Tuesday, December 21, 2010

Linux ACPI custom_method Privilege Escalation

This past November 13th, a fix was committed to the Linux kernel. For some reason I cannot understand, /sys/kernel/debug/acpi/custom_method was world-writable, allowing any user to inject custom ACPI methods into the ACPI interpreter tables.

As the Red Hat bug report explains, it was introduced in this commit (Linux 2.6.33):

cm_dentry = debugfs_create_file("custom_method", S_IWUGO,
                    acpi_dir, NULL, &cm_fops);
S_IWUGO is a macro that grants world-writable permissions:
#define S_IWUGO         (S_IWUSR|S_IWGRP|S_IWOTH)

The fix changes the permissions to S_IWUSR, a macro that grants write access only to the owner (root).

An exploit already exists for this vulnerability.
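
As an added example (not from the original post or the kernel tree), here is a small userspace audit that walks a directory tree such as a debugfs mount and reports regular files with the S_IWOTH bit set, which is the bit S_IWUGO grants and S_IWUSR does not. The function name audit_tree and the default path are choices made for this example.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Recursively count regular files under root that are writable by "other"
 * (S_IWOTH), the bit that made custom_method world-writable.
 * Symlinks are not followed. Returns -1 if root cannot be opened. */
int audit_tree(const char *root)
{
    DIR *d = opendir(root);
    struct dirent *e;
    int found = 0;

    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        struct stat sb;

        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        snprintf(path, sizeof path, "%s/%s", root, e->d_name);
        if (lstat(path, &sb) != 0)
            continue;                     /* entry vanished or is unreadable */
        if (S_ISDIR(sb.st_mode)) {
            int sub = audit_tree(path);   /* unreadable subdirs are skipped */
            if (sub > 0)
                found += sub;
        } else if (S_ISREG(sb.st_mode) && (sb.st_mode & S_IWOTH)) {
            printf("world-writable: %s (mode %04o)\n", path,
                   (unsigned)(sb.st_mode & 07777));
            found++;
        }
    }
    closedir(d);
    return found;
}

int main(int argc, char **argv)
{
    /* Default path is an assumption: the usual debugfs mount point. */
    const char *root = argc > 1 ? argv[1] : "/sys/kernel/debug";
    int n = audit_tree(root);

    if (n < 0) { perror(root); return 2; }
    return n ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Run it as root so the whole debugfs tree is readable; a non-zero count means some entry is writable by every local user.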
