|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
Linux kernel: memory corruption via /proc/pid/mem
Synthesis of the vulnerability
A local attacker can use /proc/$pid/mem, in order to change the memory of a process, and to elevate his privileges.
Impacted products: Fedora, Linux, openSUSE, RHEL.
Creation date: 18/01/2012.
Revisions dates: 20/01/2012, 23/01/2012.
Identifiers: BID-51625, CERTA-2012-AVI-034, CVE-2012-0056, FEDORA-2012-0861, FEDORA-2012-0876, openSUSE-SU-2013:0927-1, RHSA-2012:0052-01, RHSA-2012:0061-01, VIGILANCE-VUL-11300, VU#470151.
Description of the vulnerability
The /proc/$pid/mem file is used to access to the memory of a process. A user can read /proc/$pid/mem, in order to read the memory of the $pid process, but he should not be allowed to write into the memory.
The mem_write() function of the fs/proc/base.c file was commented, so users were not allowed to alter the memory by writing to /proc/$pid/mem. However, in march 2011 (2.6.39), the mem_write() function was uncommented. Since this change, a user can thus modify the memory of a running process. If the attacker choses a privileged process (suid root), he can thus gain elevated privileges.
A local attacker can therefore use /proc/$pid/mem, in order to change the memory of a process, and to elevate his privileges.
Complete Vigil@nce bulletin.... (free trial)
Computer vulnerabilities tracking service
Vigil@nce provides a computers vulnerabilities database. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.