Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] COSEINC Linux Advisory #2: IA32 System Call Emulation

from [Wojciech Purczynski] Network Security [Permanent Link]
Subject: [Full-disclosure] COSEINC Linux Advisory #2: IA32 System Call Emulation Vulnerability
Date: Mon, 24 Sep 2007 11:17:48 +0200 
===[ ABSTRACT ]=========================================================

Insufficient validation of general-purpose register in IA32 system call
emulation code may lead to local system compromise on x86_64 platform.


===[ AFFECTED SOFTWARE ]================================================

Linux 2.6
Linux 2.4

For the exact kernel version please refer to an information provided by
your vendor.


===[ DESCRIPTION ]======================================================

On x86_64 platform the Linux kernel supports compatibility emulation for
IA32 userland applications providing 32-bit system calls amongst other
32-bit resources.

As a result of arch/x86_64/ia32/ia32entry.S code optimization invalid
opcodes was used in the low level assembler routines providing
insufficient validation of %RAX register in the following part of code
(2.6):

---8<---
sysenter_do_call:
        cmpl    $(IA32_NR_syscalls-1),%eax
        ja      ia32_badsys
        IA32_ARG_FIXUP 1
        call    *ia32_sys_call_table(,%rax,8)
---8<---
cstar_do_call:
        cmpl $IA32_NR_syscalls-1,%eax
        ja  ia32_badsys
        IA32_ARG_FIXUP 1
        call *ia32_sys_call_table(,%rax,8)
---8<---
ia32_do_syscall:
        cmpl $(IA32_NR_syscalls-1),%eax
        ja  ia32_badsys
        IA32_ARG_FIXUP
        call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
---8<---

Improperly validated 64-bit values stored in the %RAX register may lead
to out-of-bounds system call table access resulting in the ability to
execute arbitrary code in the context of the Linux kernel.


===[ IMPACT ]===========================================================

Unprivileged local user may execute arbitrary code in the context of the
Linux kernel running on x86_64 platform.


===[ DISCLOSURE TIMELINE ]==============================================

18th September 2007     Vendor notification
24th September 2007     Public disclosure


===[ AUTHOR ]===========================================================

Wojciech Purczynski <cliph@research.coseinc.com>

Wojciech Purczynski is a Security Researcher at Vulnerability Research
Labs, COSEINC PTE Ltd. Wojciech Purczynski is also a member of iSEC
Security Research.


===[ LEGAL DISCLAIMER ]=================================================

Copyright (c) 2007 Wojciech Purczynski
Copyright (c) 2007 COSEINC PTE Ltd.

All Rights Reserved.

PUBLISHING, DISTRIBUTING, PRINTING, COPYING, SCANNING, DUPLICATING IN
ANY FORM, MODIFYING WITHOUT PRIOR WRITTEN PERMISSION IS STRICTLY
PROHIBITED.

THE DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. THE
CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE
LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES,
LOSSES OR UNLAWFUL OFFENCES.

USE AT YOUR OWN RISK.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] COSEINC Linux Advisory #2: IA32 System Call Emulation Vulnerability, Wojciech Purczynski <=
Previous by Date:  [Full-disclosure] iDefense Security Advisory 09.20.07: CA ARCServe Backup for Laptops and Desktops Multiple Buffer Overflow Vulnerabilities, iDefense Labs
Next by Date:  rPSA-2007-0198-1 kernel, rPath Update Announcements
Previous by Thread:  [Full-disclosure] iDefense Security Advisory 09.20.07: CA ARCServe Backup for Laptops and Desktops Multiple Buffer Overflow Vulnerabilities, iDefense Labs
Next by Thread:  rPSA-2007-0198-1 kernel, rPath Update Announcements
Indexes:  [Date] [Thread] [Top] [All Lists]