Local Root Exploit in Udev
The udev subsystem allows the Linux kernel, together with a userland program, to manage device nodes dynamically, adding and removing them at will. It has now been revealed that the communication channel between the kernel and program fails to authenticate, so that users can assume root privileges.
The udev subsystem and the udevd daemon communicate in userspace over the netlink interface. Sending KOBJECT_UEVENT messages unfortunately doesn't verify who sent them. The result is that normal users can assume read privileges for a random device. If the device has a major and minor number of the root block device, invasive code can be applied to alter the system. A root exploit could then be quite simple for an attacker.
The root exploit was discovered by Sebastian Krahmer of the SUSE Security Team, which had become apprised of the CVE-2009-1185 spoofing exposure. The udev “trickery" exploit also points to another vulnerability in the CVE-2009-1186 stack buffer overflow exposure. Unfortunately, MITRE has not released further details on these vulnerabilities. All larger Linux distros have openly declared to be affected by them, so the distros are now providing updated packages.
Issue 161/2014
Buy this issue as a PDF
Digital Issue: Price $9.99
(incl. VAT)
Tag Cloud
News
-
Munich Adopts Kolab
The Bavarian capital shuns Microsoft, Google, and other alternatives to implement an open-source groupware solution.
-
Canonical Announces Ubuntu Smartphones
Phone vendor partnerships bring Mark Shuttleworth's dream of Ubuntu on a phone a step closer to reality.
-
Piviti Seeks Funding
Donors will get to vote on new features for the free video editor.
-
Debian Tech Committee Votes for systemd
Debian project puts init out to pasture and says no to Ubuntu's Upstart.
-
The Mask: Scary New Face of Internet Intrusion
Ultra-sophisticated attack tool might have originated from a state-sponsored intelligence service.
-
Epoch 1.0 Released
New alternative for init comes with a small footprint and minimal configuration.
-
Wayland 1.4 Challenges X11
X marks the target for the next-generation windowing system.
-
Red Hat Adopts CentOS
Super-clone CentOS Linux gets beamed up to the mother ship.
-
W3C Promotes Media Source Extensions
HTML technology will enable new video editing and playback options.
-
Valve Announces SteamOS Beta
New Linux distro is optimzed for gaming.