
Privilege Escalation in Linux: Local Users Can Read Foreign Files

(Image: Tux by Larry Ewing/GIMP)

The vulnerability had been publicly known for years and was only patched on Thursday. Just hours after the kernel team had responded, an exploit was published. It is the fourth vulnerability in just a few days that allows local Linux users to escalate their privileges: a security researcher going by the name _SiCK has uploaded several proof-of-concept examples to GitHub that exploit a bug in Linux kernel memory management to win a race condition. The most powerful PoC, ssh-keysign-pwn, can steal the machine's private SSH host key, which is normally readable only by the root user. Other proof-of-concept exploits target "chage", which reads the password file /etc/shadow while it runs, and similar attacks are theoretically possible against any other setuid-root binary.

The bug lies deep in the Linux kernel's process management. The ptrace_may_access() function, which decides whether one process may inspect another, treats processes that are being terminated too permissively and does not restrict access to them. If the exploit wins the race condition, it can read files that the terminating process has already opened (such as /etc/shadow), even without the permissions that would normally be required. The vulnerability, which among other things exposes /etc/ssh/ssh_host_key, was identified by security firm Qualys and patched on Thursday afternoon by Torvalds, the Linux maintainer.

heise security News
