This eight-year-old privilege escalation vulnerability allows a local user with access to the vulnerable privileged driver to escalate privileges and read from and write to sensitive kernel memory.
Although the bug is eight years old, it can still be used on the latest kernel version (4.16-rc3) to escalate privileges.
According to Check Point researchers, the vulnerability (CVE-2018-8781) resides in the internal mmap() handler defined in the fb_helper file operations of the “udl” driver for DisplayLink devices.
The prototype of the mmap() function exposed to user space contains plenty of fields an attacker can use to trigger an integer overflow.
The vulnerability (CVE-2018-8781) received a CVSS score of 7.8 and was declared critical. It affects the function udl_fb_mmap in the file drivers/gpu/drm/udl/udl_fb.c of the udldrmfb driver component and can be used to obtain full read and write permissions on kernel physical pages, resulting in code execution in kernel space. It affects Linux kernel versions 3.4 up to 4.15.
How the 8-year-old privilege escalation vulnerability was spotted
To verify the vulnerability, the researchers used a 64-bit Ubuntu virtual machine and loaded a simulated vulnerable driver. In each test, the driver’s mmap() handler contained the implementation under test.
The user-mode code performed two consecutive calls to mmap() on the vulnerable driver:
length = 0x1000, offset = 0x0 -> sanity check
length = 0x1000, offset = 0xFFFFFFFFFFFFFFFF – 0x1000 + 1 -> vulnerability check
When the buffer’s address was set to the page-aligned physical address of the kernel’s /dev/urandom implementation, the output in both cases was the expected result:
The correct physical page: 0x1531000
The previous physical page: 0x1530000
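The two test calls above are a textbook integer-overflow probe: the second offset is chosen so that offset + length wraps to zero. The following added example (not the kernel's code, and not Check Point's test driver) models an mmap() handler's bounds check in the style of udl_fb_mmap, showing why the naive check passes the wrapped offset while an overflow-safe check rejects it; SMEM_LEN, SMEM_START and the function names are constructed for the demonstration, and uint64_t stands in for the kernel's unsigned long on x86_64.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed framebuffer geometry for the demo (not real driver values). */
#define FB_PAGE_SIZE 0x1000ULL
#define SMEM_LEN     0x100000ULL   /* 1 MiB of mappable framebuffer memory */
#define SMEM_START   0x1531000ULL  /* page-aligned physical page from the test above */

/* Naive bounds check: forms the sum offset + size, which can wrap around.
 * Returns 1 if the mapping would be allowed, 0 if rejected. */
int naive_check_allows(uint64_t offset, uint64_t size)
{
    return (offset + size > SMEM_LEN) ? 0 : 1;
}

/* Overflow-safe bounds check for the same class of bug: compares each
 * operand against the limit without ever computing offset + size. */
int safe_check_allows(uint64_t offset, uint64_t size)
{
    if (offset > SMEM_LEN)
        return 0;
    if (size > SMEM_LEN - offset)
        return 0;
    return 1;
}

/* Physical page the handler would start remapping from. With a wrapped
 * (effectively negative) offset this lands on the page before the buffer. */
uint64_t first_mapped_page(uint64_t offset)
{
    return (SMEM_START + offset) & ~(FB_PAGE_SIZE - 1);
}

int main(void)
{
    uint64_t size = 0x1000ULL;
    uint64_t sane = 0x0ULL;
    uint64_t wrapped = 0xFFFFFFFFFFFFFFFFULL - 0x1000ULL + 1ULL; /* == -0x1000 */

    printf("sanity   : naive=%d safe=%d page=0x%llx\n",
           naive_check_allows(sane, size), safe_check_allows(sane, size),
           (unsigned long long)first_mapped_page(sane));
    printf("wrapped  : naive=%d safe=%d page=0x%llx\n",
           naive_check_allows(wrapped, size), safe_check_allows(wrapped, size),
           (unsigned long long)first_mapped_page(wrapped));
    return 0;
}
```

The naive check accepts the wrapped offset and maps 0x1530000, the page before the buffer, matching the "previous physical page" result in the researchers' test; the safe check rejects it.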
Although the vulnerability was found by a straightforward search, it was introduced into the kernel eight years ago. This shows that even in a popular open source project such as the Linux kernel, one can always hope to find vulnerabilities, the Check Point researchers concluded.