CVE 2018-8781 Privilege Escalation flaw was introduced in Linux Kernel 8 years ago

Haythem Elmir
0 1
Read Time3 Minute, 27 Second

Researchers from security firm Check Point discovered a security vulnerability in a driver in the Linux kernel, tracked as CVE 2018-8781, that leads to local privilege escalation.

The CVE 2018-8781 flaw, introduced 8 years ago, could be exploited by a local user with access to a vulnerable privileged driver to escalate local privileges and read from and write to sensitive kernel memory.

Experts explained that it is common for drivers to implement their own version of file operation functions, this is visible by analyzing the file_operations struct of a driver.

Such kind of implementations could introduce flaws such as Integer-Overflows and the lack of input validations.

TheCVE 2018-8781 flaw revealed by CheckPoint affects the internal mmap() function defined in the fb_helper file operations of the “udl” driver of “DisplayLink.”

” A classic driver should probably look like this:

  1. The driver will hold an internal buffer that represents the shared memory region with the peripheral device.
  2. The driver should only let the user access memory ranges that fall inside this buffer.” states the analysis published by CheckPoint.

The prototype of the mmap() function from user-space confirms the presence of numerous fields that could be used by the attacker to potentially trigger the vulnerabilities.

According to the experts, developers should perform at least the following checks to avoid possible Integer-Overflows:

  1. Region start: 0 <= offset < buffer’s end
  2. Region end: buffer’s start <= offset + length <= buffer’s end
  3. Region start <= Region End

“In actual fact, the last check can be spared since the Linux kernel will sanitize the supplied length, making it practically impossible to pass the first two checks while still passing the third check,” continues Check Point.

The experts discovered the CVE 2018-8781 vulnerability while analyzing a function that maps physical memory pages to the user, the remap_pfn_range().

The experts searched for all the modules using the remap_pfn_range function (GREP for “remap_pfn_range) and contained 158 results, then filtering for drivers the list was restricted to six possible candidates.

CVE 2018-8781

“The video/drm module in the kernel defines a default mmap() wrapper that calls that real mmap()handler defined by the specific driver. In our case the vulnerability is in the internal mmap() defined in the fb_helper file operations of the “udl” driver of “DisplayLink”.” discovered the researchers.

In this way, the researchers spotted an Integer-Overflow in the driver.

“This is a classic example for an Integer-Overflow. Since offset is unsigned the programmer skipped check #1 and went directly to check #2. However, the calculation “offset + size” could wrap-around to a low value, allowing us to bypass the check while still using an illegal “offset” value.” continues 

“on 64 bit machines there are only 48 bits of accessible memory, meaning that if we use a huge “offset” to bypass this check we will also have to make sure that “info->fix.smem_start + offset” will wrap-around to a valid mapable physical address.”

The experts verified the flaw on an Ubuntu 64-bit virtual machine using a simulated vulnerable driver. The driver’s mmap() handler contained the implementation to check in each test performed by the researchers.

The user-mode code preformed 2 consecutive calls to mmap() on the vulnerable driver:

  1. length = 0x1000, offset = 0x0 -> sanity check
  2. length = 0x1000, offset = 0xFFFFFFFFFFFFFFFF – 0x1000 + 1 -> vulnerability check

Setting the buffer’s address at the page-aligned physical address of the kernel’s /dev/urandom implementation results were the expected ones.

Additional checks revealed that it is possible for the user to read and write from/to the mapped pages. Thus, an attacker could eventually trigger code execution in kernel space, the researchers explain.

“While the vulnerability was found using a simple search, it was introduced to the kernel eight years ago. This fact can teach us that even on a popular open source project as the Linux Kernel, you could always hope to find vulnerabilities if you know where to search.” concluded CheckPoint.

To read the original article:

https://securityaffairs.co/wordpress/72022/hacking/cve-2018-8781-linux-flaw.html

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Laisser un commentaire

Next Post

SamSam operators switch tactic and are more focused on targeted organizations

SamSam ransomware made the headlines again, crooks now spreading thousands of copies of the ransomware at once into individual targeted organizations. Ransomware continues to be one of the most dangerous cyber threat and incident like the one suffered by the city of Atlanta demonstrates that their economic impact on victims could be severe. SamSam ransomware made […]