CVE-2010-3904: Linux RDS Protocol Local Privilege Escalation

Timeline :

Vulnerability discovered by Dan Rosenberg
Vulnerability disclosed to the vendor on 2010-10-13
Coordinated vulnerability disclosure on 2010-10-19

PoC provided by :

Dan Rosenberg

Reference(s) :

CVE-2010-3904

Affected version(s) :

Kernel Linux 2.6.30 to 2.6.36-rc8

Tested on Ubuntu 10.04

Description :

On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because the kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.
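The following script is an added defender-side check, not part of the original advisory or its PoC: it decides whether a running kernel falls inside the affected range stated above (2.6.30 through 2.6.36-rc8, treating a final release as newer than any of its release candidates) and reports whether the rds kernel module is loaded. The modprobe blacklist line `install rds /bin/true` and the path /etc/modprobe.d/disable-rds.conf are assumed mitigation details, not taken from the advisory.

```shell
#!/bin/sh
# Added defender-side check for CVE-2010-3904; not part of the original advisory.
# Affected range per the advisory: Linux 2.6.30 through 2.6.36-rc8.

# Turn "2.6.36-rc8" into the key "2 6 36 8". A final release (no -rcN) gets
# rc=9999 so that it sorts after every release candidate of the same version.
version_key() {
    base="${1%%-*}"
    rc=9999
    case "$1" in
        *-rc*) rc="${1##*-rc}"; rc="${rc%%[!0-9]*}" ;;
    esac
    IFS=. read -r a b c rest <<EOF
$base
EOF
    printf '%d %d %d %d\n' "${a:-0}" "${b:-0}" "${c:-0}" "${rc:-0}"
}

# True when key $1 <= key $2, comparing the four numbers left to right.
version_le() {
    set -- $1 $2          # $1..$4 = left key, $5..$8 = right key
    i=0
    while [ "$i" -lt 4 ]; do
        [ "$1" -lt "$5" ] && return 0
        [ "$1" -gt "$5" ] && return 1
        shift; i=$((i + 1))
    done
    return 0
}

# True when kernel release $1 (uname -r style, e.g. 2.6.32-24-generic) lies
# within the affected range.
kernel_is_affected() {
    k=$(version_key "$1")
    version_le "$(version_key 2.6.30)" "$k" && version_le "$k" "$(version_key 2.6.36-rc8)"
}

# Inspect the running host: kernel range, rds module state, blacklist state.
check_host() {
    running=$(uname -r)
    if ! kernel_is_affected "$running"; then
        echo "kernel $running is outside the affected range"; return 0
    fi
    echo "kernel $running is in the affected range"
    lsmod 2>/dev/null | grep -q '^rds ' && echo "rds module is currently loaded"
    if grep -qs 'install rds /bin/true' /etc/modprobe.d/*.conf; then   # assumed path
        echo "rds is already blacklisted via modprobe"
    else
        echo "mitigation: echo 'install rds /bin/true' > /etc/modprobe.d/disable-rds.conf"
    fi
}
```

Run `check_host` on the host under review; the version helpers can also be reused to triage a fleet from collected `uname -r` output.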

Demonstration :