linux, cve-2010-0415, practical linux security, vulnerability analysis

Linux, cve-2010-0415 -CW2, SY4S04-Practical Linux Security


of 2709001603 - Mamdoh Alzhrani – Glamorgan University–May 2010


ContentsASSESSMENT CRITERIA...................................................................................................4

Course Work Requirements - Full Time CW1...............Error! Bookmark not defined.

1. Introduction...........................................................................................................7

2. What is Linux?........................................................................................................8

2.1. Linux memory management..........................................................................8

2.2. Linux Numa memory.....................................................................................10

3. Move_pages function..........................................................................................12

3.1. The issue........................................................................................................12

3.2. The exploit function......................................................................................12

3.2.1. Analysing cve-2010-0415 codes............................................................13

3.2.1.1. Acquiring node values from user space............................................14

3.2.1.2. Initializing the acquired value...........................................................15

3.2.2. Analysing the exploit code....................................................................15

4. Cve-2010-0415 limitations..................................................................................20

4.1. Cve-2010-415 scale and scope......................................................................20

4.2. Affected Linux systems.................................................................................21

4.3. Cve-2010-0415 level of threat to Linux systems.........................................21

5. Exploit code delivery to the target system.........................................................21

6. Cve-2010-0415 mitigation...................................................................................23

7. Conclusion............................................................................................................24

8. Reference:............................................................................................................26

Appendix A:..................................................................................................................28

Table of figuresFigure 1: Arabian Linux distributed system....................................................................8Figure 2: SMP CPUs with memory.................................................................................9Figure 3: Numa local and remote memory access (Denneman, 2010).........................9Figure 4: Local and remote memory access (Kenneth et al., 2001).............................10Figure 5: Flow of instruction on a certain code execution (Daniel et al., 2005)..........11Figure 6: Fedora on VMware........................................................................................13Figure 7: The exploit code on YouTube........................................................................13Figure 8: The downloaded kernel source contain migrate.c.......................................13Figure 9: Cve-2010-0415 code.....................................................................................14Figure 10: Accommodating node values with get user................................................14



Figure 11: Check error before initiating the system call..............................................15Figure 12: The vulnerable code (Xorl, 2010)................................................................15Figure 13 (Xorl, 2010)...................................................................................................15Figure 14: The exploit start with the enlightenment code..........................................16Figure 15: Retrieving the size of the bitmap................................................................17Figure 16: Updating the value of our_base variable....................................................17Figure 17: Setting the base addresses of the node......................................................17Figure 18: Initializing move pages function.................................................................18Figure 19: The exploit trigger.......................................................................................18Figure 20: Leaking the memory values........................................................................19Figure 21: Array values.................................................................................................19Figure 22: First case of the array..................................................................................19Figure 23: Other cases..................................................................................................20Figure 24: Unprivileged user account on Fedora.........................................................22Figure 25: Delivering the exploit via a carrier..............................................................22Figure 26: Cve-2010-0415 patch (Kernel.org 2010).....................................................23Figure 27: Automated update......................................................................................23Figure 28: Fedora update.............................................................................................24Figure 29: Vulnerable machine with 64-bit architecture.............................................25



1. IntroductionTechnology nowadays evolves at a fast rate. Businesses, institutional organisations and almost all kinds of communication, trade and human interaction are now based on computers. Computers have many vendors, operating systems and hardware. Each type has its own features with both advantages and disadvantages. A recent member of the large family of Unix-like systems has implemented a relatively new technology that may change the way in which data and memory is managed on computers. This member is the Linux operating system and the technology is the Numa architecture. Numa is an abbreviation of ‘Non Uniform Memory Access’. It is a new Linux technology and currently only a few architectures support the Numa functionality (Lameter, 2006). The function started with the idea of speeding up memory performance on multiprocessor machines. Each CPU has its own area of memory called a ‘node’. These memory areas have been improved significantly throughout the years and Numa has been used in the few past years as a part of Linux kernels.

The kernel tries to handle low level operations that require privileged access via the kernel mode. A normal user has his own space and privileges, as introduced by Daniel et al. (2005), and this is in the portion of the machine memory space that is dedicated to running programmes and storing data. In some cases these stored data can cause delay in memory access time in the Numa node system, as nodes can be filled or allocated in the wrong node; thus, part of the data has to be moved or migrated to another node. “The kernel itself does only provide manual page migration support. Automatic page migration may be implemented through user space processes that move pages. A special function call ‘move_pages’ allows the moving of individual pages within a process” (Lameter, 2006).

The special function move_pages is used with the Numa system in certain Linux libraries. The function has a node parameter specified to the node to which the pages must be moved. The node values, however, can cause problems due to a lack of validation. An attacker can use negative or large values to launch a denial of service attack and lose the availability. In addition, an attacker can force the kernel to move the pages manually to a zone of memory which can be read by the attacker, causing sensitive information leakage from the kernel memory process. Also, an attacker can cause a kernel bug which is known as [oops] and read the dump of the memory addresses and values (SECURITYTRACKER, 2010). Daniel et al. (2005) state that “The dumped values can be used by kernel hackers to reconstruct the conditions that triggered the bug, and thus find and correct it”.

This report will explain Linux systems and Numa technology and give details about other architecture functions and memory management in systems that support Numa. In addition, the author will analyse a recent vulnerability related to the Numa system with the reference cve-2010-0415. The analysis will provide a deep explanation of the vulnerable code and a recent exploit were released related to the vulnerability. Last but not least, the report will scale the affected systems and show the scope of the vulnerability, specifying the level of threat to Linux. Finally, the



report will show more than one way to deliver the exploit code to the target system, together with ways of mitigating such an attack.

2. What is Linux?Linux is an open source operating system which was initially proposed by Linus Torvalds in 1991 to a newsgroup. The reaction of the open source project was positive as it could develop the existing kernel code. The operating system was introduced under a license that allowed free editing and redistribution [GENERAL PUBLIC LICENSE GNU GPL]. The free licence resulted in an amazing trend; groups and developers started editing and generating new codes and patching existed ones. Step by step, the number of people who worked on Linux grew rapidly, and systems were established to differentiate new codes. The new codes were distributed in separated systems. As the kernel is the fundamental part of Linux, but not the whole system, many developers have to include much more than just the kernel itself, such as GNU utilities which gave us the variety of Linux distributed systems we see today (Justin et al., 2006).

These distributed systems are multiuser, multitask and multiplatform operating systems that use a complete set of packages built around the original kernel. Many vendors have produced complete Linux operating systems. The most important ones are Redhat, Caldera, Suse, Slackware, Debian, Ubuntu and a recent Arabic version called Arabian Linux, as shown in the figure below. Notably, each version of Linux has to be made on another previous one; for example, the Arabian was developed based on Debian and Ubuntu (Justin et al., 2006).

Figure 1: Arabian Linux distributed system

There are various kernel versions and each version contains specific features. Such features involve software changes to make the best use of the abilities of the hardware; hence, updates on these features are released constantly. Having said that, an operating system has to comply with hardware, where memory and processor architecture exist as described in the next sections.

2.1. Linux memory management



In traditional systems, processors interact with software by connecting them to the located memory using a variety of techniques. We are concerned with a recent implemented architecture called Numa, but before we consider it we need to identify the most common one, which is Symmetric Multiprocessing (SMP) infrastructure. The simplest way to explain it is to say that all processors will be connected to the memory equally. Once these connections take place at the same time, with fast and large scale processors, the situation will be like a bottleneck of traffic. Communication will pass through the same memory shared bus that will become congested, as the next figure shows (Luck, 2008). This issue related to the SMP denies machines with a high number of processors from implementing such mechanism by implementing only one memory on a shared controller to all processors on the machine. Thus, another more facilitating architecture called Non uniform Memory Access – Numa - can be implemented to provide more than one memory with multiple nodes, processes and controllers on the same machine (Kleen, 2005).

Figure 2: SMP CPUs with memory

Numa technology differs from SMP in that it limits the amount of CPUs on the memory bus and splits up the memory subsystem for each processor, which decreases the access time to the memory and takes the least latency rate among other technologies to allocate each processor with both local and remote memory. The local one, however, is obviously faster than the remote one because it is located in the same node and connected by an intersocket connection, where a node is defined as “a region of memory in which every byte has the same distance from each CPU”, as the next figure shows (SOURCEFORGE.NET, 2005). In theory, Numa hardware has to be supported by both the operating system and the application. Applications can function with Numa by ignoring the local and remote memory as best performance acts.

Figure 3: Numa local and remote memory access (Denneman, 2010)


http://frankdenneman.nl/wp-content/uploads/2010/02/NUMA-local-remote-access.png


Most modern CPUs are based on Numa technology; for example, Intel Nehalem, Core™ i7 processor and AMD Opteron all support Numa, where the operating system software (as mentioned earlier) have to be Numa aware so they can allocate the memory properly. For some operating systems, Windows being an example, both 64bit and 32bit architecture by default is configured to support Numa, while 32bit in other systems, such as Linux, either does not support Numa or needs to be configured manually. Windows has supported Numa in different systems starting from Windows 2003. Similarly, Linux has supported Numa with kernel 2.6 and later, as we shall see in more detail in the next sections (Henry, 2010).

2.2. Linux Numa memoryIn kernels earlier than 2.6 there were many enhancements in supporting Numa applications on Numa hardware. The improvements were patches that provided macros and data structure that enabled the end user to control the application memory with different APIs that were used to improve the performance of the usability of Linux on Numa hardware. These patches and improvements were updated in kernel 2.6 to become a separated library that allowed full control of locating a specific processor in a specific local or remote memory node. This resulted in jeopardising the local machine by knowing the places of the assigned tasks, as in cve-2010-0415. It is assumed that it will benefit programmers in benchmarking situations and providing best performance by lightening workloads on nodes (Gaughen, 2010).

Although Numa supports x64 architecture, in some cases, such as prior to kernel 2.6, performance improvements may be reduced significantly if the code is not designed specifically to exploit the numa structure, or the performance rate can be reduced heavily between local to remote memory, as seen in the next figure. The library Libnuma provides “a simple programming interface to the NUMA” (Kleen, 2004), whereas there is more than one API that can handle applications and memory management of Numa systems. A typical request from an API or application requires that we know from which place to which node we will allocate the memory. The memory policy will decide where and how, but by default allocation of the memory will be to the nearest local memory, which is the main goal of Numa to reduce the latency with the possibility of querying the same page of memory repeatedly from the controlling task that has asked for allocation of the memory in the first place (Lameter, 2006).

Figure 4: Local and remote memory access (Kenneth et al., 2001)

2.2.1. System calls allocations



The process of allocating the memory takes place through system calls that are made to achieve the functionality of the specified call through the process/kernel model. The Linux kernel has two levels of permission and each one has its own privileges. The first, which is the user mode, is used with less control of system calls and handling requests from the software; whereas the second privileged one, which is the kernel mode, is used by the process to switch the mode from user to kernel mode to execute the sequence of the operation for the specified call. The hardware, after finishing the system call and completing the task, returns the control mode to the user to continue the flow of instructions if everything flows with no errors, as the next figure shows. Allocation of the memory based on the system call is stored on the disk by moving the memory page from the node to the hard disk. The process of moving the pages also extends to include migrating the pages from local memory node to remote node in Numa systems, as the need may arise to be more efficient in improving the system performance (Daniel et al., 2005).

Figure 5: Flow of instruction on a certain code execution (Daniel et al., 2005)

All connections made to a memory page while moving the page need to be tracked so once it is moved the references will also be moved. The previous techniques were introduced in a recent version of Linux kernel [2.6.16]. The technique was successful due to the fact that it migrated memory pages to the target node with no dependency on the memory policy, which can surprisingly cause potential risks through certain system calls that may query the node to result in disclosure of sensitive information related to the memory allocation addresses (Lameter, 2006). Linux kernel has implemented many system calls that perform the page moving “get_mempolicy (2), mbind (2), migrate_pages (2), move_pages (2), and set_mempolicy (2)” (KERNEL.ORG, 2008). In this report we will consider the move_pages system calls that function in Numa architecture to transfer memory pages between local nodes in Linux systems, as we shall see in the next sections.



3. Move_pages function It has been said that page migration provides substantially better performance than other methods that involve moving static pages to memory locations. Linux kernel initiates the system call from the numactl package, which is the main package that provides the header of the Numa functions, with a variety of parameters, specified as follows (Ben et al., 1996): #include <numaif.h> long move_pages(int pid, unsigned long count, void **pages, const int *nodes, int *status, int flags);

The move_pages is the system call that moves the assigned pages from the process that is known by the PID number to the specified nodes. After moving the pages from the process to the node, the result will be present in the value of the status on the condition that the process was successful with no errors, where the flags value will set certain constraints. In a typical environment, if the PID value is zero then the system call will move the pages which are an array of pointers pointing to the edges of the pages that are being moved. In order to move the pages, we need to know the exact place of the node. The nodes value can be set to Null to return by default the locations of each node. In addition, the previous operations must be privileged to be executed by the [CAP_SYS_NICE]. The flags and the possible errors that might emerge from the call are explained on the source of the kernel code Kernel.org (KERNEL.ORG, 2008).

3.1. The issueThe nature of the previous system call allows local users to use the system call specifying the nodes value to anything where the system call does not validate the value which can enable local users to read arbitrary kernel memory locations and cause “a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set” (CVE, 2010). The lack of validation allows potential exploitation through the nodes value, as will be shown in the next sections.

3.2. The exploit functionOn 07-02-2010 a security response was released to the vulnerability reported by Ramon de C. Valle that was discovered on September 2009 and referenced by CVE as cve-2010-0415. The vulnerability resides in “The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7” (CVE, 2010). It was caused by a lack of validation on the node values which, as mentioned earlier, can cause disclosure of sensitive data that may be used to extract a memory address and developed to cause a DoS attack on Numa hardware that runs Linux kernel prior to 2.6.33-rc7. It is also possible that it may have an unspecified impact by specifying a node that was not included in the kernel's node set. The vulnerability is exploitable with local users only, requiring physical access or a local shell run remotely. So, after understanding how the vulnerable function works in the previous section, and from the knowledge gained regarding Numa architecture, we can now examine how to exploit the move_pages system call. In order to practically exploit this vulnerability



we need to examine the vulnerable software, which is the migrate.c. For this we can download Fedora 12 with version 2.6.31 kernel on Windows 7 with 32-bit.

Figure 6: Fedora on VMware

Unfortunately, the migrate.c does not appear on a fedora machine without Numa hardware. Moreover, after investigating the issue the file CONFIG_MIGRATION that contains the move_pages system call is not included in the virtual kernel version, or the Numa libraries that support the migration between processes and nodes. Evidence is derived from the grsecurity.net security portal developer Brad Spengler, who has released a video and a file exploiting cve-2010-0415 on a 64-bit structure. There is an indication that this vulnerability is not exploitable on 32-bit systems.

Figure 7: The exploit code on YouTube

For this report we will follow an approach describing the source flies of the exploit created by Brad Spengler and the vulnerability file in migrate.c, as the following sections shows.

3.2.1. Analysing cve-2010-0415 codesHere we will present the migrate.c that was among the kernel source files that were downloaded from kernel.org. We can show the part that contains the move_pages function on the file as follows:

Figure 8: The downloaded kernel source contain migrate.c



From the previous snap we can see the first part move_pages function in the migrate.c. The function here, as described by the vendors, will move the list of pages from an address that is already specified to a new target node. The second part is the flags, which decide what kind of pages to move. If successful the function returns zero, otherwise it returns an error. As seen in the previous figure, the statement sets the error result in case the flags matched the kernel response. The first flag is “MPOL_MF_MOVE means that only page that are in exclusive use by the process are to be moved” (KERNEL.ORG, 2008).

The other MPOL_MF_MOVE_ALL move shares pages between processes with privilege access CAP_SYS_NICE. As seen in the IF statement, if the –EINVAL returns as a result, then it means “The file system does not provide a migration function and has no ability to write back pages” (KERNEL.ORG, 2008). The next statement contains an IF also with a returned result of –EOERM with the second flag, which means there are no sufficient privileges or the process belongs to another user (KERNEL.ORG, 2008). In addition to the above, a blogger posted an explanation to the function towards the following code:

Figure 9: Cve-2010-0415 code

The blogger, namely xorl, has said that the above code functions as a pointer to the system call, and unless the node value is set to zero it will execute the system call move_pages.

3.2.1.1. Acquiring node values from user spaceThe value, which as mentioned causes the issue of a lack of validation, is in the next code. The code starts getting values from the user space when applications can accommodate data in user mode.

Figure 10: Accommodating node values with get user



One can see the start of the code by moving a chunk of memory data to the target node. The node values are collected by the get_user() function, as is obvious in the blue writing /* from the user-space*/. Daniel et al. (2005) describe the get user function, stating it “can be used to read 1, 2, or 4 consecutive bytes from an address”. The address is located in the process address space.

The value is used later as xorl describe: “it’s using it later on without performing any range checks” (XORL, 2010). The following figure shows initiating of the system call unless the node is either ENODEV or EACCES, which respectively means either the target node does not exist or the target node is not allowed by the cpuset (KERNEL.ORG, 2008).

Figure 11: Check error before initiating the system call

3.2.1.2. Initializing the acquired valueThe vulnerability that causes the issue is extended from the previous section to this area. We can argue that by identifying the code in this area we can discover the problem and either solve it or exploit it. The blogger xorl has demonstrated the initiation of the vulnerable code without validating the entered values from the user space, as follows:

Figure 12: The vulnerable code (Xorl, 2010)

From the idea that the user can ask for any value for the node, the vulnerability that can cause potential damage emerges. The following code shows how Eugene Teo has described cve-2010-0415 “The node_isset and node_state functions just map to test_bit, which has no limiter in the normal implementations” (Bugzilla, 2010). [test_bit] will return the bits of the node address as the following code shows (Daniel et al., 2005):

Figure 13 (Xorl, 2010)

As the previous figure shows, “This will lead to initializing the ‘pm[]‘ page’s node value with an arbitrary one” (Xorl, 2010). Now that we have seen the functions of the system called move_pages and demonstrated the associated vulnerable functionality, the logical move is to go deeper and explore the lack of validation of the node values that can be exploited.

3.2.2. Analysing the exploit code



In order to exploit cve-2010-0415 we need to use the move_pages on a vulnerable system that runs x64 architecture with Numa hardware technology. Linux kernel implements a four level memory that functions with any x64 hardware (Daniel et al., 2005). Since the vulnerability resides in the way the system call moves certain memory pages from a process to a target node, we need to identify the PID of the process. Afterwards we can begin exploiting the move_pages by forcing the kernel to move the specified page to an already known node where we can read the addresses or move it beyond the limits of the available addresses on the memory to cause an access valuation, causing kernel oops.

The following code works on an x64 system. The exploit is created by Brad Spengler “which is named ‘exp_sieve.c’” (xorl, 2010). The exploit should check firstly if the target system is vulnerable or not. Then it will start performing the move_pages function. Although the next code is the last part of the actual written code, it is brought as the first to demonstrate the logical flow of the exploit. At the start the coder writes the preparing part, which sets up the following exploit:

Figure 14: The exploit start with the enlightenment code

The coder here uses a framework called enlightenment to call back system calls that get the total high pages: node stat and node online help, “which contains the ‘N_ONLINE’ value” (xorl, 2010). The goal of this code is to get the addresses from the kernel to find whether the nodes are online or not through the called functions. The malloc function will allocate four Kbytes with the assigned value [4096]. The following code will retrieve the size of the bitmap, as stated by xorl 2010:



Figure 15: Retrieving the size of the bitmap

The exploit author retrieves the values by using an array of nodes valued from 0 to 511 with move_pages. The ‘if statement’ tries to check whether there were any errors to output the errors message. If there were no errors then it will output the maxnumenode value. The following code will update the value of our_base with the previous acquired values:

Figure 16: Updating the value of our_base variable

The code starts with the node_state value being anything but zero. Then it updates and calculates the value of our_base depending on the previous addresses and values, or exits the function with an assumption that the target does not support the cve-2010-0415. At this stage the preparation ends and the following are the execution parts, where the trigger starts from setting the base addresses of the node as follows:

Figure 17: Setting the base addresses of the node



As is obvious, the code initiates an integer ‘i’ with our already calculated value of our_base and min and max values to do a mathematical calculation to calculate the node values that will be used in the next part.

Figure 18: Initializing move pages function

As explained earlier, the nodes are an array. The code initializes this array to start the exploitation by the move_pages with PID equals to zero and if there were no errors in passing the calculated node value, it will return the updated value in success. The following code, as stated by Spengler, is the trigger code that will put things together:

Figure 19: The exploit trigger

This part seems to be part of the framework made by Spengler. It is obvious in this figure that the code reads the user input by ‘fgets’ by ‘while’ function with three cases as a loop, where the fist case in the previous figure with zero as an input will "Dump via symbol/address with length"(xorl, 2010). The next code will process the input to result in a valid or invalid address as follows:



Figure 20: Leaking the memory values

The framework will call get_kernel_sym() to regain the symbol or the address. After that it requests in addr2 the length of bytes that the user wants to leak and updates the value. The leak part uses a loop process and printf provides the results. The next case in the code presents the user choosing the value 1. The following figure shows the purpose of it:

Figure 21: Array values

The code of case 1 is as follows:

Figure 22: First case of the array

The code starts by stating the address and an if statement that goes between x64 and 32-bit architectures. After the endif, the code will check if the address is on the boundary of the kernel space range. The function sets our base + 0x10000000, which is translated as the maximum value of 256MG above and below, as Spengler explains in the exploit code: “on 64bit, this gives us a 256MB range above and below our base to grab memory” (Spengler, 2010). The output will be written in kernel.bin by fopen



function. After checking the range of the bites, the function will close and break the loop, as case ’2’ indicates in the following figure:

Figure 23: Other cases

4. Cve-2010-0415 limitations Although the vulnerability CVE-2010-0415 has a critical affect on vulnerable machines, it has some limitations that can reduce the chance of attacks based on it occurring. The following sections will provide detailed information about how it can affect a machine and how serious it is.

4.1. Cve-2010-415 scale and scope The vulnerability expert Ramon de Carvalho Valle describes the issue in the sys_move_pages system call, as confirmed by many vendors of Linux systems, as a limited vulnerability that affects and can cause local damages only. The vulnerability mostly affects any Linux kernel lower than 2.6.33, according to the original kernel website. In addition, Red hat developers have announced that kernel versions affected are those between 2.6.18 and 2.6.33. In addition, almost all versions of Debian have been affected and they have issued updates based on the risks posed by the vulnerability, as mentioned in ADVISORY (2010). OpenSuse vendors have published on their mailing list an advisory with urgent updates that fixe this vulnerability and limits its affect on their systems. Fedora have addressed the issue by releasing an update that handles “memory allocation, process allocation, device input and output” (Fedora, 2010). Ubuntu has also tackled the vulnerability with a security update to fix all of the affected versions. From the examples of all these vendors one can see that the scale of the vulnerability is relatively limited to certain versions of Linux kernels.

The scope of this vulnerability is limited to local users on any core Linux system that operates kernel 2.6.32 and prior. To be more specific, CVE described in 2010 the vulnerability as “do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values”. Thus, it is a local vulnerability. According to developers and security advisories, users can exploit this weakness to cause a denial of service (DoS attack) or gain vital information to access sensitive kernel memory addresses that use the system call move_pages(). To exploit this vulnerability successfully, the attacker has to have physical access to the vulnerable



system with a local account to execute the exploit. This is the primary scope of cve-2010-0415.

4.2. Affected Linux systems Generally, cve-2010-0415 affects any Linux kernel between 2.6.X and 2.6.33, or more specifically, kernels that implement the move_pages call system which, as kernel.org states, begins from version 2.6.18 onwards until the patch for the vulnerability on version 2.6.33 was released. Therefore, all previous versions are subject to this vulnerability, which can be exploited by a local attacker who will cause kernel errors and denial of service. Based on the nature of Linux systems, one can say that to make a clear statement on the vulnerability of systems one has to know whether a vulnerable kernel is implemented on the target system. There are many Linux operating systems based on kernel 2.6.18 and onwards, such as Fedora, Redhat, Debian, Ubuntu, Mandriva and Suse. Therefore, the best way to define vulnerable systems is to use the kernel version. The table in Appendix A illustrates in detail the affected kernels that are vulnerable to cve-2010-0415 (SECURITYFOCUS, 2010).

4.3. Cve-2010-0415 level of threat to Linux systemsThe level of threat to compromised machines is relatively low since it is a local vulnerability and even though it may be exploited it will result in loss of availability. Many advisories have addressed the issue and described the level of threat as either low or near low. The National Vulnerability Database rated the impact of cve-2010-0415 as medium, with a score of 4.6 out of ten. Although the exploit range is local, the attack complexity is relatively low (NVD, 2010). On the contrary, Bugzilla (2010) has prioritised the vulnerability as high with a high severity impact. A Secunia advisory, however, rated the issue as less critical, stating it might lead to “exposure of sensitive data to local users” (Secunia, 2010). Most advisories have rated the issue as a local one, causing denial of service, sensitive information leakage and the potential escalation of privileges. We can therefore say that the level of threat is relatively low, but there is the potential of loss of service or memory data exposure.

5. Exploit code delivery to the target systemLocal vulnerabilities are not reachable across a network, such as “the operating system kernel or services which do not accept remote connections”. To exploit such vulnerabilities a prior account is required on the target machine. Thus, “there must be an existing connection to the target before the exploit can be attempted” (Saint, 2010). This particular vulnerability is exploited on a local basis, which means that the attacker has an account which he can use to attempt unauthorized operations such as reading or writing of arbitrary memory addresses, as in the cve-2010-0415 vulnerability. The next figure shows the login screen of an unprivileged user account for a local user. Having a local user means there is a certain level of reliance and it is not always simple to find out how trust can be violated. After all, a physical presence is required to perform an attack which controls the compromised machine via the available user account (QNX, 2010).



Figure 24: Unprivileged user account on Fedora

On a theoretical basis, once the local presence is achieved, the attacker can exploit the target machine using the Spengler code ‘exp_sieve.c’. The code is developed and delivered in C code, and it is possible to run it directly because the source code is already available and the local attacker can go through a GCC complier to compile and manipulate the exploit as needed on the target machine. The exploit can have different impacts on the target machine. It is even possible, since the exploit is local, to escalate the user privileges to gain root access and control all operations on the target machine.

The exploit code can also be delivered remotely if there is a suitable carrier to hold the code and the vulnerable kernel can be exploited as if it were local. In a simple way, the code can be injected and hidden in some sort of object and sent to the victim remotely. Then the victim may then be tempted to execute the exploit by any kind of social engineering mechanism. The vulnerability can then function on the targeted machine. The local exploit concept does not mean it cannot be transmitted remotely to another machine in which the one receiving is also considered to be local. The exploit will then be considered a local exploit by executing the carried code. The following figure shows how it is possible to deliver a local exploit remotely through any means for it to be exploited locally on the targeted machine if the victim can be tricked to execute the code.

Figure 25: Delivering the exploit via a carrier


Hacker

CarrierTarget


6. Cve-2010-0415 mitigationCve-2010-0415 compromises three fundamental concepts of security. The three elements are availability, integrity and confidentiality. Each of them is in potential danger with this vulnerability, although the weakness is implemented on a local range only. Availability is jeopardised by DoS attacks, caused by faulty node values passed on the move_pages function to the vulnerable kernel. Integrity and confidentiality are at risk in terms of escalating the privileges to gain root access or sensitive information leakage occurring which discloses data that can lead to other potential exploits and a more severe impact on the target. As usual, vendors respond to such vulnerabilities and bugs by releasing patches and updates to change the affected software. The move_pages function was updated and patched in all distributed Linux versions. The patch of the vulnerable software [migrate.c] changes the method of checking and validating node values, which caused the issue in the first place. The changes were as follows:

Figure 26: Cve-2010-0415 patch (Kernel.org 2010)

The code checks if the node is smaller than zero or equal to the maximum Numanodes, then prints the error message and exits. The validation prevents leakage and denies exceeding of the boundaries of the memory address. The patch can be downloaded automatically in recent versions of Linux, as the following figure shows:

Figure 27: Automated update

The update varies based on the vendor, but as a general rule each vendor releases regular patches and updates that can be downloaded without having to leave the desktop. The following figure illustrates updates and patches for the authors VMware Fedora:



Figure 28: Fedora update

Besides automatic updates, we can find patches for source code on kernel.org on a regular basis, since it is especially dedicated to Linux kernel codes and patches.

7. ConclusionThis report sheds light on a recent vulnerability found in Numa libraries, providing many tools for programmers to control programs and allocate memory. Among these, ‘migrate.c’ contains the flawed code that causes certain versions of Linux kernels to crash or potential privilege escalation through the exploitation of a local user. Affected kernel versions are usually implemented on both 64bit and 32bit architecture. A Linux kernel has to be compiled to support Numa libraries. Numa has been explained in this report; generally it is used to organise memory allocation and distribution between sets of local and remote nodes. Each processor has its own memory node called a local one and another processor memory is called a remote one. The focus has primarily been on the issue of cve-2010-0415 and the exploiting methodology that is found in Numa libraries. The report has provided a detailed description of the flawed code and how an attacker might use such a vulnerability to deliver the exploit code to a Linux machine.

Although the report has stated that the vulnerability has a low to medium affect on a compromised machine, it has also provided a mitigation strategy to limit the scale and scope of the vulnerability. Analysis of the code was informative in terms of explaining the conditions which cause occurrence. The exploit code uses a clever method to validate the targeted system support. If it does support or is vulnerable to the flawed code, the exploit starts with the inputting of a variable from the user’s space that causes the issue on the node value. The node value range on the exploit code is calculated through a set of arrays and functions that output the value and the move_pages function retrieves values from the kernel to leak the sensitive data required. The acquired data will provide an arbitrary memory address that can be used to cause DoS, data leakage or privilege escalation on the compromised machine. Although the report has given a detailed explanation of the vulnerability and exploit code, it was difficult to execute the actual exploit code on a vulnerable machine that had 64-bit architecture, as shown in the next figure (using a University lab machine), due to the fact that it requires compilation of the kernel with a Numa



function. Despite the exploitation of cve-2010-0415 on a 64-bit machine being shown on YouTube, there is still no proof of the concept of cve-2010-0415.

Figure 29: Vulnerable machine with 64-bit architecture

In conclusion, the vulnerability can compromise a vulnerable machine and cause various problems. The move_pages function can be used to leak data that might be used by attackers to cause denial of service or privilege escalation. In theory, cve-2010-0415 is relatively limited and is not difficult to patch. Even if there are no patches provided by the vendor, one can construct a patch since the sucrose code is available to the public. While the vulnerability exists in both 32-bit and 64-bit machines, the proposed exploit code exploits only 64-bit machines that support Numa. The author believes that the concepts of confidentiality, integrity and availability (CIA) must be preserved due to the fact that cve-2010-0415 is caused by local users. Thus, more internal caution and measures must be put in place to deter internal users from causing it. The author believes that one of the most efficient ways of stopping internal risk is to put in place security policies that define what is and what is not allowed. These policies will have an affect on the security of premises and their machines by not allowing execution of such exploits on machines; thus, protection will be accomplished.



8. Reference:ADVISORY, D.S., (2010), Dsa-1996-1 Linux-2.6 -- Privilege Escalation/Denial of

Service/Sensitive Memory Leak [online]. [Accessed 24 Mar 2010]. Available from World Wide Web: http://www.debian.org/security/2010/dsa-1996

BEN, V.; D. SCOTT; G. ANOOP and R. MENDEL, (1996), Operating System Support for Improving Data Locality on Cc-Numa Compute Servers. IN: Proceedings of the seventh international conference on Architectural support for programming languages and operating systems, Cambridge, Massachusetts, United States. ACM.

BESEDIN, D., (2005), Non-Uniform Memory Architecture (Numa): Dual Processor Amd Opteron Platform Analysis in Rightmark Memory Analyzer [online]. [Accessed 29 Mar 2010]. Available from World Wide Web: http://ixbtlabs.com/articles2/cpu/rmma-numa.html

BUGZILLA, (2010), (Cve-2010-0415) Cve-2010-0415 Kernel: Sys_Move_Pages Infoleak [online]. [Accessed 2 Apr 2010]. Available from World Wide Web: https://bugzilla.redhat.com/show_bug.cgi?id=562582#c0

CVE, (2010), Cve-2010-0415 [online]. [Accessed 24 Mar 2010]. Available from World Wide Web: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415

DANIEL, B. and C. MARCO, (2005), Understanding the Linux Kernel. Oreilly \& Associates Inc.

DENNEMAN, F., (Feb 2010), Sizing Vms and Numa Nodes [online]. [Accessed 29 Mar 2010]. Available from World Wide Web: http://frankdenneman.nl/2010/02/sizing-vms-and-numa-nodes/

ENCYCLOPEDIA, C.D., (2010), Smp Definition - Computer [online]. Available from World Wide Web: http://www.yourdictionary.com/computer/smp

FEDORA, (2010), [Security] Fedora 11 Update: Kernel-2.6.30.10-105.2.23.Fc11 [online]. Available from World Wide Web: http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035070.html

GAUGHEN, P., (2010), Numa Status [online]. [Accessed 30 Mar 2010]. Available from World Wide Web: http://lse.sourceforge.net/numa/status/

HENRY, G., (2010), Intel(R) Mkl Numa Notes [online]. [Accessed 29 Mar 2010]. Available from World Wide Web: http://software.intel.com/en-us/articles/intel-mkl-numa-notes/

JUSTIN, D.; W. ROGER and H. WILLIAM VON, (2006), Suse Linux10 Bible. John Wiley & Sons, Inc.

KENNETH, M.W. and B.A. BOB, (2001), Dynamic Page Placement to Improve Locality in Cc-Numa Multiprocessors for Tpc-C. IN: Proceedings of the 2001 ACM/IEEE conference on Supercomputing (CDROM), Denver, Colorado. ACM.

KERNEL.ORG, (2008), Linux Programmer's Manual [online]. [Accessed 30 Mar 2010]. Available from World Wide Web: http://www.kernel.org/doc/man-pages/online/pages/man5/numa_maps.5.html

KERNEL.ORG, (2008), Linux Programmer's Manual, Move_Pages(2) [online]. [Accessed 31 Mar 2010]. Available from World Wide Web: http://www.kernel.org/doc/man-pages/online/pages/man2/move_pages.2.html


http://www.kernel.org/doc/man-pages/online/pages/man2/move_pages.2.html

http://www.kernel.org/doc/man-pages/online/pages/man2/move_pages.2.html

http://www.kernel.org/doc/man-pages/online/pages/man5/numa_maps.5.html

http://www.kernel.org/doc/man-pages/online/pages/man5/numa_maps.5.html

http://software.intel.com/en-us/articles/intel-mkl-numa-notes/

http://lse.sourceforge.net/numa/status/

http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035070.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035070.html

http://www.yourdictionary.com/computer/smp

http://frankdenneman.nl/2010/02/sizing-vms-and-numa-nodes/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415

https://bugzilla.redhat.com/show_bug.cgi?id=562582#c0

http://ixbtlabs.com/articles2/cpu/rmma-numa.html

http://www.debian.org/security/2010/dsa-1996


KERNEL.ORG, (2010), Fix Potential Crash with Sys_Move_Pages [online]. [Accessed 9 Apr 2010]. Available from World Wide Web: https://patchwork.kernel.org/patch/89838/

KLEEN, A., (2004), Numa(3) - Linux Man Page [online]. [Accessed 30 Mar 2010]. Available from World Wide Web: http://linux.die.net/man/3/numa

KLEEN, A., (2005), A Numa Api for Linux [online]. [Accessed 29 Mar 2010]. Available from World Wide Web: http://www.novell.com/rc/docrepository/newpublic/37/basedocument.2009-11-18.5883877819/4621437_en.pdf

LAMETER, C., (2006), Local and Remote Memory: Memory in a Linux/Numa System [online]. [Accessed 30 Mar 2010]. Available from World Wide Web: http://kernel.org/pub/linux/kernel/people/christoph/pmig/numamemory.pdf

LAMETER, C., (2006), Page Migration [online]. [Accessed 8 Apr 2010]. Available from World Wide Web: http://www.mjmwired.net/kernel/Documentation/vm/page_migration

LUCK, T., (2008), Linux Scalability in a Numa World. Linux Magazine [online]. [Accessed 29 Mar 2010], Available at: http://www.linux-mag.com/id/6868

NVD, (2010), Vulnerability Summary for Cve-2010-0415 [online]. [Accessed 6 Apr 2010]. Available from World Wide Web: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0415

QNX, (2010), Securing Your System [online]. [Accessed 7 Apr 2010]. Available from World Wide Web: http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/user_guide/security.html

SAINT, (2010), Running Exploits [online]. [Accessed 7 Apr 2010]. Available from World Wide Web: http://www.saintcorporation.com/cgi-bin/demo_doc.pl?doc_name=exploits.html

SECUNIA, (2010), Ubuntu Update for Linux and Linux-Source-2.6.15 [online]. [Accessed 6 Apr 2010]. Available from World Wide Web: http://secunia.com/community/advisories/terminology/

SECURITYFOCUS, (2010), Linux Kernel 'Do_Pages_Move()' Local Information Disclosure Vulnerability [online]. Available from World Wide Web: http://www.securityfocus.com/bid/38144/info

SECURITYTRACKER, (2010), Linux Kernel Flaw in Do_Pages_Move() Lets Local Users Obtain Kernel Memory and Deny Service [online]. [Accessed 9 Apr 2010]. Available from World Wide Web: http://securitytracker.com/alerts/2010/Feb/1023554.html

SOURCEFORGE.NET, (2005), Linux Scalability Effort Homepage [online]. [Accessed 29 Mar 2010]. Available from World Wide Web: http://lse.sourceforge.net/numa/faq/index.html

SPENGLER, B., (2010), Exp_Sieve [online]. [Accessed 3 Apr 2010]. Available from World Wide Web: http://www.grsecurity.net/~spender/exp_sieve.txt

XORL, (2010), Cve-2010-0415: Linux Kernel Move_Pages(2) Information Leak [online]. [Accessed 2 Apr 2010]. Available from World Wide Web:


http://www.grsecurity.net/~spender/exp_sieve.txt

http://lse.sourceforge.net/numa/faq/index.html

http://securitytracker.com/alerts/2010/Feb/1023554.html

http://www.securityfocus.com/bid/38144/info

http://secunia.com/community/advisories/terminology/

http://www.saintcorporation.com/cgi-bin/demo_doc.pl?doc_name=exploits.html

http://www.saintcorporation.com/cgi-bin/demo_doc.pl?doc_name=exploits.html

http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/user_guide/security.html

http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/user_guide/security.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0415

http://www.linux-mag.com/id/6868

http://www.mjmwired.net/kernel/Documentation/vm/page_migration

http://kernel.org/pub/linux/kernel/people/christoph/pmig/numamemory.pdf

http://kernel.org/pub/linux/kernel/people/christoph/pmig/numamemory.pdf

http://www.novell.com/rc/docrepository/newpublic/37/basedocument.2009-11-18.5883877819/4621437_en.pdf

http://www.novell.com/rc/docrepository/newpublic/37/basedocument.2009-11-18.5883877819/4621437_en.pdf

http://linux.die.net/man/3/numa

https://patchwork.kernel.org/patch/89838/


http://xorl.wordpress.com/2010/02/25/cve-2010-0415-linux-kernel-move_pages2-information-leak/

Appendix A:Affected kernelsLinux kernel 2.6.31 5Linux kernel 2.6.31 .2Linux kernel 2.6.31 .11Linux kernel 2.6.31 -rc7Linux kernel 2.6.31 -rc6Linux kernel 2.6.31 -rc3Linux kernel 2.6.31 -rc1Linux kernel 2.6.31Linux kernel 2.6.31.6Linux kernel 2.6.31.4Linux kernel 2.6.31.1Linux kernel 2.6.31-rc9Linux kernel 2.6.31-rc8Linux kernel 2.6.31-rc5-git3Linux kernel 2.6.31-rc4Linux kernel 2.6.31-rc2Linux kernel 2.6.31-git11

Linux kernel 2.6.32Linux kernel 2.6.33-rc6Linux kernel 2.6.33-rc4Linux kernel 2.6.32.4Linux kernel 2.6.32.3Linux kernel 2.6.32-rc8Linux kernel 2.6.32-rc7Linux kernel 2.6.32-rc5Linux kernel 2.6.32-rc4Linux kernel 2.6.32-rc3Linux kernel 2.6.32-rc2Linux kernel 2.6.32-rc1

Linux kernel 2.6.29 .4Linux kernel 2.6.29 .1Linux kernel 2.6.29 -git8Linux kernel 2.6.29 -git14Linux kernel 2.6.29 -git1Linux kernel 2.6.29Linux kernel 2.6.29-rc2-git1Linux kernel 2.6.29-rc2Linux kernel 2.6.29-rc1

Linux kernel 2.6.30 .10Linux kernel 2.6.30 .1Linux kernel 2.6.30 -rc6Linux kernel 2.6.30 -rc5Linux kernel 2.6.30 -rc3Linux kernel 2.6.30 -rc2Linux kernel 2.6.30 -rc1Linux kernel 2.6.30Linux kernel 2.6.30.5Linux kernel 2.6.30.4Linux kernel 2.6.30.3

Linux kernel 2.6.27-git3Linux kernel 2.6.27 6Linux kernel 2.6.27 3Linux kernel 2.6.27 12Linux kernel 2.6.27 .8Linux kernel 2.6.27 .5Linux kernel 2.6.27 .5Linux kernel 2.6.27 .24Linux kernel 2.6.27 .14Linux kernel 2.6.27 .13Linux kernel 2.6.27 .12Linux kernel 2.6.27 -rc8-git5Linux kernel 2.6.27 -rc8

Linux kernel 2.6.28 .9Linux kernel 2.6.28 .8Linux kernel 2.6.28 .6Linux kernel 2.6.28 .5Linux kernel 2.6.28 .3Linux kernel 2.6.28 .2Linux kernel 2.6.28 .1Linux kernel 2.6.28 -rc7Linux kernel 2.6.28 -rc5Linux kernel 2.6.28 -rc1Linux kernel 2.6.28 -git7Linux kernel 2.6.28Linux kernel 2.6.28.4





Linux kernel 2.6.27 -rc6-git6Linux kernel 2.6.27 -rc6Linux kernel 2.6.27 -rc5Linux kernel 2.6.27 -rc4Linux kernel 2.6.27 -rc2Linux kernel 2.6.27 -rc1Linux kernel 2.6.27

Linux kernel 2.6.28.10

Linux kernel 2.6.25 19Linux kernel 2.6.25 .9Linux kernel 2.6.25 .8Linux kernel 2.6.25 .7Linux kernel 2.6.25 .6Linux kernel 2.6.25 .5Linux kernel 2.6.25 .15Linux kernel 2.6.25 .13Linux kernel 2.6.25 .12Linux kernel 2.6.25 .11Linux kernel 2.6.25 .10Linux kernel 2.6.25Linux kernel 2.6.25.4Linux kernel 2.6.25.3Linux kernel 2.6.25.2Linux kernel 2.6.25.1Linux kernel 2.6.25-rc1

Linux kernel 2.6.26-rc5-git1Linux kernel 2.6.26 7Linux kernel 2.6.26 .6Linux kernel 2.6.26 .4Linux kernel 2.6.26 .3Linux kernel 2.6.26 -rc6Linux kernel 2.6.26Linux kernel 2.6.26.1

Linux kernel 2.6.23.14Linux kernel 2.6.23.10Linux kernel 2.6.23.1Linux kernel 2.6.23.09Linux kernel 2.6.23 .7Linux kernel 2.6.23 .6Linux kernel 2.6.23 .5Linux kernel 2.6.23 .4Linux kernel 2.6.23 .3Linux kernel 2.6.23 .2Linux kernel 2.6.23 -rc2Linux kernel 2.6.23 -rc1Linux kernel 2.6.23

Linux kernel 2.6.24.6Linux kernel 2.6.24-rc2Linux kernel 2.6.24-rc1Linux kernel 2.6.24 .2Linux kernel 2.6.24 .1Linux kernel 2.6.24 -rc5Linux kernel 2.6.24 -rc4Linux kernel 2.6.24 -rc3Linux kernel 2.6.24 -git13Linux kernel 2.6.24

Linux kernel 2.6.20Linux kernel 2.6.20 .9Linux kernel 2.6.20 .8Linux kernel 2.6.20 .5Linux kernel 2.6.20 .4Linux kernel 2.6.20 .15Linux kernel 2.6.20 .1Linux kernel 2.6.20.3Linux kernel 2.6.20.2Linux kernel 2.6.20.13

Linux kernel 2.6.22 .8Linux kernel 2.6.22 .7Linux kernel 2.6.22 .6Linux kernel 2.6.22 .5Linux kernel 2.6.22 .4Linux kernel 2.6.22 .3Linux kernel 2.6.22 .2Linux kernel 2.6.22 .17Linux kernel 2.6.22 .16Linux kernel 2.6.22 .15



Linux kernel 2.6.20.11Linux kernel 2.6.20-rc2Linux kernel 2.6.20-2Linux kernel 2.6.20 -git5

Linux kernel 2.6.22 .14Linux kernel 2.6.22 .13Linux kernel 2.6.22 .12Linux kernel 2.6.22 .11Linux kernel 2.6.22 .1Linux kernel 2.6.22Linux kernel 2.6.22-rc7Linux kernel 2.6.22-rc1

Linux kernel 2.6.18-8.1.8.el5Linux kernel 2.6.18-53Linux kernel 2.6.18Linux kernel 2.6.18 .4Linux kernel 2.6.18 .3Linux kernel 2.6.18 .1

Linux kernel 2.6.19Linux kernel 2.6.19 -rc6Linux kernel 2.6.19 .2Linux kernel 2.6.19 .1Linux kernel 2.6.19 -rc4Linux kernel 2.6.19 -rc3Linux kernel 2.6.19 -rc2Linux kernel 2.6.19 -rc1


linux, cve-2010-0415, practical linux security, vulnerability analysis

Documents

linux numa memory

linux memory management

analysing cve

affected linux systems

memory values

exploit code delivery

exploit function

enlightenment code