Linux Kernel 2.6 Local Root Exploit

aquatix writes "This local root exploit (Debian, Ubuntu) seems to work everywhere I try it, as long as it's a Linux kernel version 2.6.17 to 2.6.24.1. If you don't trust your users (which you shouldn't), better compile a new kernel without vmsplice." Here is millw0rm's proof-of-concept code.

The sound you hear...

[downix]

And the next sound you shall hear are millions of nerds rushing into their offices to compile a new kernel on a sunday afternoon... along with the millions of cell phones ringing as the bosses read this...

jessica_biel_naked_in_my_bed.c ?

[Anonymous Coward]

I strongly suspect this code doesn't do what it says on the tin.

Thank God

[Zoxed]

Phew, lucky I run MS Windows then !!

Re:Thank God

[Anonymous Coward]

That's like finding out there's a new 24-hour flu going around, and thanking God the AIDS will kill you first.

Re:Thank God

[monkeySauce]

Phew, lucky I run MS Windows then !!

I know what you mean. It's nice not having to freak out periodically like this since you live in a constant state of panic anyway.

Re:Beauty of OSS

[dotancohen]

And even if it isn't on its way (and while it isn't here) you can still get the source and remove the problematic part if you don't need it. Try recompiling Flash or some other commercial software without the section that has the exploit in ;)

Well, you could always just enter a blank CDR in the drive. I'd say that's about as close as you are going to get to "remove the problematic part" from Windows.

Re:Misleading

[fo0bar]

This is not an universal problem. It only occurs for those kernels with a specific function compiled in that most installations won't need, and which halfway decent sysadmins won't have as part of the kernel anyhow when they don't need it.

Yet another good example of why you shouldn't hire the sysadmins who blindly use what the vendors ship, but security and performance minded sysadmins who reduce installations to what's actually needed.

Which reminds me, have you done your emerge -abuop6QvvvvVVvVVxz world yet today?

Re:jessica_biel_naked_in_my_bed.c ?

[Anonymous Coward]

I strongly suspect this code doesn't do what it says on the tin.

Well, it's OSS, you could always fix it with a patch...

Re:jessica_biel_naked_in_my_bed.c ?

[LiquidCoooled]

Thats because you are compiling it with the wrong target.

You need to include justin_timberlake.h and link it with the millionaires library.

Re:Thank God

[Sique]

AIDS doesn't kill you. It's the inability, that comes with AIDS, to combat the virus of the 24-h-flu, that kills you.

Re:jessica_biel_naked_in_my_bed.c ?

[BJH]

realdoll_and_a_tube_of_lube_on_my_inflatable_mattress.c ?

Re:Beauty of OSS

[Anonymous Coward]

The smugness of these OSS fanboys just makes me want to use Windows ME so badly.

And smack them in the face.

Re:Is this x86/x86_64 only?

[Zoxed]

> The proof-of-concept code only supports x86 and x86_64. Does that mean other architectures are immune?

I heard that the Debian Architecture group are working through the night to ensure it will work on *all* of their supported platforms. Should be on your favourite mirror by Monday lunchtime !!

Re:Thank God

[Anonymous Coward]

You'll get used to it.

Re:Beauty of OSS

[Anonymous Coward]

LULZ jessica_biel_naked_in_my_bed.c

Re:Beauty of OSS

[caluml]

I don't think I'm the first of us to say "Ah shit".

No, you are, you really are! Google confirms it!

Your search - "Ah shit" - did not match any documents.

Re:Misleading

[BasharTeg]

Quick, cue the Linux apologists! Damage control! Spin it! Only noobs and bad administrators would be affected!

Re:Before the inevitable occurs:

[QuantumG]

Yeah, this is an example of one of the millions of Linux kernel holes there are out there. Every now and then, a blackhat gets a job and wants to impress his employer so he pulls out some of his old code and polishes it up. You can tell when it happens because they are so childish that they make the exploit trivial to demonstrate and distribute it far and wide. And you just know that every blackhat who had a variant of this exploit in their personal collection are like "well thanks asshole, now I've got one less Linux kernel exploit.. bastard."

Re:Just fixed it.

[DarkProphet]

Maybe you should try using EMACS to post on slashdot instead. *ducks*

Re:Beauty of OSS

[smittyoneeach]

Did you follow http://www.milw0rm.com/exploits/5092 [milw0rm.com]?

Allow me to past in the first couple of lines:

/*
* jessica_biel_naked_in_my_bed.c
*

Apparently, milw0rm does have a patch for that.

Re:ssh

[Wakko Warner]

Thankfully, nobody runs Linux on enterprise-class hardware.

Re:Beauty of OSS

[LizardKing]

However, bricks = shat.

Come on now, that simply assigns shat to bricks (and that's some nasty use of the comma operator to separate statements). I think you meant:

while (exploitable) {
Bricks *bricks = malloc(sizeof(Bricks));
shit(bricks);
sleep(1);
}

Note that we don't have to dispose of the bricks we shit, as that's taken care of elsewhere. And of course, if we all still wrote VAX assembler we would be able to optimise this by using the SHTBRCKS instruction.

Re:HA HA

[Anonymous Coward]

+--------------+
|    PLEASE    |
|    DO NOT    |
|   FEED THE   |
|    TROLLS    |
+--------------+
      |  |
    .\|.||/..

Re:'Sploit needs fixing on x86-64

[Kirth]

Not only there:

$ gcc -o jessica_biel_naked_in_my_bed jessica_biel_naked_in_my_bed.c
jessica_biel_naked_in_my_bed.c:138:2: error: #error "unsupported arch"
jessica_biel_naked_in_my_bed.c: In function 'kernel_code':
jessica_biel_naked_in_my_bed.c:159: warning: initialization makes pointer from integer without a cast
jessica_biel_naked_in_my_bed.c: In function 'main':
jessica_biel_naked_in_my_bed.c:211: error: 'PAGE_SIZE' undeclared (first use in this function)
jessica_biel_naked_in_my_bed.c:211: error: (Each undeclared identifier is reported only once
jessica_biel_naked_in_my_bed.c:211: error: for each function it appears in.)

$ gcc -o 27704-2 27704-2.c /tmp/ccJWJWBA.s: Assembler messages: /tmp/ccJWJWBA.s:156: Error: Illegal operands /tmp/ccJWJWBA.s:156: Error: Unknown opcode: `andl' /tmp/ccJWJWBA.s:156: Error: Illegal operands

Bloody x86-asm. Doesn't work on Sparc.

Re:Beauty of OSS

[XenoPhage]

So while it may not be difficult to spot some wayward code if you are a geek, it might not be if you are a 65 year old hippie who knows almost nothing about computers.

What does RMS have to do with this?

Re:Beauty of OSS

[Alex Belits]

You can shit null pointers, too.

Re:Beauty of OSS

[Joe the Lesser]

If it fails then he dumps core, which may be an acceptable alternative.