • SCO eServer 2.3.1
  • Slackware Linux 4.0.0
  • Slackware Linux 7.0.0
  • Slackware Linux 7.1.0
  • Sun Cobalt Qube 3
  • Sun Cobalt RaQ 4
  • Sun Cobalt RaQ XTR
  • Trustix Secure Linux 1.1.0
  • Trustix Secure Linux 1.2.0
  • WireX Immunix OS 6.2.0
  • WireX Immunix OS 7.0.0
  • WireX Immunix OS 7.0.0-Beta

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.