They found a VFS vulnerability in Linux that allows privilege escalation

Few days ago news was released that the vulnerability was identified (already cataloged under CVE-2022-0185) andn the file system context API provided by the linux kernel which could allow a local user to gain root privileges on the system.

It is mentioned that the problem is that an unprivileged user can get such permissions in an isolated container if support for user namespaces is enabled on the system.

For example, user namespaces are enabled by default on Ubuntu and Fedora, but are not enabled on Debian and RHEL (unless container isolation platforms are used). In addition to privilege escalation, the vulnerability can also be used to break out of an isolated container if the container has CAP_SYS_ADMIN authority.

Vulnerability exists in function legacy_parse_param() in VFS and is due to a lack of proper validation of the maximum size of supplied parameters on file systems that do not support the file system context API.

Recently several friends on my CTF Crusaders of Rust team and I encountered a 0-day Linux kernel heap overflow. We found the bug through fuzzing with syzkaller and quickly developed it into an Ubuntu LPE exploit. We then rewrote it to escape and root Google's hardened Kubernetes CTF infrastructure. This bug affects all kernel versions since 5.1 (5.16 is currently in progress) and has been assigned CVE-2022-0185. We have already reported this to the Linux distribution and security mailing list, and the bug was fixed as of this article's release.

Passing too large a parameter can cause an overflow of the integer variable used to calculate the size of the data being written; the code has an "if (len > PAGE_SIZE - 2 - size)" buffer overflow check, which does not work if the size value is greater than 4094 due to integer overflow through the lower bound (integer overflow, when converts 4096 – 2 – 4095 to unsigned int, gets 2147483648).

This bug allows, when accessing a specially crafted FS image, cause a buffer overflow and overwrite kernel data following the allocated memory area. To exploit the vulnerability, CAP_SYS_ADMIN rights, ie administrator authority, are required.

As of 2022, our teammates resolved to find a day 0 in 2022. We weren't quite sure exactly how to start, but since our team had a high degree of familiarity with Linux kernel vulnerabilities, we decided to just buy some dedicated servers. and run Google's syzkaller fuzzer. On January 6 at 22:30 PM PST, chop0 received the following report of a KASAN failure in legacy_parse_param: slab-out-of-bounds Write in legacy_parse_param. It seems that syzbot found this problem only 6 days earlier when fuzzing Android, but the problem was not handled and we naively thought that no one else noticed.

Finally, it is worth mentioning that the problem has been manifesting itself since Linux kernel version 5.1 and was solved in the updates that were released a few days ago in versions 5.16.2, 5.15.16, 5.10.93, 5.4.173.

Besides that vulnerability package updates have already been released to RHELDebianfedora and Ubuntu. While the solution is not yet available in Arch LinuxGentooSUSE y openSUSE.

In the case of these, it is mentioned that as a security solution for systems that do not use container isolation, you can set the value of sysctl "user.max_user_namespaces" to 0:

The researcher who identified the problem has published a demo of an exploit que allows running code as root on Ubuntu 20.04 in the default configuration. It is planned that the exploit code is published on GitHub within a week after that distributions release an update that fixes the vulnerability.

Finally if you are interested in knowing more about it, you can check the details in the following link


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

A comment, leave yours

Leave a Comment

Your email address will not be published.

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   galician said

    Yet another reason not to touch snap with a stick.