An important memory corruption defense in Linux, OpenBSD, NetBSD, FreeBSD and Solaris can be bypassed by attackers to obtain root privileges and take complete control of affected systems.
The issue was discovered by researchers from security vendor Qualys and has been dubbed “Stack Clash” because it involves “clashing” the stack with another memory region, such as the heap. It was publicly disclosed Monday, in coordination with operating system maintainers who released patches for the vulnerability.
The security implications of overrunning the stack into another memory region have been known for at least 12 years. Security researcher Gaël Delalleau described the problem in a presentation at the CanSecWest security conference in 2005 and five years later, former Qubes OS developer Rafal Wojtczuk found a way to exploit it through the X server (CVE-2010-2240).
In response to these earlier exploits, the Linux kernel developers added a protection mechanism called the stack guard page. This is a single 4KB memory page mapped directly below the stack — the stack grows down and the heap grows up — so a sequential overwrite that runs off the end of the stack lands on the guard page and triggers a segmentation fault.
“The problem with this approach, as Qualys discovered, is that in cases where stack memory allocation can be controlled in certain non-sequential manners, it is possible to jump the stack guard page and manipulate adjacent memory regions,” said via email Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security.
The Qualys researchers wrote seven proof-of-concept exploits that take advantage of the vulnerability through user-space applications to obtain full root privileges. While these are all local privilege escalation exploits, the existence of a remote exploitation vector is not excluded.
A separate sudo vulnerability, disclosed at the end of May, allowed users listed in the sudoers file to obtain full root privileges through the sudo tool. When combined with Stack Clash, however, this sudo flaw allows all local users, not only sudoers, to obtain root privileges on any Linux system.
The Qualys researchers and Risk Based Security advise system administrators to deploy patches for the Stack Clash vulnerability as soon as possible, as the risk of local privilege escalation to root is high.
A temporary workaround involves setting the hard RLIMIT_STACK and RLIMIT_AS of local users and remote services to “reasonably low values.” This is tricky to get right: if the limits are too large they may still leave room for some attacks, and if they are too low they will break legitimate applications.
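As an added illustration (not from the article or from Qualys), the following POSIX shell script audits the two hard limits the workaround targets for the current user and flags any that are unlimited or above a ceiling; the ceilings are assumed values chosen for illustration, not figures from the article.

```shell
#!/bin/sh
# Added example: audit the hard RLIMIT_STACK and RLIMIT_AS of the current
# shell, the two limits the Stack Clash workaround says to cap.
# The ceilings below are assumptions for illustration, not article values.

MAX_STACK_KB=$((64 * 1024))      # assumed ceiling: 64 MiB stack
MAX_AS_KB=$((8 * 1024 * 1024))   # assumed ceiling: 8 GiB address space

# classify_limit VALUE MAX -> prints "unlimited", "too-high" or "ok".
# VALUE is what `ulimit -H` prints: a number in KiB or the word "unlimited".
classify_limit() {
    value=$1
    max=$2
    if [ "$value" = "unlimited" ]; then
        echo unlimited
    elif [ "$value" -gt "$max" ]; then
        echo too-high
    else
        echo ok
    fi
}

# audit_current_limits -> one line per limit; returns 1 if any is not "ok".
audit_current_limits() {
    rc=0
    stack=$(ulimit -H -s)   # hard RLIMIT_STACK in KiB
    as=$(ulimit -H -v)      # hard RLIMIT_AS (virtual memory) in KiB
    for pair in "RLIMIT_STACK $stack $MAX_STACK_KB" "RLIMIT_AS $as $MAX_AS_KB"; do
        set -- $pair        # split into name, current hard value, ceiling
        status=$(classify_limit "$2" "$3")
        printf '%-12s hard=%-10s %s\n' "$1" "$2" "$status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

audit_current_limits || echo "one or more hard limits exceed the assumed ceiling"
```

Hard limits can then be lowered for the session with `ulimit -H -s <KiB>` and `ulimit -H -v <KiB>`, or persistently for all users through the `hard stack` and `hard as` entries in /etc/security/limits.conf.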
The good news is that the Qualys researchers plan to give users enough time to patch their systems before releasing their proof-of-concept exploits to the public.
Red Hat is a sponsor of The New Stack.