===================================================================== CERT-Renater Note d'Information No. 2005/VULN165 _____________________________________________________________________ DATE : 09/03/2005 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Linux systems running PaX. ====================================================================== PaX privilege elevation security bug Severity: critical Description: unprivileged users can execute arbitrary code with the privileges of the target in any program they or other users can execute it is definitely exploitable for local users, remote exploitability depends on how much control one can have over executable file mappings in the target Affected versions: all releases since 2003 September (when vma mirroring was introduced) Affected configurations: anyone having SEGMEXEC or RANDEXEC (vma mirroring) in the kernel's .config file Fixed versions: patches released today, see http://pax.grsecurity.net Mitigation: echo "0 0" > /proc/sys/vm/pagetable_cache this will eliminate the obvious exploit vector only, patching is still unavoidable Technical details will be posted to the dailydave mailing list, probably early next week. This is a spectacular fuckup, it pretty much destroys what PaX has always stood and been trusted for. For this and other reasons, PaX will be terminated on 1st April, 2005, a fitting date... Brad Spengler offered to take it up but if you're interested in helping as well, contact pageexec at freemail.hu. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================