Thursday, April 16, 2009
udev trickery (CVE-2009-1185 and CVE-2009-1186)
While the security industry is making weird statements about
no-more-free-hugs and OSX vs. Windows exploitation fun,
I add my two cents on UNIX exploitation.
There have been two problems in all currently running udevds
as shipped on all major Linux distributions. Even if you
install SELinux or other hardening mechanisms, you are at risk
(please see the above screenshot of a targeted SELinux config).
The first problem (CVE-2009-1185) arises because the origin of
KOBJECT_UEVENT messages is not verified, so any user can spoof
messages that udevd takes for granted as coming from the kernel. This allows
some trickery to create a device named /dev/random with permissions
0666 but with the major and minor numbers of your root block device. The rest
is code. Alternatively, CVE-2009-1186, a standard stack buffer overflow,
could be exploited. Depending on the
configuration of the system, CVE-2009-1185 can also be exploited
with weird network interface names and the like, so in the end,
chrooted/jailed or PrivSep'ed users have a good chance to get a full root shell.
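The check that closes the origin hole described above, as an added example written for this page (not udev's own code): a screening step that discards any uevent datagram whose netlink sender address, as filled in by recvmsg(), is not the kernel's (nl_pid 0) before trusting the ACTION/DEVPATH it carries, and then cross-checks the header against the environment variables. The sample datagram and all function and type names are constructed for this example.

```c
#include <sys/socket.h>
#include <linux/netlink.h>
#include <string.h>

/* Verdict for one datagram read from a NETLINK_KOBJECT_UEVENT socket. */
enum uevent_verdict { UEVENT_OK = 0, UEVENT_BAD_SENDER = 1, UEVENT_BAD_FORMAT = 2 };
/* Parsed view of a uevent: "add@/devices/x\0ACTION=add\0DEVPATH=/devices/x\0..." */
struct uevent { char action[16]; char devpath[256]; };
/* Constructed sample datagram (not a capture) in the kernel's uevent format. */
static const char sample_uevent[] =
    "add@/devices/virtual/misc/random\0ACTION=add\0"
    "DEVPATH=/devices/virtual/misc/random\0SUBSYSTEM=misc\0";
static const size_t sample_uevent_len = sizeof(sample_uevent) - 1;

/* Only the kernel legitimately emits uevents, and its netlink datagrams carry nl_pid == 0
 * in the sender address recvmsg() fills in; any user-space socket has a nonzero port id. */
int uevent_sender_is_kernel(const struct sockaddr_nl *snl)
{
    return snl->nl_family == AF_NETLINK && snl->nl_pid == 0;
}

/* Screen one datagram: refuse non-kernel senders before parsing anything, then
 * require the "ACTION@DEVPATH" header and ACTION=/DEVPATH= variables that agree. */
enum uevent_verdict screen_uevent(const struct sockaddr_nl *snl, const char *buf,
                                  size_t len, struct uevent *out)
{
    const char *at, *nul, *p, *end = buf + len;
    int saw_action = 0, saw_devpath = 0;
    if (!uevent_sender_is_kernel(snl))
        return UEVENT_BAD_SENDER;
    if ((nul = memchr(buf, '\0', len)) == NULL)
        return UEVENT_BAD_FORMAT;                /* header line not terminated */
    if ((at = memchr(buf, '@', nul - buf)) == NULL || at == buf || at[1] != '/')
        return UEVENT_BAD_FORMAT;                /* no '@', empty action, relative devpath */
    if ((size_t)(at - buf) >= sizeof(out->action) || strlen(at + 1) >= sizeof(out->devpath))
        return UEVENT_BAD_FORMAT;
    memcpy(out->action, buf, at - buf);
    out->action[at - buf] = '\0';
    strcpy(out->devpath, at + 1);
    /* Environment: NUL-terminated KEY=VALUE pairs following the header. */
    for (p = nul + 1; p < end; p = nul + 1) {
        if ((nul = memchr(p, '\0', end - p)) == NULL)
            return UEVENT_BAD_FORMAT;            /* unterminated trailing pair */
        if (strncmp(p, "ACTION=", 7) == 0)
            saw_action = strcmp(p + 7, out->action) == 0;
        else if (strncmp(p, "DEVPATH=", 8) == 0)
            saw_devpath = strcmp(p + 8, out->devpath) == 0;
    }
    return (saw_action && saw_devpath) ? UEVENT_OK : UEVENT_BAD_FORMAT;
}
```

A daemon that applies this check never acts on a spoofed event, so the device-node trick above is stopped before any rule processing runs.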