Is Red Hat Enterprise Linux vulnerable to the /proc privilege escalation (CVE-2006-3626) exploit?
CVE-2006-3626 describes a race condition in Linux kernel 2.6.18-rc1 (including 2.6.17.4 and 2.6.16.24) and earlier that allows local users to gain root privileges. It is possible to change the mode of /proc/self/environ to 4755 (setuid) and to place a small a.out binary in it. After that, prctl() with PR_SET_DUMPABLE can be used to flip the owner and group of that file to root:root, which lets the user obtain a root shell. A working exploit was posted to Full Disclosure on July 14, 2006 [1].
For this exploit to work, the running Linux kernel must support the a.out ("assembler output") binary format. a.out was replaced by ELF (Executable and Linkable Format) starting in 1995, and every modern Linux distribution ships ELF-only binaries.
This issue does not affect Red Hat Enterprise Linux 2.1 or 3 as they are based on 2.4 kernels which are not vulnerable to this issue.
Red Hat Enterprise Linux 4 is based on the Linux kernel 2.6.9. The race condition exists there as well, but the a.out format is not enabled: the kernel option CONFIG_BINFMT_AOUT is set to "n". Since the a.out format is not available, the posted exploit does not succeed; it fails with the message "failed: Exec format error", which indicates the missing a.out support in the Red Hat Enterprise Linux 4 kernel. As of July 17, 2006, Red Hat is not aware of any way to exploit this vulnerability when a.out support is not enabled.
One key step of this exploit is changing the mode of a /proc file to an arbitrary value, including the setuid bit. On a Red Hat Enterprise Linux 4 installation with SELinux in enforcing mode this change is not allowed: the targeted policy prevents it, and enforcing mode with the targeted policy is what a default installation uses. In that case the exploit never succeeds and fails with a "failed: Permission denied" error.
Red Hat recommends that SELinux be activated; it effectively protects systems against this exploit. The current SELinux status can be checked with "getenforce" and changed through "system-config-securitylevel" [2].
Attempts to run this exploit on Red Hat Enterprise Linux 4 with SELinux in enforcing mode fail and are logged through the audit subsystem. The system log files will show messages like this:
audit(1152957171.464:5): avc: denied { setattr } for pid=6291 comm="h00ly" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
The setattr permission covers changing the mode (and other attributes) of a file or directory; this message shows the exploit's attempt to change /proc/self/environ to setuid, which the targeted SELinux policy does not allow.
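As an added example (not part of the Red Hat article), the following POSIX shell function pulls such denials out of a log file. It assumes the message format shown above, as the 2.6 kernel AVC writes it to the system log, and it is run here against a few constructed sample lines rather than a real log.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: pick out SELinux AVC denials
# that look like the exploit's chmod of a /proc file (setattr, dev=proc).
# Assumes the audit line format shown in the article; values are treated
# as whitespace-separated key=value pairs, so a comm= value containing a
# space would be truncated.

# proc_setattr_denials LOGFILE
# Prints "pid comm name" for every AVC line that denies setattr on a file
# whose backing device is proc.  Exit status is that of awk (0 unless the
# file cannot be read).
proc_setattr_denials() {
    awk '
        /avc: +denied +[{] *setattr *[}]/ && / dev=proc( |$)/ {
            pid = ""; comm = ""; name = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^pid=/)  pid  = substr($i, 5)
                if ($i ~ /^comm=/) comm = substr($i, 6)
                if ($i ~ /^name=/) name = substr($i, 6)
            }
            gsub(/"/, "", comm)
            gsub(/"/, "", name)
            print pid, comm, name
        }' "$1"
}

# write_sample_log FILE
# Writes constructed sample lines: the first is modelled on the article's
# message, the middle two are unrelated denials the filter must skip, and
# the last is a second attempt by the same program.
write_sample_log() {
    cat > "$1" <<'EOF'
Jul 15 11:12:51 rhel4 kernel: audit(1152957171.464:5): avc: denied { setattr } for pid=6291 comm="h00ly" name="environ" dev=proc ino=412286986 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
Jul 15 11:13:02 rhel4 kernel: audit(1152957182.101:6): avc: denied { read } for pid=6300 comm="cat" name="shadow" dev=hda2 ino=12345 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shadow_t tclass=file
Jul 15 11:13:10 rhel4 kernel: audit(1152957190.337:7): avc: denied { setattr } for pid=6305 comm="chmod" name="motd" dev=hda2 ino=6789 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file
Jul 15 11:14:00 rhel4 kernel: audit(1152957240.512:8): avc: denied { setattr } for pid=6310 comm="h00ly" name="environ" dev=proc ino=412287001 scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=file
EOF
}

# Stand-alone run: scan a real log if a path is given, else the sample.
log=${1:-$(mktemp)}
[ -n "$1" ] || write_sample_log "$log"
proc_setattr_denials "$log"
[ -n "$1" ] || rm -f "$log"
```

Run it as `sh avc-proc-setattr.sh /var/log/messages` on a RHEL 4 host (or against /var/log/audit/audit.log if auditd is running). The filter keys on the combination of setattr and dev=proc rather than on the program name, since the exploit binary can be renamed at will; the two matching sample lines print as "6291 h00ly environ" and "6310 h00ly environ".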
In addition, another workaround for this problem is to mount the /proc file system with the nosuid option. The kernel ignores set-user-ID and set-group-ID bits on files from a nosuid mount, so the setuid a.out file the exploit creates would run with the user's own privileges even if the mode change succeeded. On a running system this can be done with the command "mount -o remount,nosuid /proc". To make this permanent, the mount options for /proc in /etc/fstab should be changed.
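The three conditions this article relies on (no a.out support, SELinux enforcing, /proc mounted nosuid) can be checked on a host with the following script, added here as an example and not part of the Red Hat article. It assumes the running kernel's configuration is installed at /boot/config-$(uname -r), as Red Hat kernel packages do, reads mount options from /proc/mounts, and uses getenforce for the SELinux state; the check functions take file paths so they can also be run against copies of those files.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: check whether a host has the
# conditions the article describes as stopping the CVE-2006-3626 exploit.
# Assumptions: the kernel config lives at /boot/config-$(uname -r), mount
# options come from /proc/mounts, and getenforce is on PATH when SELinux
# is compiled in.

# aout_available CONFIG_FILE
# Exit 0 if the config builds a.out support in (=y) or as a module (=m).
# =m counts as available: the kernel auto-loads binfmt-NNNN modules when
# execve meets an unknown format, so the exploit's a.out payload would
# still run.  =n (shown as "is not set") means there is nothing to load.
aout_available() {
    grep -Eq '^CONFIG_BINFMT_AOUT=(y|m)$' "$1"
}

# proc_nosuid MOUNTS_FILE
# Exit 0 if the filesystem mounted on /proc carries nosuid (field 4 of
# /proc/mounts is the comma-separated option list).
proc_nosuid() {
    awk '$2 == "/proc" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "nosuid") found = 1
         }
         END { exit !found }' "$1"
}

# selinux_enforcing [MODE]
# Exit 0 if MODE (default: the output of getenforce) is Enforcing.
selinux_enforcing() {
    mode=${1:-$(getenforce 2>/dev/null)}
    [ "$mode" = "Enforcing" ]
}

# report: run all three checks against the live host.  Each "ok" is one
# independent reason the article gives for the exploit failing.
report() {
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        if aout_available "$cfg"; then
            echo "a.out support: enabled (payload can execute)"
        else
            echo "a.out support: disabled -> ok (Exec format error)"
        fi
    else
        echo "a.out support: $cfg not readable, cannot tell"
    fi
    if proc_nosuid /proc/mounts; then
        echo "/proc nosuid: yes -> ok (setuid bit ignored)"
    else
        echo "/proc nosuid: no (mount -o remount,nosuid /proc)"
    fi
    if selinux_enforcing; then
        echo "SELinux: Enforcing -> ok (setattr on /proc denied)"
    else
        echo "SELinux: not enforcing (see getenforce)"
    fi
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run `sh cve-2006-3626-check.sh --report` as any user; the kernel config and /proc/mounts are world-readable on RHEL. The a.out check reads the build configuration rather than the running kernel, so it says what the installed kernel can do, not whether the running kernel is the one at /boot/config-$(uname -r); on a system that boots a locally built kernel, point the function at that kernel's .config instead.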
For more technical details, visit: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198973#c10
[1]http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
