CVE-2012-4530 : Detail

CVE-2012-4530

A01-Broken Access Control
0.05%V3
Local
2013-02-18
01h00 +00:00
2013-03-08
09h00 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Metrics

Metrics Score Severity CVSS Vector Source
V2 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 41767

Publication date : 2014-01-13 23h00 +00:00
Author : halfdog
EDB Verified : No

Source: http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/ ## Introduction Problem description: Linux kernel binfmt_script handling in combination with CONFIG_MODULES can lead to disclosure of kernel stack data during execve via copy of data from dangling pointer to stack to growing argv list. Apart from that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4 recursions is ignored, instead a maximum of roughly 2^6 recursions is in place. ## Method Execution of a sequence of crafted scripts causes bprm->interp pointer to be set to data within current stack frame. When frame is left, data at location of dangling pointer can be overwritten before it is added to argv-list in next run and then exported to userspace. ## Results, Discussion The overwrite is triggered when executables with special names handled by binfmt_script call each other until BINPRM_MAX_RECURSION is reached. During each round, load_script from fs/binfmt_script.c extracts the interpreter name for the next round and stores it within the current stack frame. The pointer to this name is also copied to bprm->interp and used during execution of the next interpreter (also a script) within search_binary_handler function. This is not problematic unless CONFIG_MODULES is also defined. When BINPRM_MAX_RECURSION is reached, load_script returns, thus leaving bprm->interp pointing to a now non-existing stack frame. Due to CONFIG_MODULES and the special interpreter name, search_binary_handler will trigger request for loading of module via request_module and invoke load_script again. The function will then append the data from dangling pointer bprm->interp to exec args, thus disclosing some kernel stack bytes. Output on 64-bit system might contain: 0000170: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 0000180: 4141 4141 2d35 3600 7878 7800 ffff ffff AAAA-56.xxx..... 0000190: ffff ff7f ffff ffff ffff ff7f 809a ac1d ................ 00001a0: 0078 7878 000d 6669 6c65 2d41 4141 4141 .xxx..file-AAAAA 00001b0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA Apart from memory disclosure, reaching BINPRM_MAX_RECURSION will not terminate execve call with error, but invocation of load_script is triggered more than the intended maximum of loader invocations, leading to higher CPU consumption from single call to execve. Impact: Impact is low, since exploitation would need local code execution anyway. Only disclosure of kernel addresses when System.map is not readable seems interesting. The increased CPU load itself could be deemed unproblematic, an attacker in the same position but without this POC would need to fork more processes instead to get same load, which is quite feasable in most situations. Affected versions: Not clear right now, bug might have been introduced recently. Ubuntu Oneiric i386 kernel (3.0.0-24-generic): Not affected, test script does not cause excessive recursion. Not clear if bug could be triggered using other conditions. Ubuntu precise i386 and amd64 kernel (3.2.0-29-generic): Both affected Further analysis: It seems, that this scheme with only binfmt_elf and binfmt_script cannot lead to kernel OOPS or problematic stack writes. It could be investigated, if additional modules, e.g. binfmt_misc could open such a hole.

Products Mentioned

Configuraton 0

Linux>>Linux_kernel >> Version To (including) 3.7.1

Linux>>Linux_kernel >> Version 3.0

Linux>>Linux_kernel >> Version 3.0

Linux>>Linux_kernel >> Version 3.0

Linux>>Linux_kernel >> Version 3.0

Linux>>Linux_kernel >> Version 3.0

Linux>>Linux_kernel >> Version 3.0

Linux>>Linux_kernel >> Version 3.0

Linux>>Linux_kernel >> Version 3.0.1

Linux>>Linux_kernel >> Version 3.0.2

Linux>>Linux_kernel >> Version 3.0.3

Linux>>Linux_kernel >> Version 3.0.4

Linux>>Linux_kernel >> Version 3.0.5

Linux>>Linux_kernel >> Version 3.0.6

Linux>>Linux_kernel >> Version 3.0.7

Linux>>Linux_kernel >> Version 3.0.8

Linux>>Linux_kernel >> Version 3.0.9

Linux>>Linux_kernel >> Version 3.0.10

Linux>>Linux_kernel >> Version 3.0.11

Linux>>Linux_kernel >> Version 3.0.12

Linux>>Linux_kernel >> Version 3.0.13

Linux>>Linux_kernel >> Version 3.0.14

Linux>>Linux_kernel >> Version 3.0.15

Linux>>Linux_kernel >> Version 3.0.16

Linux>>Linux_kernel >> Version 3.0.17

Linux>>Linux_kernel >> Version 3.0.18

Linux>>Linux_kernel >> Version 3.0.19

Linux>>Linux_kernel >> Version 3.0.20

Linux>>Linux_kernel >> Version 3.0.21

Linux>>Linux_kernel >> Version 3.0.22

Linux>>Linux_kernel >> Version 3.0.23

Linux>>Linux_kernel >> Version 3.0.24

Linux>>Linux_kernel >> Version 3.0.25

Linux>>Linux_kernel >> Version 3.0.26

Linux>>Linux_kernel >> Version 3.0.27

Linux>>Linux_kernel >> Version 3.0.28

Linux>>Linux_kernel >> Version 3.0.29

Linux>>Linux_kernel >> Version 3.0.30

Linux>>Linux_kernel >> Version 3.0.31

Linux>>Linux_kernel >> Version 3.0.32

Linux>>Linux_kernel >> Version 3.0.33

Linux>>Linux_kernel >> Version 3.0.34

Linux>>Linux_kernel >> Version 3.0.35

Linux>>Linux_kernel >> Version 3.0.36

Linux>>Linux_kernel >> Version 3.0.37

Linux>>Linux_kernel >> Version 3.0.38

Linux>>Linux_kernel >> Version 3.0.39

Linux>>Linux_kernel >> Version 3.0.40

Linux>>Linux_kernel >> Version 3.0.41

Linux>>Linux_kernel >> Version 3.0.42

Linux>>Linux_kernel >> Version 3.0.43

Linux>>Linux_kernel >> Version 3.0.44

Linux>>Linux_kernel >> Version 3.1

Linux>>Linux_kernel >> Version 3.1

Linux>>Linux_kernel >> Version 3.1

Linux>>Linux_kernel >> Version 3.1

Linux>>Linux_kernel >> Version 3.1

Linux>>Linux_kernel >> Version 3.1.1

Linux>>Linux_kernel >> Version 3.1.2

Linux>>Linux_kernel >> Version 3.1.3

Linux>>Linux_kernel >> Version 3.1.4

Linux>>Linux_kernel >> Version 3.1.5

Linux>>Linux_kernel >> Version 3.1.6

Linux>>Linux_kernel >> Version 3.1.7

Linux>>Linux_kernel >> Version 3.1.8

Linux>>Linux_kernel >> Version 3.1.9

Linux>>Linux_kernel >> Version 3.1.10

Linux>>Linux_kernel >> Version 3.2

Linux>>Linux_kernel >> Version 3.2

Linux>>Linux_kernel >> Version 3.2

Linux>>Linux_kernel >> Version 3.2

Linux>>Linux_kernel >> Version 3.2

Linux>>Linux_kernel >> Version 3.2

Linux>>Linux_kernel >> Version 3.2

Linux>>Linux_kernel >> Version 3.2.1

Linux>>Linux_kernel >> Version 3.2.2

Linux>>Linux_kernel >> Version 3.2.3

Linux>>Linux_kernel >> Version 3.2.4

Linux>>Linux_kernel >> Version 3.2.5

Linux>>Linux_kernel >> Version 3.2.6

Linux>>Linux_kernel >> Version 3.2.7

Linux>>Linux_kernel >> Version 3.2.8

Linux>>Linux_kernel >> Version 3.2.9

Linux>>Linux_kernel >> Version 3.2.10

Linux>>Linux_kernel >> Version 3.2.11

Linux>>Linux_kernel >> Version 3.2.12

Linux>>Linux_kernel >> Version 3.2.13

Linux>>Linux_kernel >> Version 3.2.14

Linux>>Linux_kernel >> Version 3.2.15

Linux>>Linux_kernel >> Version 3.2.16

Linux>>Linux_kernel >> Version 3.2.17

Linux>>Linux_kernel >> Version 3.2.18

Linux>>Linux_kernel >> Version 3.2.19

Linux>>Linux_kernel >> Version 3.2.20

Linux>>Linux_kernel >> Version 3.2.21

Linux>>Linux_kernel >> Version 3.2.22

Linux>>Linux_kernel >> Version 3.2.23

Linux>>Linux_kernel >> Version 3.2.24

Linux>>Linux_kernel >> Version 3.2.25

Linux>>Linux_kernel >> Version 3.2.26

Linux>>Linux_kernel >> Version 3.2.27

Linux>>Linux_kernel >> Version 3.2.28

Linux>>Linux_kernel >> Version 3.2.29

Linux>>Linux_kernel >> Version 3.2.30

Linux>>Linux_kernel >> Version 3.3

Linux>>Linux_kernel >> Version 3.3

Linux>>Linux_kernel >> Version 3.3

Linux>>Linux_kernel >> Version 3.3

Linux>>Linux_kernel >> Version 3.3

Linux>>Linux_kernel >> Version 3.3

Linux>>Linux_kernel >> Version 3.3

Linux>>Linux_kernel >> Version 3.3

Linux>>Linux_kernel >> Version 3.3.1

Linux>>Linux_kernel >> Version 3.3.2

Linux>>Linux_kernel >> Version 3.3.3

Linux>>Linux_kernel >> Version 3.3.4

Linux>>Linux_kernel >> Version 3.3.5

Linux>>Linux_kernel >> Version 3.3.6

Linux>>Linux_kernel >> Version 3.3.7

Linux>>Linux_kernel >> Version 3.3.8

Linux>>Linux_kernel >> Version 3.4

Linux>>Linux_kernel >> Version 3.4

Linux>>Linux_kernel >> Version 3.4

Linux>>Linux_kernel >> Version 3.4

Linux>>Linux_kernel >> Version 3.4

Linux>>Linux_kernel >> Version 3.4

Linux>>Linux_kernel >> Version 3.4

Linux>>Linux_kernel >> Version 3.4

Linux>>Linux_kernel >> Version 3.4.1

Linux>>Linux_kernel >> Version 3.4.2

Linux>>Linux_kernel >> Version 3.4.3

Linux>>Linux_kernel >> Version 3.4.4

Linux>>Linux_kernel >> Version 3.4.5

Linux>>Linux_kernel >> Version 3.4.6

Linux>>Linux_kernel >> Version 3.4.7

Linux>>Linux_kernel >> Version 3.4.8

Linux>>Linux_kernel >> Version 3.4.9

Linux>>Linux_kernel >> Version 3.4.10

Linux>>Linux_kernel >> Version 3.4.11

Linux>>Linux_kernel >> Version 3.4.12

Linux>>Linux_kernel >> Version 3.4.13

Linux>>Linux_kernel >> Version 3.4.14

Linux>>Linux_kernel >> Version 3.4.15

Linux>>Linux_kernel >> Version 3.4.16

Linux>>Linux_kernel >> Version 3.4.17

Linux>>Linux_kernel >> Version 3.4.18

Linux>>Linux_kernel >> Version 3.4.19

Linux>>Linux_kernel >> Version 3.4.20

Linux>>Linux_kernel >> Version 3.4.21

Linux>>Linux_kernel >> Version 3.4.22

Linux>>Linux_kernel >> Version 3.4.23

Linux>>Linux_kernel >> Version 3.4.24

Linux>>Linux_kernel >> Version 3.5.1

Linux>>Linux_kernel >> Version 3.5.2

Linux>>Linux_kernel >> Version 3.5.3

Linux>>Linux_kernel >> Version 3.5.4

Linux>>Linux_kernel >> Version 3.5.5

Linux>>Linux_kernel >> Version 3.5.6

Linux>>Linux_kernel >> Version 3.5.7

Linux>>Linux_kernel >> Version 3.6

Linux>>Linux_kernel >> Version 3.6.1

Linux>>Linux_kernel >> Version 3.6.2

Linux>>Linux_kernel >> Version 3.6.3

Linux>>Linux_kernel >> Version 3.6.4

Linux>>Linux_kernel >> Version 3.6.5

Linux>>Linux_kernel >> Version 3.6.6

Linux>>Linux_kernel >> Version 3.6.7

Linux>>Linux_kernel >> Version 3.6.8

Linux>>Linux_kernel >> Version 3.7

References

http://rhn.redhat.com/errata/RHSA-2013-0223.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.openwall.com/lists/oss-security/2012/10/19/3
Tags : mailing-list, x_refsource_MLIST