Vulnerability in the kernel allows privilege escalation through directory manipulation

Recently Qualys security researchers (a cloud security, compliance and related services company) released details of a vulnerability what they detected and what they affect the Linux kernel.

CVE-2021-33909 affects the kernel and allows a local user to achieve code execution and escalate privileges by manipulating highly nested directories.

The vulnerability is due to the lack of validation of the result of converting size_t to type int before performing operations on the seq_file code, which creates files from a sequence of records. Lack of validation can result in writes to an area outside the buffer limits when creating, mounting, and dropping a directory structure with a very high level of nesting (path size greater than 1GB).

Any non-privileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration.

As a result, an attacker can get a 10-byte string “// deleted” with an offset of “- 2 GB – 10 bytes”, pointing to the area immediately before the allocated buffer.

The threat of vulnerability is compounded by the fact that researchers were able to prepare functional exploits on Ubuntu 20.04, Debian 11 and Fedora 34 in the default settings. It is noted that other distributions have not been tested, but theoretically, they are also susceptible to the problem and can be attacked.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and gain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely to be vulnerable and probably exploitable.

The work of the exploit boils down to creating a hierarchy of roughly a million directories nested via mkdir () call to achieve a file path size greater than 1GB.

This directory is bind-mount mounted in a separate user namespace, after which the rmdir () function is run to remove it. In parallel, a thread is created that loads a small eBPF program, which hangs at the stage after verifying the eBPF pseudocode, but before its JIT compilation.

In the unprivileged user ID namespace, the / proc / self / mountinfo file opens and reads the long directory path mounted with bind-mount, resulting in the line “// deleted” being written in the region before the start of the buffer. The position for writing the line is chosen in such a way that it overwrites the instruction in the already tested but not yet compiled eBPF program.

Furthermore, at the eBPF program level, uncontrolled writing out of the buffer is transformed into a read / write capability controlled in other kernel structures by manipulating the btf and map_push_elem structures.

The exploit then places the modprobe_path [] buffer in kernel memory and overwrites the path “/ sbin / modprobe” in it, allowing any executable file to be launched as root if a request_module () call is made, which is executed for example when creating a netlink socket ..

Researchers have provided several solutions that are effective only for a specific exploit, but they do not fix the problem itself.

As such it is recommended to set the parameter “/ proc / sys / kernel / unprivileged_userns_clone” to 0 to disable mounting of directories in a separate userid namespace and “/ proc sys / kernel / unprivileged_bpf_disabled” to 1 to disable the loading of eBPF programs into the kernel.

In addition to the fact that all users of a Linux distribution are also recommended to update their system to have the corresponding patch. The problem has been evident since July 2014 and it affects kernel versions since 3.16. The vulnerability patch was coordinated with the community and accepted in the kernel on July 19.

Finally, if you are interested in knowing more about it, you can consult the details in the following link.