The 2009 Pwnie Winner For Best Privilege Escalation Bug

Linux udev Netlink Message Privilege Escalation (CVE-2009-1185)

Credit: Sebastian Krahmer

In the midst of all the Linux kernel security debates about exploiting NULL function pointer dereferences, Cheddar Bay, transparency regarding known or potential security issues, Cheddar Bay, and the protection afforded by LSMs running within an insecure kernel, Cheddar Bay, sometimes the very simple yet damaging vulnerabilities don’t get nearly the attention they deserve. This is one such vulnerability.

Sebastian Krahmer identified a vulnerability in udevd: it assumed that every message arriving on its NETLINK_KOBJECT_UEVENT socket came from the kernel and never looked at the sender's netlink address. Any local unprivileged user can send a unicast or multicast NETLINK message to udevd, which treats it as a privileged uevent from the kernel and applies its rules to whatever the message claims. This allows a user to (for example) instruct udevd to create a /dev/random device node with attacker-chosen major and minor numbers, so the world-readable, world-writable node that udev's rules create for "random" now points at any block or character device the attacker chooses, handing them raw read/write access to it. The fix that followed is one comparison: the kernel always appears as netlink port ID 0, so a uevent whose sender has any other nl_pid was sent by a process and must be dropped. That's game over, kids.
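The shape of the bug and of its fix, as an added example that is not udev's own code nor Krahmer's exploit: a parser for the kernel's "action@devpath\0KEY=VALUE\0..." uevent payload, a vulnerable handler that never consults the sender, a fixed handler that requires the kernel's netlink address (port 0, multicast group 1), and a constructed forged message of the kind the text describes. The function names, the sender port 4242 and the forged payload are this example's own assumptions; the device numbers 1:8 for /dev/random and 8:0 for the first SCSI disk are the standard Linux assignments.

```c
/* Added example, not udev's or Sebastian Krahmer's code: a uevent parser, the
 * origin check udevd lacked before the CVE-2009-1185 fix, and a constructed
 * forged uevent. Function names and sample values are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __linux__
#include <sys/socket.h>
#include <linux/netlink.h>
#else
/* Fallback so the example compiles off-Linux; mirrors the kernel's layout. */
struct sockaddr_nl { uint16_t nl_family, nl_pad; uint32_t nl_pid, nl_groups; };
#endif

#define UEVENT_KERNEL_GROUP 1u  /* multicast group the kernel broadcasts uevents on */

struct uevent {
    char action[16], devpath[256], subsystem[64];
    int major, minor;           /* -1 when the message carries no MAJOR/MINOR */
};

/* The missing check: the kernel is netlink port 0 and only ever sends uevents
 * on group 1. A user process shows up with its own port ID (normally its PID)
 * in nl_pid, and with nl_groups == 0 if it sent a unicast to udevd. */
int uevent_sender_is_kernel(const struct sockaddr_nl *from)
{
    return from->nl_pid == 0 && from->nl_groups == UEVENT_KERNEL_GROUP;
}

/* Parse one uevent datagram into ev. Returns 0 on success, -1 if malformed. */
int parse_uevent(const char *buf, size_t len, struct uevent *ev)
{
    memset(ev, 0, sizeof *ev);
    ev->major = ev->minor = -1;
    if (len == 0 || buf[len - 1] != '\0') return -1;   /* records must end in NUL */
    size_t hdr = strlen(buf);                           /* "action@devpath" */
    const char *at = memchr(buf, '@', hdr);
    if (!at) return -1;
    snprintf(ev->action, sizeof ev->action, "%.*s", (int)(at - buf), buf);
    snprintf(ev->devpath, sizeof ev->devpath, "%s", at + 1);
    for (size_t pos = hdr + 1; pos < len; pos += strlen(buf + pos) + 1) {
        const char *rec = buf + pos;
        if (!strncmp(rec, "SUBSYSTEM=", 10)) snprintf(ev->subsystem, sizeof ev->subsystem, "%s", rec + 10);
        else if (!strncmp(rec, "MAJOR=", 6)) ev->major = atoi(rec + 6);
        else if (!strncmp(rec, "MINOR=", 6)) ev->minor = atoi(rec + 6);
    }
    return (ev->action[0] && ev->devpath[0]) ? 0 : -1;
}

/* Vulnerable shape: whatever arrives on the socket is treated as the kernel's. */
int handle_uevent_vulnerable(const char *buf, size_t len,
                             const struct sockaddr_nl *from, struct uevent *ev)
{
    (void)from;                                /* sender never consulted */
    return parse_uevent(buf, len, ev) == 0;    /* 1 = udevd would act on it */
}

/* Fixed shape: drop the datagram unless the kernel sent it. */
int handle_uevent_fixed(const char *buf, size_t len,
                        const struct sockaddr_nl *from, struct uevent *ev)
{
    if (!uevent_sender_is_kernel(from)) return 0;
    return parse_uevent(buf, len, ev) == 0;
}

#ifdef __linux__
/* Where `from` comes from in a real daemon: recvmsg() fills msg_name with the
 * netlink address of the datagram's sender, which is what the check inspects. */
ssize_t recv_uevent(int fd, char *buf, size_t len, struct sockaddr_nl *from)
{
    struct iovec iov = { buf, len };
    struct msghdr msg = { .msg_name = from, .msg_namelen = sizeof *from,
                          .msg_iov = &iov, .msg_iovlen = 1 };
    return recvmsg(fd, &msg, 0);
}
#endif

/* Constructed forged uevent: claims to be the kernel adding "random" (really
 * 1:8) but carries 8:0, the first SCSI disk. A 0666 node with these numbers
 * gives the sender raw access to the disk. */
static const char forged_uevent[] =
    "add@/devices/virtual/mem/random\0" "ACTION=add\0"
    "DEVPATH=/devices/virtual/mem/random\0" "SUBSYSTEM=mem\0"
    "MAJOR=8\0" "MINOR=0\0";
#define FORGED_LEN (sizeof forged_uevent - 1)   /* drop the literal's extra NUL */

/* 1 if the chosen handler acts on the forged message when it arrives from an
 * unprivileged process (assumed netlink port 4242, unicast so no group). */
int forged_from_user_accepted(int use_fix)
{
    struct sockaddr_nl from = { .nl_pid = 4242, .nl_groups = 0 };
    struct uevent ev;
    return use_fix ? handle_uevent_fixed(forged_uevent, FORGED_LEN, &from, &ev)
                   : handle_uevent_vulnerable(forged_uevent, FORGED_LEN, &from, &ev);
}

/* Same payload as a genuine kernel broadcast (port 0, group 1): accepted by both. */
int kernel_uevent_accepted(int use_fix)
{
    struct sockaddr_nl from = { .nl_pid = 0, .nl_groups = UEVENT_KERNEL_GROUP };
    struct uevent ev;
    return use_fix ? handle_uevent_fixed(forged_uevent, FORGED_LEN, &from, &ev)
                   : handle_uevent_vulnerable(forged_uevent, FORGED_LEN, &from, &ev);
}

/* Major number the parser extracts from the forged message (-2 if unparsable). */
int forged_major(void)
{
    struct uevent ev;
    return parse_uevent(forged_uevent, FORGED_LEN, &ev) == 0 ? ev.major : -2;
}

int main(void)
{
    printf("vulnerable udevd acts on forged uevent from port 4242: %d\n", forged_from_user_accepted(0));
    printf("fixed udevd acts on forged uevent from port 4242:      %d\n", forged_from_user_accepted(1));
    printf("fixed udevd acts on genuine kernel uevent:             %d\n", kernel_uevent_accepted(1));
    return 0;
}
```

The payload is identical in both scenarios; only the sender address differs, which is why parsing or validating the message contents cannot fix this class of bug. The decision has to be made on the netlink address that recvmsg() returns in msg_name, before anything in the datagram is trusted.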