Linux Kernel 2.6 Local Root Exploit 586
aquatix writes "This local root exploit (Debian, Ubuntu) seems to work everywhere I try it, as long as it's a Linux kernel version 2.6.17 to 2.6.24.1. If you don't trust your users (which you shouldn't), better compile a new kernel without vmsplice." Here is milw0rm's proof-of-concept code.
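As an added defender-side example (not part of the submission and not milw0rm's code): a small Python helper that parses a kernel release string as printed by `uname -r` and reports whether it falls in the 2.6.17 to 2.6.24.1 range the submission names, so an inventory of hosts can be triaged for rebuild or patching. The host list is constructed sample data; the range boundaries are taken from the submission text.

```python
import re

# Affected range as stated in the submission (inclusive on both ends).
AFFECTED_LOW = (2, 6, 17)
AFFECTED_HIGH = (2, 6, 24, 1)

# Leading dotted numeric part of a release string, e.g. "2.6.23.14" from
# "2.6.23.14-grsec"; suffixes like "-generic" or "-rc1" are ignored.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_kernel_version(release):
    """Return the numeric prefix of a kernel release string as a tuple of ints.
    '2.6.23.14-grsec' -> (2, 6, 23, 14). Raises ValueError if no prefix."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("not a kernel release string: %r" % release)
    return tuple(int(p) for p in m.group(1).split("."))


def is_in_affected_range(release):
    """True if the release lies within 2.6.17 .. 2.6.24.1 inclusive.
    Tuple comparison treats a shorter prefix as smaller, so 2.6.24 (no
    stable sub-version) sorts below 2.6.24.1 and is flagged, while
    2.6.24.2 sorts above it and is not."""
    v = parse_kernel_version(release)
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


def triage(inventory):
    """Given {hostname: release}, return the sorted hostnames whose kernel
    version falls in the affected range."""
    return sorted(h for h, r in inventory.items() if is_in_affected_range(r))


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "web01": "2.6.24.1-generic",
    "web02": "2.6.24.2",
    "db01": "2.6.16.60-smp",
    "desk01": "2.6.23.14",
    "build01": "2.6.25-rc1",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("%s: kernel %s is in the affected range, rebuild or patch"
              % (host, SAMPLE_INVENTORY[host]))
```

The version string alone cannot tell you whether the distribution backported a fix or whether vmsplice was left out of the build, so a match here means "investigate this host", not "confirmed vulnerable"; a non-match on a vendor kernel should still be cross-checked against the vendor's advisory.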
Misleading (Score:3, Interesting)
Yet another good example of why you shouldn't hire the sysadmins who blindly use what the vendors ship, but security and performance minded sysadmins who reduce installations to what's actually needed.
Re:Beauty of OSS (Score:5, Interesting)
Note: The above assumes that the kernel compiles, which may not always go as smoothly or be as you'd like. That doesn't change the fact that it is theoretically possible, though.
Inside a Vserver on Grsec/PAX it seems safe (Score:1, Interesting)
My desktop system here (2.6.23.14) naturally has no chance.
Is this x86/x86_64 only? (Score:5, Interesting)
Re:Beauty of OSS (Score:5, Interesting)
Re:This workaround works (Score:3, Interesting)
where to find in menuconfig (Score:3, Interesting)
If so, then mine is OK, as I don't build that into my kernel. If this is something else, where can it be found in menuconfig?
Re:Misleading (Score:1, Interesting)
-evilghost
Just fixed it. (Score:3, Interesting)
That's why I use an open-source OS. I can fix it when it breaks.
TWW
Re:Beauty of OSS (Score:3, Interesting)
Re:For those that would rather write than read. (Score:3, Interesting)
Re:Misleading (Score:3, Interesting)
Re:But... (Score:4, Interesting)
The problem is, even though you're the sole user, that if other exploits appear they could piggyback this to escalate from, say, access as www-user to access as root. Got any http services on that box for your own convenience, and any of those use PHP? Based on past experiences, this might hose you. Got SSH on there? Again, based on past experiences, this might hose you. Sendmail and some kind of mailscanning? Again, this might hose you.
It's not just a matter of whether or not you trust your users - it's also a matter of whether or not you trust anyone who attempts to exploit some other service your box offers to not try for root access once they get in. "Please, Mr Blackhat, you've gained access to my box, but please don't elevate that to root!" sounds more than a little naive, and even a little stupid, but that's exactly what people who leave a whole lot of locally exploitable vulnerabilities on their boxes are saying. By not leaving this kind of thing lying around, you are making it a little bit more difficult for anyone who does manage to gain access to your box to gain full access to it.
Security is all about healthy paranoia, and a belt AND braces AND duct tape approach can pay dividends.
Am I personally worried about this? On my work machine and servers I administer, hell yeah - always on, always connected, running various things that in the past have had vulnerabilities - of course I am, I'd be stupid not to be. At home (dial-up, behind a firewall with NAT, nothing much in the way of services, turned off most of the time even though I don't usually bother turning off my WEP-protected wireless access point), not so much - and not just because the only accounts are held by me. I don't broadcast the SSID, I have a couple of neighbors with no security on their broadband-connected wireless access points, and I don't run an awful lot in the way of remote services when I do have my home machines running. If I had broadband at home and a machine that was running anything that was remotely accessible, or if I didn't have a veritable smorgasbord of less security-conscious neighbours, I'd fix this at home in a heartbeat.
Re:Beauty of OSS (Score:2, Interesting)
Did the exploit work by itself? It would be interesting to know whether the exploit or the workaround crashes the machine. The exploit (without my patch) is known to crash some machines.
Re:Beauty of OSS (Score:3, Interesting)
I couldn't get the bare exploit code to compile.
The 'workaround' compiled and resulted in the oops. It did not get as far as showing whether the kernel was exploitable or not.
Re:Beauty of OSS (Score:4, Interesting)
Which it can use to modify your menus so that next time you click that "root terminal" entry the parameters to gksu are a bit different.
Re:Beauty of OSS (Score:3, Interesting)
Last resort from a cracker? (Score:3, Interesting)
Poor form, but I guess it has at least made a few more people aware of the severity of the issue.
To everyone saying "I can fix it myself"... (Score:5, Interesting)
I mean, hacking stuff in and out of a production system kernel; surely that's a process that would require months of intensive regression testing, etc, etc? I mean, I doubt there are people that know the kernel well enough to do such changes for their own systems, but really, what percentage of you guys honestly and confidently can say "Yeah, let me just fix that for us" knowing your job is on the line if your systems crash around you.
This isn't a troll, this is an honest question.
Source of Mystery Malware Affecting Linux/Apache? (Score:4, Interesting)
It seems pretty clear that people are using other remote vulnerabilities to gain local user access and then using this local root exploit to install their "malware".
Get those boxes updated as quickly as possible, folks!
Re:Beauty of OSS (Score:3, Interesting)