How to get root on a Linux box, step 1: Make four billion system calls
Step 2: ??? Step 3: /#
Oh look, it's another Linux kernel bug that allows a local user to escalate themselves to root.
In exploiting CVE-2016-0728, discovered by Perception Point, “patience you must have,” because you have to cycle a 32-bit integer in the kernel around to zero. That means making 4,294,967,296 system calls to exploit the vulnerability.
Patches have been issued for affected distributions, which nixCraft lists as:
- Red Hat Enterprise Linux 7.
- CentOS Linux 7.
- Scientific Linux 7.
- Debian Linux 8.x (jessie) and 9.x (stretch).
- SUSE Enterprise 12 (desktop, server and workstation flavours).
- Ubuntu 14.04 LTS (Trusty Tahr), 15.04 (Vivid Vervet), and 15.10 (Wily Werewolf).
- OpenSUSE Linux LEAP and 13.2.
So, get updating your systems.
The problem exists in kernels compiled with the Kernel Key Retention Service (aka the keyring service), which requires the CONFIG_KEYS kernel configuration switch to be enabled. The bug has been present for a few years.
CVE-2016-0728 is a reference-counting bug in the keyring code: Perception Point found that a 32-bit integer variable called usage can be wrapped around to zero, opening up a use-after-free() hole that the researchers describe in great detail.
To wrap a 32-bit integer to zero means the attack code has to loop around 2^32 times, which is going to take a while. Perception Point's exploit against the 3.18 kernel took half an hour on an Intel Core i7-5500 CPU, but the team said “usually time is not an issue in a privilege escalation exploit.”
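To make the reference-counting failure concrete, here is an added toy model in C (illustration only, not kernel code and not Perception Point's exploit). A plain 32-bit counter, like the keyring `usage` field, wraps silently when references are taken and never dropped, so a later release can free an object that other holders still point at. Beside it is a saturating counter in the style of the `refcount_t` the kernel adopted later: it refuses to wrap and pins the object instead. The `struct obj`, `holders` bookkeeping and function names are assumptions for the demo; starting the counter near the wrap point shows the arithmetic in a few steps rather than the 2^32 calls the real bug needs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not kernel code: a toy object guarded by a plain
 * 32-bit reference count, like the keyring `usage` field described above.
 * `holders` is demo-only bookkeeping for how many references are really
 * outstanding; a correct counter always matches it. */
struct obj {
    uint32_t usage;    /* plain counter: wraps silently at 2^32 */
    uint64_t holders;  /* ground truth for the demo, not present in a kernel */
    bool freed;
};

/* Unchecked get: a code path that takes a reference it never drops can
 * push this counter through 0xFFFFFFFF and back round to small values. */
static void obj_get_unchecked(struct obj *o) {
    o->usage++;
    o->holders++;
}

/* Unchecked put: free when the count hits zero. After a wrap that happens
 * while other holders still point at the object: a use-after-free. */
static void obj_put_unchecked(struct obj *o) {
    o->holders--;
    if (--o->usage == 0)
        o->freed = true;
}

/* Hardened get, modelled on the saturating refcount_t the kernel adopted
 * later: refuse to wrap, pin the counter at UINT32_MAX and report failure. */
static bool obj_get_checked(struct obj *o) {
    if (o->usage == UINT32_MAX)
        return false;  /* saturated: the caller gets no reference */
    o->usage++;
    o->holders++;
    return true;
}

/* Hardened put: a saturated object is deliberately leaked (never freed),
 * which is the safe failure mode; otherwise behave as normal. */
static void obj_put_checked(struct obj *o) {
    o->holders--;
    if (o->usage == UINT32_MAX)
        return;
    if (--o->usage == 0)
        o->freed = true;
}

/* Start with `start` live references, leak `gets` more, then let one
 * legitimate holder drop its reference. Returns true if the object was
 * freed although references remain. */
static bool freed_while_held_unchecked(uint32_t start, uint64_t gets) {
    struct obj o = { .usage = start, .holders = start, .freed = false };
    for (uint64_t i = 0; i < gets; i++)
        obj_get_unchecked(&o);
    obj_put_unchecked(&o);
    return o.freed && o.holders > 0;
}

static bool freed_while_held_checked(uint32_t start, uint64_t gets) {
    struct obj o = { .usage = start, .holders = start, .freed = false };
    for (uint64_t i = 0; i < gets; i++)
        if (!obj_get_checked(&o))
            break;  /* saturated: stop handing out references */
    obj_put_checked(&o);
    return o.freed && o.holders > 0;
}

int main(void) {
    /* UINT32_MAX - 1 live references plus three leaked gets: the plain
     * counter reads 1, so the next put frees an object with 2^32 holders. */
    uint32_t start = UINT32_MAX - 1;
    printf("plain counter: freed while held = %s\n",
           freed_while_held_unchecked(start, 3) ? "yes" : "no");
    printf("saturating counter: freed while held = %s\n",
           freed_while_held_checked(start, 3) ? "yes" : "no");
    return 0;
}
```

The two `freed_while_held_*` functions differ only in which get/put pair they use: with the plain counter the legitimate holder's single put frees the object while billions of references are still live, whereas the saturating counter stops issuing references at the limit and pins the object, trading a memory leak for memory safety.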
The Register has confirmed that CONFIG_KEYS is enabled in at least Ubuntu and Debian – even though kernel chief Linus Torvalds' default kernel build config doesn't list it. Also, security defense mechanisms such as SMEP and SMAP, PaX, and SELinux, which should be enabled in kernels anyway, should defeat the exploit as it stands.
We're not so positive about Perception Point's statement that the vulnerability is present in 66 per cent of Android devices, though, because Android's kernel configuration guide doesn't enable keyrings – although manufacturers and custom ROM makers could twiddle CONFIG_KEYS on. The Register has asked Perception Point to clarify this point.
Exploiting the bug on Android would require a lot of patience, anyhow: if it takes a Core i7 30 minutes to cycle through the values of usage, imagine how long 2^32 system calls are going to take on an ARM-based phone. ®