Serious privilege escalation bug in Unix imperils servers everywhere
A raft of Unix-based operating systems—including Linux, OpenBSD, and FreeBSD—contain flaws that let attackers elevate low-level access on a vulnerable computer to unfettered root. Security experts are advising administrators to install patches or take other protective actions as soon as possible.
Stack Clash, as the vulnerability is being called, is most likely to be chained to other vulnerabilities to make them more effectively execute malicious code, researchers from Qualys, the security firm that discovered the bugs, said in a blog post published Monday. Such local privilege escalation vulnerabilities can also pose a serious threat to server host providers because one customer can exploit the flaw to gain control over other customer processes running on the same server. Qualys said it is also possible that Stack Clash could be exploited in a way that allows it to remotely execute code directly.
This is a fairly straightforward way to get root after you have already gotten some sort of user-level access, Jimmy Graham, director of product management at Qualys, told Ars. The attack works by causing a region of computer memory known as the stack to collide into separate memory regions that store unrelated code or data. The concept is not new, but this specific exploit is definitely new.
Developers of affected OSes are in the process of releasing patches now. An advisory published Monday morning by Linux distributor Red Hat said the mitigations may cause performance issues in the form of overlapping values in /proc/meminfo, but they are not likely to affect normal operations. Developers may release a fix for these problems later.
A Qualys representative told Ars that company researchers worked with developers of FreeBSD, NetBSD, OpenBSD, Solaris, and the main Linux distributions including Red Hat and SuSE, Debian, and Ubuntu. The representative said company researchers did not research Microsoft or Apple products, but that they did contact both companies beforehand so they could investigate. The effect the vulnerability may have on Googles Android mobile OS is not clear.
The OS stack is a dynamic chunk of memory that grows and shrinks depending on the applications and functions that run at a given moment. If the stack expands too much, it may get close enough to other memory regions to let attackers overwrite the stack with a nearby region or vice versa. Stack Clash got its name because the first step in an exploit is bumping the stack into another chunk of memory. Not closed after all
Stack Clash vulnerabilities have slowly gained widespread awareness, first in 2005 with the findings of security researcher Gaël Delalleau and five years later with the release of a Linux vulnerability by researcher Rafal Wojtczuk. Linux developers introduced a protection that was intended to prevent stack clashes, but todays research demonstrates that it is relatively easy for attackers to bypass that measure.
The primary proof-of-concept attack developed by Qualys exploits a vulnerability indexed as CVE-2017-1000364. Qualys researchers also developed attacks that use Stack Clash to exploit separate vulnerabilities, including CVE-2017-1000365 and CVE-2017-1000367. For example, when combined with CVE-2017-1000367, a recently fixed flaw in Sudo also discovered by Qualys, local users can exploit Sudo to obtain full root privileges on a much wider range of OSes. Qualys has so far been unable to make the exploits remotely execute code. The sole remote application they investigated was the Exim mail server, which coincidentally turned out to be unexploitable. Qualys said it can not rule out the possibility that such remote code-execution exploits exist. Qualys said it will release the proof-of-concept exploits at a later date, once people have had time to protect against the vulnerabilities.
Anyone running a Unix-based OS should check with the developer immediately to find out if a patch or security advisory is available. The best bet is to install a patch if one is available or, as a temporary workaround, set the hard RLIMIT STACK and RLIMIT_AS of local users and remote services to a low value. Much more information is available in this detailed technical advisory from Qualys and this technical analysis from grsecurity.