Another Logic Bug Found in Linux Kernel
Qualys has discovered a vulnerability in the Linux kernel that can be used to elevate standard user privileges.
The kernel function __ptrace_may_access() has been found to contain a vulnerability that is exploitable via a race condition. The function determines whether one process is permitted to inspect another, basing that decision on credential checks, process ancestry, and the target's "dumpable" flag.
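To make those three inputs concrete, the following is an added user-space model of the ptrace access decision; it is not kernel code and not taken from the Qualys advisory. It replays the credential and dumpable checks that __ptrace_may_access() performs and models the ancestry rule as Yama's kernel.yama.ptrace_scope for attach requests. The process table, pids, ids and the capability bit are constructed values; the model covers only the check itself, not the race condition the advisory describes.

```c
/*
 * User-space model of the Linux ptrace access decision: the credential,
 * "dumpable" and ancestry (Yama ptrace_scope) checks that gate one process
 * inspecting another. Added teaching example; not kernel code and not part
 * of the Qualys advisory. Pids, ids and the capability bit are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_PTRACE (1u << 0)   /* model-only capability bit, not the kernel's value */

enum dumpable { SUID_DUMP_DISABLE = 0, SUID_DUMP_USER = 1, SUID_DUMP_ROOT = 2 };

enum ptrace_verdict {
    PTRACE_ALLOW,
    PTRACE_DENY_CREDS,      /* tracer's ids do not match the target's */
    PTRACE_DENY_DUMPABLE,   /* target is not dumpable (set-uid exec, PR_SET_DUMPABLE 0) */
    PTRACE_DENY_SCOPE       /* blocked by the Yama ptrace_scope ancestry rule */
};

struct cred { uint32_t uid, euid, suid, gid, egid, sgid, caps; };

struct task {
    int pid, ppid;
    struct cred cred;
    enum dumpable dumpable;
};

/* Constructed process table standing in for a real system. */
static const struct task sample_tasks[] = {
    {   1,   0, {    0,    0,    0,    0,    0,    0, CAP_SYS_PTRACE }, SUID_DUMP_USER },    /* init */
    { 100,   1, { 1000, 1000, 1000, 1000, 1000, 1000, 0 }, SUID_DUMP_USER },                 /* user shell */
    { 101, 100, { 1000, 1000, 1000, 1000, 1000, 1000, 0 }, SUID_DUMP_USER },                 /* child of the shell */
    { 102, 100, { 1000,    0,    0, 1000, 1000, 1000, 0 }, SUID_DUMP_DISABLE },              /* set-uid helper run by the shell */
    { 103, 100, { 1000, 1000, 1000, 1000, 1000, 1000, 0 }, SUID_DUMP_DISABLE },              /* same user, opted out via PR_SET_DUMPABLE */
    { 200,   1, { 1000, 1000, 1000, 1000, 1000, 1000, 0 }, SUID_DUMP_USER },                 /* same user, different session */
    { 300,   1, {    0,    0,    0,    0,    0,    0, CAP_SYS_PTRACE }, SUID_DUMP_USER },    /* root debugger */
};
static const int sample_count = sizeof sample_tasks / sizeof sample_tasks[0];

static const struct task *find_task(int pid)
{
    for (int i = 0; i < sample_count; i++)
        if (sample_tasks[i].pid == pid) return &sample_tasks[i];
    return NULL;
}

/* Walk the target's parent chain looking for the tracer (Yama ptrace_scope=1). */
static bool is_ancestor(int tracer_pid, int target_pid)
{
    const struct task *t = find_task(target_pid);
    while (t && t->ppid != 0) {
        if (t->ppid == tracer_pid) return true;
        t = find_task(t->ppid);
    }
    return false;
}

enum ptrace_verdict ptrace_may_access(const struct task *tracer, const struct task *target, int ptrace_scope)
{
    const struct cred *c = &tracer->cred, *t = &target->cred;
    bool has_cap = (c->caps & CAP_SYS_PTRACE) != 0;

    if (tracer->pid == target->pid) return PTRACE_ALLOW;   /* a process may inspect itself */

    /* 1. Credentials: the tracer's effective ids must equal the target's real,
     *    effective AND saved ids; CAP_SYS_PTRACE overrides. */
    bool same_ids = c->euid == t->uid && c->euid == t->euid && c->euid == t->suid &&
                    c->egid == t->gid && c->egid == t->egid && c->egid == t->sgid;
    if (!same_ids && !has_cap) return PTRACE_DENY_CREDS;

    /* 2. Dumpable: a non-dumpable target is off limits without CAP_SYS_PTRACE,
     *    even when every id matches. */
    if (target->dumpable != SUID_DUMP_USER && !has_cap) return PTRACE_DENY_DUMPABLE;

    /* 3. Ancestry: Yama's kernel.yama.ptrace_scope (0 = classic, 1 = descendants
     *    only, 2 = CAP_SYS_PTRACE only, 3 = no attach at all). */
    if (ptrace_scope >= 3) return PTRACE_DENY_SCOPE;
    if (ptrace_scope == 2 && !has_cap) return PTRACE_DENY_SCOPE;
    if (ptrace_scope == 1 && !has_cap && !is_ancestor(tracer->pid, target->pid)) return PTRACE_DENY_SCOPE;

    return PTRACE_ALLOW;
}

/* Convenience wrapper over the constructed table; unknown pids are denied. */
enum ptrace_verdict verdict_for(int tracer_pid, int target_pid, int ptrace_scope)
{
    const struct task *tr = find_task(tracer_pid), *tg = find_task(target_pid);
    return (tr && tg) ? ptrace_may_access(tr, tg, ptrace_scope) : PTRACE_DENY_CREDS;
}

int main(void)
{
    static const char *names[] = { "allow", "deny: credentials", "deny: not dumpable", "deny: ptrace_scope" };
    int cases[][3] = { {100,101,1}, {100,102,1}, {100,103,1}, {100,200,0}, {100,200,1}, {300,103,1}, {300,103,3} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("tracer %d -> target %d (scope %d): %s\n", cases[i][0], cases[i][1], cases[i][2],
               names[verdict_for(cases[i][0], cases[i][1], cases[i][2])]);
    return 0;
}
```

The model shows why the dumpable flag matters independently of the credential check: process 103 has exactly the same ids as its parent shell and is still untraceable once it has cleared dumpability, which is the protection set-uid helpers and secret-holding daemons rely on. Yama's PR_SET_PTRACER exception and the PTRACE_MODE_READ path used by /proc are left out of the model.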
Qualys released an advisory with four proofs-of-concept (PoCs), targeting chage, ssh-keysign, pkexec, and accounts-daemon, that show how an unprivileged attacker can read password hashes, steal SSH keys, and run arbitrary commands with root privileges. Qualys has also confirmed these PoCs work on Debian 13, Fedora 43 and 44, and Ubuntu 24.04 and 26.04.
It is important to note that Qualys stated in the advisory, "Please note that we have not exhaustively searched for exploitable userland programs (set-uid, set-gid, set-capabilities binaries, and root daemons); we simply remembered the four that we found from past research projects, and other, possibly better, exploitable programs may exist."
The report also points out how even SELinux can be skirted: "On Fedora, SELinux prevents accounts-daemon from starting a transient systemd unit, but we can send a request to another dbus-daemon instead; for example, we can send a request to accounts-daemon itself, to set an administrator's password (SetPassword) of our choice, and then su to this administrator, and then sudo to root."
The good news is that the Linux kernel developers have issued a patch.