BID:22823

Linux Kernel Sys_Tee Local Privilege Escalation Vulnerability

Info

Linux Kernel Sys_Tee Local Privilege Escalation Vulnerability

Bugtraq ID:	22823
Class:	Race Condition Error
CVE:
Remote:	No
Local:	Yes
Published:	Mar 05 2007 12:00AM
Updated:	Mar 05 2007 10:56PM
Credit:	Michael Kerrisk reported this issue to the vendor.
Vulnerable:	Linux kernel 2.6.17 .6 Linux kernel 2.6.17 .5 Linux kernel 2.6.17 .4 Linux kernel 2.6.17 .3 Linux kernel 2.6.17 .2 Linux kernel 2.6.17 .1 Linux kernel 2.6.17

Not Vulnerable:	Linux kernel 2.6.17 .7

Discussion

Linux Kernel Sys_Tee Local Privilege Escalation Vulnerability

The Linux kernel is prone to a local privilege-escalation vulnerability.

Exploiting this issue allows local attackers to gain superuser privileges, facilitating the complete compromise of affected computers.

Exploit / POC

Linux Kernel Sys_Tee Local Privilege Escalation Vulnerability

The following exploit is available:

/data/vulnerabilities/exploits/22823.tgz

Solution / Fix

Linux Kernel Sys_Tee Local Privilege Escalation Vulnerability

Solution:
The vendor has released Linux kernel version 2.6.17.7 to address this issue. Please see the references for more information.

Linux kernel 2.6.17

Linux linux-2.6.17.7.tar.bz2
http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2

Linux kernel 2.6.17 .1

Linux linux-2.6.17.7.tar.bz2
http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2

Linux kernel 2.6.17 .3

Linux linux-2.6.17.7.tar.bz2
http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2

Linux kernel 2.6.17 .6

Linux linux-2.6.17.7.tar.bz2
http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2

Linux kernel 2.6.17 .2

Linux linux-2.6.17.7.tar.bz2
http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2

Linux kernel 2.6.17 .4

Linux linux-2.6.17.7.tar.bz2
http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2

Linux kernel 2.6.17 .5

Linux linux-2.6.17.7.tar.bz2
http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2

References

Linux Kernel Sys_Tee Local Privilege Escalation Vulnerability

References:

[Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed (Brad Spengler)
[PATCH] splice: fix problems with sys_tee() (Linux Kernel)
Linux 2.6.17.7 ChangeLog (Linux Kernel)
Linux Kernel Homepage (Linux)
Re: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently f (Michal Zalewski )
splice/tee bugs? (Michael Kerrisk)