
The Stack Clash vulnerability allows gaining root privileges in Linux and other operating systems



Image: finnsland, CC BY-SA 2.0

A serious vulnerability has been discovered in the memory management mechanism of the Linux, OpenBSD, NetBSD, FreeBSD and Solaris operating systems. It allows privilege escalation to the superuser level and arbitrary code execution. The security issue is called Stack Clash.

What is the problem


The problem was discovered by information security researchers from Qualys. The vulnerability was first discovered in 2005, and a fix appeared at that time. However, in 2010, researchers found that the released patches did not completely block the possibility of exploitation. Linux developers re-released the patch, but it turned out that the protection can be circumvented.

The essence of the vulnerability is that when the stack and heap are placed next to each other, and the heap grows upward while the stack grows downward, the contents of an overflowing heap may end up in the stack area or, conversely, the stack can overwrite the heap area. To prevent such situations, Linux and other operating systems use the stack guard-page protection technique.

In the course of the study, the experts identified multiple vulnerabilities in the implementation of the guard-page and identified three possible types of attacks:


The researchers have prepared a set of PoC exploits for various operating systems. Exploiting the described security problem requires local access to the computer, but the experts do not rule out the possibility of remote exploitation, for example, via HTTP requests or JavaScript.

How to protect


According to the researchers' report, they notified the developers of the vulnerable operating systems about the problems in advance. Patches to close the vulnerability are currently being developed. Red Hat has already published a security bulletin; however, the protection methods described in it may adversely affect system performance. The developers promise to fix this problem later.

According to the researchers, they checked for problems in the FreeBSD, NetBSD, OpenBSD, Solaris operating systems, as well as the popular Linux distributions of Red Hat, SuSE, Debian, and Ubuntu. Users are advised to check for updates for their distribution. At the moment, it is unclear whether the mobile Android OS is vulnerable.

As a temporary measure until a patch is released for a specific OS, its users can lower the default values of the RLIMIT_STACK and RLIMIT_AS limits for local accounts and remote services. However, this method does not provide complete protection: values that are too low will prevent many trusted applications from working, while moderate values still leave a number of attacks possible (for example, a Stack Clash attack on Sudo).
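To check whether a lowered RLIMIT_STACK and RLIMIT_AS actually apply to a running service, its `/proc/<pid>/limits` file can be audited. The following is an added example, not code from the article or from the researchers; the sample text and the ceiling values are constructed for illustration, since the article recommends no specific numbers.

```python
import re

# Constructed sample in the layout of /proc/<pid>/limits (not from a real host).
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max stack size            8388608              unlimited            bytes
Max open files            1024                 4096                 files
Max address space         unlimited            unlimited            bytes
"""

# Row name, two or more spaces, then the soft and hard columns.
ROW = re.compile(r"^(Max .+?)\s{2,}(\S+)\s+(\S+)")
WATCHED = {"Max stack size": "RLIMIT_STACK", "Max address space": "RLIMIT_AS"}

# Illustrative ceilings in bytes (assumption; tune per service).
CEILINGS = {"RLIMIT_STACK": 8 * 1024 * 1024, "RLIMIT_AS": 4 * 1024**3}


def parse_limits(text):
    """Return {row name: (soft, hard)}; 'unlimited' is represented as None."""
    out = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            soft, hard = (None if v == "unlimited" else int(v)
                          for v in m.groups()[1:])
            out[m.group(1)] = (soft, hard)
    return out


def audit(text, ceilings):
    """List (rlimit, 'soft'|'hard', value) entries that are unlimited or above
    the ceiling. An unlimited hard limit is reported too, because it lets the
    process raise its own soft limit again. A missing row counts as unlimited."""
    limits = parse_limits(text)
    findings = []
    for row, name in WATCHED.items():
        soft, hard = limits.get(row, (None, None))
        for which, value in (("soft", soft), ("hard", hard)):
            if value is None or value > ceilings[name]:
                findings.append((name, which, value))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LIMITS, CEILINGS):
        print(finding)
```

On a live system, pass the contents of `/proc/<pid>/limits` for the service's process instead of the sample string.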

Source: https://habr.com/ru/post/331300/

