CVE-2010-0729
Description
A certain Red Hat patch for the Linux kernel in Red Hat Enterprise Linux (RHEL) 4 on the ia64 platform allows local users to use ptrace on an arbitrary process, and consequently gain privileges, via vectors related to a missing ptrace_check_attach call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing ptrace_check_attach() in RHEL 4 on ia64 allows local users to ptrace arbitrary processes, leading to privilege escalation.
Vulnerability
A flaw exists in the ptrace implementation on ia64 (Itanium) within Red Hat Enterprise Linux (RHEL) 4. A Red Hat patch introduced in RHSA-2009:1024 moved the ptrace_check_attach() call, resulting in certain code paths (specifically ptrace peek/poke requests) not calling ptrace_check_attach(). This allows a local user to issue ptrace() calls on processes they do not own. The affected versions are RHEL 4 on the ia64 platform [1][3][4].
Exploitation
A local, unprivileged user can exploit this vulnerability by simply calling ptrace() on a target process without having previously attached to it via PTRACE_ATTACH. No special privileges or user interaction beyond local access are required. The missing check means the kernel does not verify that the caller has the right to trace the target process [4].
Impact
Successful exploitation gives the attacker full control over the target process, including reading and writing its memory and registers. If the target is a privileged process (e.g., a setuid root binary), the attacker can escalate privileges to root [1][3].
Mitigation
Red Hat released updates as part of RHSA-2010:0394 and RHSA-2010:0424 on June 21, 2010. Users should apply these kernel updates to fix the missing ptrace_check_attach() call. No known workarounds exist [1][3].
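To confirm after patching that the kernel enforces the attach check, the following self-test is an added example (not Red Hat's code and not from the referenced advisories): it issues a peek request against a child it forked itself without ever attaching, and expects the kernel to refuse. The function name `peek_without_attach_refused` and the `marker` value are assumptions made for this illustration.

```c
/* Added example: verify that a ptrace peek on a process we never attached
 * to is refused. Only a child forked by this program is touched. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample word; it has the same address in the child after fork(). */
static long marker = 0x5a5a5a5aL;

/* Returns 1 if the kernel refused the peek (expected on a fixed kernel),
 * 0 if the peek succeeded (attach check missing), -1 if fork() failed. */
int peek_without_attach_refused(void)
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {           /* child: idle until the parent kills it */
        pause();
        _exit(0);
    }

    /* No PTRACE_ATTACH and no PTRACE_TRACEME: the request must fail.
     * A peek returns the word read, so errno is the only error signal. */
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, child, (void *)&marker, NULL);
    int saved = errno;

    kill(child, SIGKILL);       /* always clean up the helper child */
    waitpid(child, NULL, 0);

    return (word == -1 && saved != 0) ? 1 : 0;
}

int main(void)
{
    int r = peek_without_attach_refused();
    if (r == 1)
        puts("OK: peek without attach was refused");
    else if (r == 0)
        puts("FAIL: peek without attach succeeded; attach check is missing");
    else
        puts("ERROR: could not fork test child");
    return r == 1 ? 0 : 1;
}
```

A non-zero exit status means the kernel still needs the update or the test could not run.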
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:redhat:enterprise_linux:4:*:*:*:*:*:*:*
- Range: =4
References
- support.avaya.com/css/P8/documents/100090459 (nvd)
- www.openwall.com/lists/oss-security/2010/03/12/2 (nvd)
- www.redhat.com/support/errata/RHSA-2010-0394.html (nvd)
- www.securityfocus.com/bid/38702 (nvd)
- bugzilla.redhat.com/show_bug.cgi (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8687 (nvd)