
Anatomy of an exploit

When writing security tests for ICE Linux I recently bumped into a quite interesting, albeit old, local Linux privilege elevation exploit. So here we go: please allow me to briefly introduce CVE-2012-0056.

Basically, the exploit is a clever way to abuse a local SUID binary via a control-flow hijacking attack to gain administrative privileges on the local machine.

Under the hood, the exploit pulls a clever trick: it redirects the process's standard I/O streams so that writes land in its own executable memory at a carefully selected address, using the /proc/PID/mem special kernel file; it then spawns a SUID binary via the execlv() syscall and finally feeds it carefully crafted hostile input that overwrites critical memory regions, hijacking control flow to spawn a root shell.

This kind of innovative abuse of critical operating system utilities emphasizes how dangerous any SUID binary present on a Linux system potentially is. A non-privileged user attempting to gain administrative privileges has disturbingly versatile control over many important aspects of the privileged process that is responsible for making critical security decisions. Fortunately, based on a very brief penetration testing effort, debugger-based SUID control-flow hijacking vectors appear to have been properly mitigated in contemporary Linux distributions.

In my personal opinion, the entire SUID mechanism is a reckless construct: it delegates sensitive security decisions into the less reliable user space, decisions that naturally belong to the kernel domain. In a more secure design, the kernel would assume responsibility for verifying the presented cryptographic credentials before granting any privilege elevation request. Such a design would seemingly eliminate entire classes of attacks related to privilege escalation via SUID binaries.

As the described attack, and its as-yet-undiscovered, even more evil cousins, rely extensively on custom executable binaries, the kernel-level software whitelisting implemented by ICE Linux virtually guarantees immunity against this class of privilege elevation attacks.
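As an added illustration of the audit side of that argument (example code, not from this post or from ICE Linux): a user-space check that inventories setuid/setgid executables under a directory tree and flags any that are not on an explicit allowlist, the kind of inventory a defender compares against a known baseline. The allowlist entries and the sample tree are constructed for the demonstration.

```python
"""Audit setuid/setgid executables against an allowlist.

Added example, not ICE Linux code: walks a directory tree, collects regular
files carrying the setuid or setgid bit, and reports any that are not on an
explicit allowlist. The allowlist and the sample tree are constructed.
"""
import os
import stat
import tempfile


def find_suid_binaries(root):
    """Return {path: mode} for regular files with S_ISUID or S_ISGID under root."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files never elevate privilege
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = st.st_mode
    return found


def audit(root, allowlist):
    """Return the sorted privileged binaries under root not covered by allowlist."""
    allowed = {os.path.join(root, rel) for rel in allowlist}
    return sorted(p for p in find_suid_binaries(root) if p not in allowed)


def demo():
    """Constructed tree: one expected SUID binary, one rogue one, one normal file."""
    root = tempfile.mkdtemp()
    for rel, mode in (("bin/su", 0o4755), ("tmp/helper", 0o4755), ("bin/ls", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("#!/bin/sh\n")
        os.chmod(path, mode)
    rogue = audit(root, allowlist=["bin/su"])  # only bin/su is expected to be SUID
    return [os.path.relpath(p, root) for p in rogue]


if __name__ == "__main__":
    print("unexpected privileged binaries:", demo())
```

Run against a real root ("/") the same walk produces the inventory to diff against a package-manager baseline; only the rogue entries need a human look.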

This post first appeared on Meet The ICE Linux OS.