Linux Kernel 2.6 Local Root Exploit
aquatix writes "This local root exploit (Debian, Ubuntu) seems to work everywhere I try it, as long as it's a Linux kernel version 2.6.17 to 2.6.24.1. If you don't trust your users (which you shouldn't), better compile a new kernel without vmsplice." Here is milw0rm's proof-of-concept code.
This will be fixed in a day (Score:1, Informative)
*checks kernel version* 2.6.23.8-34... wow, I'm out of date
Re:Misleading (Score:5, Informative)
Re:For those that would rather write than read. (Score:5, Informative)
Yes, I just verified the exploit on Linux 2.6.17.13 (Slackware 11.0) and Linux 2.6.21.5 (Slackware 12.0) and it works as advertised.
Re:Misleading (Score:2, Informative)
Funny comments :) (Score:5, Informative)
"Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura." == something like "Just returned from the pub and saw that Wojta [a machine? Or a person? Unclear...] has nothing to do." [The last word might be a Czech expletive with a typo...?]
"Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca." == something like "Here's something for you to play with, boys,
"Stejnak je to stare jak cyp a aj jakesyk rozbite." == "Anyway, it's old as hell and somehow broken anyway"
The style (no way am I able to render *this* in English
Re:Beauty of OSS (Score:5, Informative)
Or already here...
This appeared to work... [gmane.org]
This workaround works (Score:5, Informative)
The workaround posted in a follow-up in that thread works. I had a few vulnerable (tested) machines that I cannot reboot even if a patched kernel is released in the near future. I tried that fix, then tried the exploit again. The exploit no longer worked after using the fix (workaround).
Those machines were Debian x64.
Ubuntu kernels do not appear to have vmsplice enabled by default.
Neat, but... (Score:2, Informative)
Re:Beauty of OSS (Score:5, Informative)
nobody$
[..]
[+] mmap: 0xb7f29000
[+] root
root# ^D
nobody$
[..]
Exploit gone!
nobody$
[+] mmap: 0xb7f34000
[-] vmsplice
nobody$ no root for me anymore!
By Morten Hustveit:
"a modification of the exploit that finds the address of sys_vmsplice in the kernel (using mmap of
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953#14 [debian.org]
Re:I am so depressed ... (Score:5, Informative)
http://www.milw0rm.com/exploits/5093 [milw0rm.com]
Notice the original article links to 5092.
Re:Is this x86/x86_64 only? (Score:3, Informative)
This flaw is CVE-2008-0600 (Score:5, Informative)
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44 [kernel.org]
Red Hat tracking bug (Enterprise Linux 5 is affected, but 4, 3, and 2.1 are not)
https://bugzilla.redhat.com/show_bug.cgi?id=432251 [redhat.com]
Fedora tracking bug
https://bugzilla.redhat.com/show_bug.cgi?id=432229 [redhat.com]
Re:For those that would rather write than read. (Score:1, Informative)
Doesn't require shell access; it only requires the ability to run arbitrary code. If you're able to upload a program or CGI script that will run on the box, then you can upload this exploit code in its place.
There's nothing special about "/bin/bash"; the exploitation can just as easily be another program you upload that is run instead of a shell.
Re:This flaw is CVE-2008-0600 (Score:2, Informative)
Re:This workaround works (Score:3, Informative)
This also has a patch to the debian kernel tree to fix it: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=54;filename=patch;att=1;bug=464945 [debian.org]
Hopefully will hit the apt mirrors shortly, as I don't fancy trying to get my head around make-kpkg (which never worked for me) at 10pm on a Sunday.
SELinux? (Score:4, Informative)
Re:This workaround works (Score:3, Informative)
Re:Is this x86/x86_64 only? (Score:3, Informative)
What is important is whether the exploitable code is being run. This is only relevant to VMs. Very few Linux phones etc. will be using VMs, and probably none are using this exploitable architecture.
Re:HA HA (Score:3, Informative)
Re:This workaround works (Score:3, Informative)
Linux kenshu 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux
Re:Misleading (Score:3, Informative)
Would it be of interest to do so here on slashdot, considering that the relevant information is only a few clicks away? The short of it is: If you use software that doesn't require 2.6.17 or newer, it won't need vmsplice (because vmsplice didn't exist before then), and if you do run software that hard requires 2.6.17 or newer, chances are it won't use vmsplice anyhow.
No, that's correct enough. It would probably be better to say "Linux Kernel 2.6 Function Local Root Exploit", but that's splitting hairs.
However, the "seems to work everywhere I try it, as long as it's a Linux kernel version 2.6.17 to 2.6.24.1." is, I believe, misleading. One needs to keep in mind that his "everywhere I tried" is likely not representative of those with an urgent need to patch against this. That's what I think is slightly misleading. It's as if an error in the M$ kernel affecting only those with IIS installed necessitated immediately patching ALL M$ servers.
Re:I am so depressed ... (Score:4, Informative)
I did not include KVM support in my kernel on purpose.
As this http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=9;filename=patch;att=1;bug=464953 [debian.org] patch points out, it's in the general fs splice.c code, so I think it is more serious than I originally had thought.
For some reason (if someone can substantiate this I would appreciate it), I could get neither code to work on a CentOS 4.6 machine set up as a server.
I'm buying into the idea that it may be based (a little) on kernel config options, but an official patch would be bet
Ubuntu 7.10 generic kernel is affected. (Score:5, Informative)
Re:slashdot not filtering well enough (Score:2, Informative)
It's confirmed on some Ubuntu versions, and it works on my Ubuntu Gutsy (7.10) kernel (2.6.22-14).
Re:I am so depressed ... (Score:3, Informative)
BTW: Has anyone figured out if there is an option you can disable in make menuconfig that removes vmsplice(), or is it integral to the kernel?
2.6.24.1 is Not Vulnerable (Score:2, Informative)
commit cece280a46c9b5c0adb4d5251f42c082a578e1ad
Author: Jens Axboe
Date: Fri Feb 8 08:49:14 2008 -0800
splice: missing user pointer access verification (CVE-2008-0009/10)
patch 8811930dc74a503415b35c4a79d14fb0b408a361 in mainline.
vmsplice_to_user() must always check the user pointer and length
with access_ok() before copying. Likewise, for the slow path of
copy_from_user_mmap_sem() we need to check that we may read from
the user region.
Signed-off-by: Jens Axboe
Cc: Wojciech Purczynski
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Linus Torvalds
Nothing to see here, move along.
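As an added illustration of the check the commit above describes (a user-space model written for this page, not the kernel's code and not from the thread): a toy address space in which offsets below USER_LIMIT are user memory, with the unchecked copy shape beside the access_ok()-style range check that the fix adds to vmsplice_to_user(). USER_LIMIT, MEM_SIZE and the sample values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed toy address space: [0, USER_LIMIT) is user memory, the rest is
 * kernel memory. Offsets into mem[] play the role of addresses. */
#define MEM_SIZE   0x100
#define USER_LIMIT 0x80
static uint8_t mem[MEM_SIZE];

/* Same intent as access_ok(VERIFY_WRITE, addr, len): the whole range
 * [addr, addr+len) must lie below USER_LIMIT and must not wrap. */
static bool user_range_ok(uint64_t addr, uint64_t len)
{
    if (addr >= USER_LIMIT)
        return false;                       /* starts in kernel space */
    return len <= (uint64_t)USER_LIMIT - addr; /* ends in kernel space / wraps */
}

/* Pre-fix shape: writes wherever the caller-supplied pointer points.
 * Returns bytes written. Bounded by mem[] only so the model itself cannot
 * crash; the kernel had no such safety net. */
static size_t copy_to_user_unchecked(uint64_t dst, const uint8_t *src, size_t len)
{
    if (dst >= MEM_SIZE || len > MEM_SIZE - dst)
        return 0;
    memcpy(&mem[dst], src, len);
    return len;
}

/* Post-fix shape: refuses to touch anything outside the user range
 * (the kernel returns -EFAULT here); returns 0 in that case. */
static size_t copy_to_user_checked(uint64_t dst, const uint8_t *src, size_t len)
{
    if (!user_range_ok(dst, len))
        return 0;
    return copy_to_user_unchecked(dst, src, len);
}

/* Runs one copy with a destination that lies in kernel space and reports
 * the byte left there: nonzero means kernel memory was overwritten. */
static int kernel_byte_after(size_t (*copy)(uint64_t, const uint8_t *, size_t))
{
    const uint8_t payload[4] = { 0x41, 0x41, 0x41, 0x41 }; /* constructed */
    memset(mem, 0, sizeof mem);
    copy(USER_LIMIT + 8, payload, sizeof payload);
    return mem[USER_LIMIT + 8];
}
```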
Re:Misleading (Score:3, Informative)
This is incorrect (Score:5, Informative)
Re:2.6.24.1 is Not Vulnerable (Score:3, Informative)
Re:Beauty of OSS (Score:3, Informative)
Re:Misleading (Score:5, Informative)
to
as mentioned in http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44 [kernel.org]
Then make and install the new kernel, reboot, and try the exploit. It should fail.
Ran the fix, couple of notes... (Score:3, Informative)
Note that if you compile disable-vmsplice-if-exploitable.c on an X86 box you'll need to compile it again for any X86-64 boxes you have.
Re:Making your system secure (Score:1, Informative)
The fix does patch the syscall, yes, BUT, in doing so it tests the exploit. From what I have gathered in testing this myself, exploiting the bug actually corrupts the kernel memory map, leaving your system in an undefined state; absolutely anything could break, including the possibility of the filesystem driver writing crap to your disk. BEWARE if you use this fix, or take out the test mechanism!
Re:Beauty of OSS (Score:2, Informative)
Anyway, you do realize what a local root exploit is, don't you? A normal user-mode program could run this and gain root access. Say you had SSH running under the uid for nobody. Now, normally a hole in that would mean that the cracker just has access equivalent to 'nobody', but with this, 'nobody' can become root.
Or, a more likely scenario, say you were running a browser with a remote code exploit. Normally the browser would only have access as your user account, but with this, now your browser has root access.
Re:Beauty of OSS (Score:5, Informative)
This is probably true when it comes to malware targeting grandma (note: you don't need a root exploit to do plenty of bad things, like install a keylogger on a user's session; IMO things like browsers should one day be relegated to another user as well), but don't you think that people would be interested in breaking sendmail or BIND and the overwhelmingly UNIX (and increasingly GNU/Linux) systems that they run on? (They have in the past, many times in fact...)
I think this position understates the incentives to attack Linux, because, quite frankly, virtually everything actually important infrastructure-wise runs on a UNIX-alike nowadays (VMS holdouts notwithstanding), and now it seems clear that, with the possible exception of Solaris, all UNIX-alikes except Linux are in their death throes.
> There are flaws in both open source and closed code, but I would say that closed code is better for security.
I disagree. With closed source there is substantially less research and review that goes on. Important security bugs that are thought to not be "in the wild" can be swept under the rug indefinitely because they don't jive with business goals of the owning company. In the case of open source development any agent with an axe to grind (and oftentimes clients to reassure) can make it their priority to get the damn thing fixed.
I think an axiom people have when they hold security-by-obscurity as a credible advantage is defeatist regarding the nature of bugs: one *can* write nearly-correct code; see qmail, TeX, dovecot, djbdns, and OpenSSL. It just takes time, effort, and sound engineering (which may include the limitation of scope, something that is hard to do in product-oriented firms). Linux 2.4 may be reaching this point; that's probably why NASA is considering deploying it on things that are actually important.
Re:This is incorrect (Score:3, Informative)
2.6.14.7 does not fall within the affected range of 2.6.17 to 2.6.24.1
The patch. Everybody needs this. (Score:5, Informative)
Re:Beauty of OSS (Score:4, Informative)
Re:Funny comments :) (Score:1, Informative)
"kura" is probably "kurva" - literally "whore", but here it's just used as an interjection.
"kym aj totok vykeca."
Re:'Sploit needs fixing on x86-64 (Score:3, Informative)
#include <stdio.h>

/* prints the size of a long and of a pointer: 4 4 on a 32-bit build, 8 8 on x86-64 */
int
main(int argc, char *argv[])
{
	printf("%lu %lu\n", sizeof(long), sizeof(void *));
	return 0;
}
$ gcc -Wall test.c -o test
$
8 8
I agree that %p would be the better choice, but using '%lx' should only provoke warnings on a 32-bit distro.