xorl %eax, %eax

CVE-2010-4347: Linux kernel ACPI Incorrect File Permissions


This is a straightforward vulnerability recently reported by Dave Jones of Red Hat. The vulnerability is easy to spot: the following sysfs file is world-writable by default.

/sys/kernel/debug/acpi/custom_method

The handling code for this file resides in drivers/acpi/debugfs.c, and the file can be used to insert custom ACPI (Advanced Configuration and Power Interface) methods. It was designed for debugging purposes, as the official documentation at Documentation/acpi/method-customizing.txt explains.
Since unprivileged users can override kernel ACPI methods with custom ones, this vulnerability is very likely to be an exploitable privilege escalation. It was patched by simply correcting the file permissions from ‘S_IWUGO’ (writable by user/owner, the user’s group and other users, which basically means everyone) to ‘S_IWUSR’ (writable only by the user/owner).

 
-       cm_dentry = debugfs_create_file("custom_method", S_IWUGO,
+       cm_dentry = debugfs_create_file("custom_method", S_IWUSR,
                                        acpi_dir, NULL, &cm_fops);
        if (!cm_dentry)
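Review bot: S_IWUSR on the debugfs_create_file() line is now the only thing visible here that keeps non-owners from writing to custom_method, and nothing at the call says why. Suggest a short comment on that line stating that the mode must stay owner-only because writes to this file install ACPI methods. It is also worth confirming whether the write handler behind cm_fops does any privilege check of its own, so that the restriction does not rest on the file mode alone.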

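An audit check for the misconfiguration described above, added here as an example (it is not code from the original post or from the kernel): it walks a directory tree and reports entries that group or others can write, which is exactly what S_IWUGO grants and S_IWUSR does not. The names W_UGO, excess_write_bits and audit_tree are made up for this example, and the default path assumes debugfs is mounted at /sys/kernel/debug, as in the path shown earlier.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define W_UGO (S_IWUSR | S_IWGRP | S_IWOTH)   /* the kernel's S_IWUGO, 0222 */

/* Write bits granted beyond the owner-only S_IWUSR (0200) used by the fix. */
mode_t excess_write_bits(mode_t mode)
{
    return mode & W_UGO & ~S_IWUSR;
}

/* Count and print non-directory entries under path that group or others can
 * write. Symlinks are not followed. Returns -1 if path cannot be examined. */
int audit_tree(const char *path)
{
    struct stat sb;
    if (lstat(path, &sb) != 0)
        return -1;
    if (!S_ISDIR(sb.st_mode)) {
        mode_t extra = S_ISLNK(sb.st_mode) ? 0 : excess_write_bits(sb.st_mode);
        if (extra)
            printf("%04o %s%s%s\n", (unsigned)(sb.st_mode & 07777), path,
                   (extra & S_IWGRP) ? " [group-writable]" : "",
                   (extra & S_IWOTH) ? " [world-writable]" : "");
        return extra != 0;
    }
    DIR *d = opendir(path);
    int found = 0;
    for (struct dirent *e; d && (e = readdir(d)) != NULL; ) {
        char child[PATH_MAX];
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        int len = snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        int n = (len > 0 && len < (int)sizeof child) ? audit_tree(child) : 0;
        found += n > 0 ? n : 0;    /* entries that vanished mid-walk count as 0 */
    }
    if (d) closedir(d);
    return found;                  /* unreadable directories contribute 0 */
}

int main(int argc, char **argv)
{
    /* Assumed default: the usual debugfs mount point. Exit status is nonzero
     * on any finding or if the path cannot be examined. */
    return audit_tree(argc > 1 ? argv[1] : "/sys/kernel/debug") != 0;
}
```

Reading debugfs normally requires root, so run the check as root on the system being audited, or pass another directory as the first argument.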
Written by xorl

December 17, 2010 at 18:29

Posted in bugs, linux
