PaX VMA Mirroring Privilege Escalation Vulnerability
BID:12729
Info
| Bugtraq ID: | 12729 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Mar 05 2005 12:00AM |
| Updated: | Mar 05 2005 12:00AM |
| Credit: | This vulnerability was disclosed by <[email protected]>. |
| Vulnerable: | The PaX Team PaX linux 2.6.5, The PaX Team PaX linux 2.4.28, The PaX Team PaX linux 2.4.27, The PaX Team PaX linux 2.4.26, The PaX Team PaX linux 2.4.25, The PaX Team PaX linux 2.4.24, The PaX Team PaX linux 2.4.23, The PaX Team PaX linux 2.4.22, The PaX Team PaX linux 2.4.21, The PaX Team PaX linux 2.4.20, The PaX Team PaX linux 2.2.x |
| Not Vulnerable: | The PaX Team PaX linux 2.6.11, The PaX Team PaX linux 2.4.29, The PaX Team PaX linux 2.2.26 |
Discussion
It is reported that PaX contains a privilege escalation vulnerability.
Local unprivileged users may exploit this vulnerability to execute arbitrary code with the privileges of any targeted user. It is conjectured that remote attackers may also be able to exploit this vulnerability, but exploitability depends on the ability of an attacker to control the executable file mappings of a targeted application.
This issue is only exploitable if SEGMEXEC or RANDEXEC are enabled in the kernel configuration.
This vulnerability is reported to affect all versions of PaX since September, 2003, when VMA mirroring was introduced.
Exploit / POC
Local exploit code (paxomatic.c) has been released:
Solution / Fix
Solution:
The vendor has released patches to address this issue:
The PaX Team PaX linux 2.4.21
- The PaX Team pax-linux-2.4.29-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.4.29-200503050030.patch

The PaX Team PaX linux 2.4.24
- The PaX Team pax-linux-2.4.29-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.4.29-200503050030.patch

The PaX Team PaX linux 2.4.20
- The PaX Team pax-linux-2.4.29-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.4.29-200503050030.patch

The PaX Team PaX linux 2.4.28
- The PaX Team pax-linux-2.4.29-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.4.29-200503050030.patch

The PaX Team PaX linux 2.4.25
- The PaX Team pax-linux-2.4.29-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.4.29-200503050030.patch

The PaX Team PaX linux 2.2.x
- The PaX Team pax-linux-2.2.26-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.2.26-200503050030.patch

The PaX Team PaX linux 2.6.5
- The PaX Team pax-linux-2.6.11-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.6.11-200503050030.patch

The PaX Team PaX linux 2.4.27
- The PaX Team pax-linux-2.4.29-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.4.29-200503050030.patch

The PaX Team PaX linux 2.4.26
- The PaX Team pax-linux-2.4.29-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.4.29-200503050030.patch

The PaX Team PaX linux 2.4.23
- The PaX Team pax-linux-2.4.29-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.4.29-200503050030.patch

The PaX Team PaX linux 2.4.22
- The PaX Team pax-linux-2.4.29-200503050030.patch
  http://pax.grsecurity.net/pax-linux-2.4.29-200503050030.patch
References
References:
- PaX Homepage (The PaX Team)
- PaX privilege elevation security bug ([email protected])