Vulnerability in the kernel allows privilege escalation through directory manipulation

Recently, security researchers at Qualys (a cloud security, compliance and related services company) released details of a vulnerability they discovered that affects the Linux kernel.

CVE-2021-33909 affects the Linux kernel and allows a local user to achieve code execution and escalate privileges by manipulating deeply nested directories.

The vulnerability is due to a missing check on the result of converting a size_t value to int before it is used in the seq_file code, which builds files from a sequence of records. The missing check can lead to writes outside the buffer bounds when creating, mounting, and deleting a directory structure with very deep nesting (a path larger than 1 GB).

Any non-privileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration.

Concretely, an attacker can have the 10-byte string “//deleted” written at an offset of -2 GB - 10 bytes, i.e. into memory before the start of the allocated buffer.

The threat is compounded by the fact that the researchers were able to prepare working exploits on Ubuntu 20.04, Debian 11 and Fedora 34 with default settings. Other distributions have not been tested, but they are theoretically also susceptible to the problem and could be attacked.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and gain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely to be vulnerable and probably exploitable.

The exploit boils down to creating a hierarchy of roughly one million nested directories via mkdir() calls, so that the resulting file path is larger than 1 GB.

This directory is bind-mounted in a separate user namespace, after which rmdir() is called to remove it. In parallel, a thread is created that loads a small eBPF program; that thread blocks after the program has passed the eBPF verifier but before its JIT compilation.

The exploit then opens and reads /proc/self/mountinfo in the unprivileged user namespace; rendering the long bind-mounted directory path results in the string “//deleted” being written into the region before the start of the buffer. The write position is chosen so that it overwrites an instruction of the already verified but not yet JIT-compiled eBPF program.

From there, at the eBPF level, the uncontrolled out-of-bounds write is turned into a controlled read/write capability over other kernel structures by manipulating the btf and map_push_elem structures.

The exploit then locates the modprobe_path[] buffer in kernel memory and overwrites the path “/sbin/modprobe” stored in it, so that an executable of the attacker's choosing is launched as root whenever request_module() is called, which happens, for example, when creating a netlink socket.

The researchers have also proposed several workarounds that block this particular exploit but do not fix the underlying problem.

As such, it is recommended to set “/proc/sys/kernel/unprivileged_userns_clone” to 0, which disables unprivileged user namespaces and therefore the bind mount of the directory in a separate user namespace, and to set “/proc/sys/kernel/unprivileged_bpf_disabled” to 1 to disable the loading of eBPF programs into the kernel by unprivileged users.
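The check below is an added example (not code from the article, Qualys or the kernel project) that reports whether the two sysctl workarounds just described are in effect on a host; the function names and the SEQUOIA_CHECK_LIVE variable are this example's own choices, while the /proc/sys paths and values are the ones the article gives.

```shell
#!/bin/sh
# Added example for this article (not code from Qualys or the kernel
# project): report whether the two sysctl workarounds recommended above
# are in effect on this host. The /proc/sys paths and recommended values
# are the ones given in the article; unprivileged_userns_clone exists only
# on Debian/Ubuntu-patched kernels, so its absence is reported as well.

# Returns 0 when both values match the recommended settings, 1 otherwise.
# Takes the values as arguments so the logic can be exercised offline.
sequoia_mitigated() {
    userns_clone="$1"
    bpf_disabled="$2"
    status=0
    if [ "$userns_clone" = "0" ]; then
        echo "ok:   unprivileged user namespaces disabled (unprivileged_userns_clone=0)"
    else
        echo "WARN: unprivileged user namespaces allowed (unprivileged_userns_clone=$userns_clone)"
        status=1
    fi
    # The article recommends 1; value 2, accepted by newer kernels, also
    # disables unprivileged eBPF and cannot be reverted without a reboot.
    case "$bpf_disabled" in
        1|2) echo "ok:   unprivileged eBPF loading disabled (unprivileged_bpf_disabled=$bpf_disabled)" ;;
        *)   echo "WARN: unprivileged eBPF loading allowed (unprivileged_bpf_disabled=$bpf_disabled)"
             status=1 ;;
    esac
    return $status
}

# Reads one /proc/sys knob, printing "absent" when the file does not exist.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo "absent"; fi
}

check_host() {
    sequoia_mitigated \
        "$(read_knob /proc/sys/kernel/unprivileged_userns_clone)" \
        "$(read_knob /proc/sys/kernel/unprivileged_bpf_disabled)"
}

# Run the live check unless SEQUOIA_CHECK_LIVE=0 (e.g. when this file is
# sourced only to reuse the functions). To apply the workarounds as root:
#   sysctl -w kernel.unprivileged_userns_clone=0
#   sysctl -w kernel.unprivileged_bpf_disabled=1
if [ "${SEQUOIA_CHECK_LIVE:-1}" = "1" ]; then
    check_host || echo "result: this host is NOT covered by both workarounds"
fi
```

Both knobs only block this exploit path; the kernel update described next is the actual fix.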

In addition, all users of Linux distributions are advised to update their systems to a kernel that includes the corresponding patch. The problem has been present since July 2014 and affects kernel versions from 3.16 onward. The patch was coordinated with the community and accepted into the kernel on July 19.

Finally, if you are interested in knowing more about it, you can consult the details in the following link.

Best WordPress plugins for website security

  • Sucuri

Sucuri is a multi-function, high-profile security plugin that can notify you of login attempts via email or other means. It helps detect malware or other malicious code and clean it up in time. It can be scheduled to check your entire website every few hours, days or weeks. It provides complete security for WordPress blogs. This plugin usually includes all the security options, so you do not have to install any other security plugin; using too many plugins will also slow down your website.

  • Login LockDown

This plugin protects your website from brute force attacks. Brute force attacks typically try to log in to your dashboard thousands of times using different password combinations; once they find the right one, they take everything. Login LockDown limits login attempts so that a user can only try once, twice or three times. You can set the number of login attempts allowed while logging in. It automatically blocks any IP that fails to log in to the dashboard more than 2-3 times.

  • WP Security Scan

WP Security Scan is a free WordPress plugin readily available in the WordPress plugin directory. It lets the user easily monitor login attempts via email and password change notifications, and also helps optimize website data. It helps you change the login form links and other secure areas by renaming their directories. It can be configured to change .htaccess and other sensitive files so that they cannot be shown publicly.

  • Wordfence

The Wordfence WordPress security plugin provides free enterprise-class WordPress security, protecting your website from hacks and malware. It scans for viruses and malware in your wp directories and files. It is the most popular security plugin for WordPress. Wordfence starts by checking whether your site is already infected; if it is, it scans the site and cleans up all the problems on your blog. It is a free plugin with an open-source license. Its features usually include:

      • Blocking Features
      • Login Security
      • Security Scanning
      • WordPress Firewall
      • Monitoring & Caching
      • Compatibility

  • Akismet

Last but not least is a plugin that is very important for every blogging website. Attackers invent new techniques daily to hack growing blogs. Akismet is a web-server-based plugin for checking spam comments on your blog. When any hacker posts a spam comment on your blog, Akismet checks and verifies whether it is infected or not. It automatically checks all comments and filters out the spam ones. Comment hacking is a newly discovered hacking technique: if someone posts that code on your blog and you overlook it, they will get the .htaccess of your website, from which they can easily reveal the username and password of your wp-admin dashboard.
