Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation

Vulnerable: Linux kernel 2.6.*, Linux kernel 2.5.72-lsm1
Not vulnerable: Linux kernel 2.4

When the POSIX Capability LSM module is not compiled into the kernel but is inserted later as a loadable module, all normal-user processes that already existed at that point end up holding the full capability set of the superuser (root).
POSIX.1e Capability is a very important component of the Linux kernel. In the original Linux kernel, system security relied mainly on it and on DAC. In the new kernel version, the Linux Security Modules (LSM) framework was introduced to provide a lightweight, general-purpose framework for access control. Some Linux security projects have been ported to LSM and accepted into the kernel source, such as POSIX.1e Capability and SE-Linux. Users can compile Capability as a Linux loadable kernel module and insert it into the kernel at any time they want. In this situation, after the Capability module is inserted, the credentials of already-existing processes are wrong: normal-user processes possess the full privileges of root and can perform any operation, like a root process.
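
A check a defender can run for the condition described above, added here as an example that is not part of the original advisory: it parses the Uid and CapEff lines of /proc/<pid>/status and flags processes owned by a non-root user whose effective capability set is full. The fallback highest capability number (30) and the sample status fragments are assumptions, not values from the advisory.

```python
import os

# Added example, not code from the advisory. Assumes the /proc/<pid>/status
# layout (Uid and CapEff lines) and a fallback highest capability of 30.

def parse_status(text):
    """Turn the 'Key: value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def full_cap_mask(last_cap=None):
    """Bitmask with every capability bit 0..last_cap set. Reads
    /proc/sys/kernel/cap_last_cap when the kernel exposes it; the fallback
    of 30 (CAP_AUDIT_CONTROL) is an assumption for 2.6-era kernels."""
    if last_cap is None:
        try:
            with open("/proc/sys/kernel/cap_last_cap") as fh:
                last_cap = int(fh.read())
        except OSError:
            last_cap = 30
    return (1 << (last_cap + 1)) - 1

def overprivileged(status_text, last_cap=None):
    """True if the real uid is not 0 yet CapEff holds every capability."""
    fields = parse_status(status_text)
    uid = int(fields["Uid"].split()[0])
    cap_eff = int(fields["CapEff"], 16)
    mask = full_cap_mask(last_cap)
    return uid != 0 and (cap_eff & mask) == mask

def scan_proc(last_cap=None):
    """Walk /proc and return 'pid name' for each over-privileged process."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as fh:
                text = fh.read()
        except OSError:
            continue  # process exited or status unreadable
        if overprivileged(text, last_cap):
            hits.append(f"{pid} {parse_status(text).get('Name', '?')}")
    return hits

# Constructed sample fragments (not captured from a real system).
SAMPLE_OK = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
SAMPLE_BAD = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t00000000ffffffff\n"
```

Calling scan_proc() on a live system returns the affected processes; an empty list after loading the module is the expected healthy result.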
