The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to cause a denial of service (crash) via a crafted ELF file with an interpreter with an invalid arch (architecture), which triggers a BUG() when an invalid VMA is unmapped.
Local users can trigger a flaw in the ELF loader of vulnerable Linux systems: a specially crafted ELF file whose interpreter has an invalid architecture causes a kernel panic, a denial-of-service (DoS) condition that leaves the system unusable until it is rebooted.
Step 1: Payload Delivery: A malicious user must first place a crafted ELF file on the vulnerable system, for example through a compromised web server or a shared file system.
Step 2: File Execution: The user attempts to execute the crafted ELF file. This triggers the kernel's ELF loader.
Step 3: Interpreter Processing: The ELF loader identifies the interpreter specified in the ELF file. The interpreter's architecture is found to be invalid for the system.
Step 4: VMA Creation and Mapping: The kernel attempts to map the interpreter into memory.
Step 5: Unmapping and Crash: When the kernel attempts to unmap the invalid VMA, the BUG() is triggered, resulting in a kernel panic and system crash.
The vulnerability lies within the Linux kernel's ELF loader, specifically in how it handles ELF files whose interpreter has an invalid architecture. When the kernel attempts to unmap a Virtual Memory Area (VMA) associated with the crafted ELF file, it encounters an invalid VMA caused by the architecture mismatch. This triggers a BUG() call within the kernel, a deliberate mechanism that halts execution to signal a critical error. The root cause is missing validation of the interpreter's architecture during ELF loading: the kernel does not handle the invalid architecture correctly, which leads to incorrect VMA handling and the subsequent crash. This is not a memory corruption vulnerability like a buffer overflow, but a logic flaw in the ELF loading code.
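As an added example (not code from this page or from the kernel), the following user-space function performs the validation the text describes as missing: the executable's and the interpreter's ELF headers are compared before anything would be mapped. The ELF32 header layout and the constants are declared inline with their standard values, and the sample headers are constructed in memory rather than read from real binaries.

```c
#include <stdint.h>
#include <string.h>

/* ELF32 file header, same layout as in <elf.h>; declared here so the example needs no platform headers. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32_Ehdr;

/* Standard ELF constant values used below. */
enum { EI_CLASS = 4, EI_DATA = 5, ELFCLASS32 = 1, ELFDATA2LSB = 1,
       ET_EXEC = 2, ET_DYN = 3, EM_386 = 3, EM_PPC = 20 };

/* Result codes returned by interp_arch_check(). */
enum { ARCH_OK = 0, ARCH_BAD_ELF = 1, ARCH_CLASS_MISMATCH = 2,
       ARCH_MACHINE_MISMATCH = 3, ARCH_INTERP_NOT_DYN = 4 };

/* Copy a header out of a raw file buffer; returns 0 if too short or not ELF. */
static int read_ehdr(const unsigned char *buf, size_t len, Elf32_Ehdr *out) {
    if (len < sizeof *out || memcmp(buf, "\177ELF", 4) != 0) return 0;
    memcpy(out, buf, sizeof *out);
    return 1;
}

/* The check a loader must perform BEFORE mapping the interpreter: the
   interpreter must be valid ELF with the same class, byte order and
   e_machine as the executable, and must be a shared object (ET_DYN). */
int interp_arch_check(const unsigned char *exe, size_t exe_len,
                      const unsigned char *interp, size_t interp_len) {
    Elf32_Ehdr e, i;
    if (!read_ehdr(exe, exe_len, &e) || !read_ehdr(interp, interp_len, &i))
        return ARCH_BAD_ELF;
    if (e.e_ident[EI_CLASS] != i.e_ident[EI_CLASS] ||
        e.e_ident[EI_DATA] != i.e_ident[EI_DATA])
        return ARCH_CLASS_MISMATCH;
    if (e.e_machine != i.e_machine) return ARCH_MACHINE_MISMATCH;
    if (i.e_type != ET_DYN) return ARCH_INTERP_NOT_DYN;
    return ARCH_OK;
}

/* Builds a constructed sample header (not a real binary) for demonstration. */
void make_ehdr(unsigned char *buf, uint16_t machine, uint16_t type) {
    Elf32_Ehdr h;
    memset(&h, 0, sizeof h);
    memcpy(h.e_ident, "\177ELF", 4);
    h.e_ident[EI_CLASS] = ELFCLASS32;
    h.e_ident[EI_DATA] = ELFDATA2LSB;
    h.e_type = type;
    h.e_machine = machine;
    memcpy(buf, &h, sizeof h);
}
```

A loader that rejects the interpreter at this point, before any VMA is set up, has nothing to unmap and never reaches the BUG() path described above.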