Linux Kernel BINFMT_ELF Loader Local Privilege Escalation Vulnerabilities

Multiple vulnerabilities have been identified in the Linux ELF binary loader. These issues can allow local attackers to gain elevated privileges. They originate in the 'load_elf_binary' function in the 'binfmt_elf.c' file.

The first issue results from an improper check performed on the return value of the 'kernel_read()' function. An attacker may gain control over the execution flow of a setuid binary by modifying the binary's memory layout.
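The following user-space illustration is an added example, not kernel source and not part of the original advisory. It assumes the improper check takes the common form of treating only a negative return as failure, which accepts a short read and leaves the rest of the buffer holding stale data. 'pread()' stands in for 'kernel_read()', and all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define HDR_SIZE 32 /* constructed header size for this demo */

/* Weak: only a negative return is an error, so a short read is accepted. */
static int load_weak(int fd, unsigned char *buf, size_t size)
{
    return pread(fd, buf, size, 0) < 0 ? -1 : 0;
}

/* Hardened: anything other than the full requested size is an error. */
static int load_strict(int fd, unsigned char *buf, size_t size)
{
    return pread(fd, buf, size, 0) != (ssize_t)size ? -1 : 0;
}

/* Constructed sample input: an unlinked temp file holding only len bytes. */
static int make_truncated_file(size_t len)
{
    char path[] = "/tmp/shortread-XXXXXX";
    unsigned char data[HDR_SIZE];
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    memset(data, 0x7f, sizeof data);
    if (write(fd, data, len) != (ssize_t)len) { close(fd); return -1; }
    return fd;
}

/* -2: setup failed; -1: loader rejected; else count of bytes never read. */
static int stale_bytes(int (*loader)(int, unsigned char *, size_t), size_t len)
{
    unsigned char buf[HDR_SIZE];
    int fd = make_truncated_file(len), stale = 0;
    if (fd < 0) return -2;
    memset(buf, 0xAA, sizeof buf); /* stands in for leftover memory */
    int rc = loader(fd, buf, sizeof buf);
    close(fd);
    for (size_t i = 0; rc == 0 && i < sizeof buf; i++)
        stale += (buf[i] == 0xAA);
    return rc < 0 ? -1 : stale;
}

int main(void)
{
    printf("weak: %d stale, strict: %d\n", stale_bytes(load_weak, 8), stale_bytes(load_strict, 8));
    return 0;
}
```

With an 8-byte file, the weak loader reports success while 24 of the 32 buffer bytes were never filled from the file; the strict loader rejects the same input.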

The second issue results from improper error-handling when the 'mmap()' function fails.

The third vulnerability results from a bad return value when the program interpreter (linker) is mapped into memory. It is reported that this issue occurs only in the 2.4.x versions of the Linux kernel.

The fourth issue presents itself because a user can execute a binary with a malformed interpreter name string. This issue can lead to a system crash.

The final issue resides in the 'execve()' code. This issue may allow an attacker to disclose sensitive data that can potentially be used to gain elevated privileges.

These issues are currently undergoing further analysis. This BID will be updated and divided into separate BIDs in the future.


 

Copyright 2010, SecurityFocus