Linux Kernel 2.6 Local Root Exploit

aquatix writes "This local root exploit (Debian, Ubuntu) seems to work everywhere I try it, as long as it's a Linux kernel version 2.6.17 to 2.6.24.1. If you don't trust your users (which you shouldn't), better compile a new kernel without vmsplice." Here is millw0rm's proof-of-concept code.

Misleading

[arth1]

This is not an universal problem. It only occurs for those kernels with a specific function compiled in that most installations won't need, and which halfway decent sysadmins won't have as part of the kernel anyhow when they don't need it.

Yet another good example of why you shouldn't hire the sysadmins who blindly use what the vendors ship, but security and performance minded sysadmins who reduce installations to what's actually needed.

Re:Beauty of OSS

[IBBoard]

And even if it isn't on its way (and while it isn't here) you can still get the source and remove the problematic part if you don't need it. Try recompiling Flash or some other commercial software without the section that has the exploit in ;)

.

Note: The above assumes that the kernel compiles, which may not always go as smoothly or be as you'd like. That doesn't change the fact that it is theoretically possible, though.

Inside a Vserver on Grsec/PAX it seems save

[Anonymous Coward]

Can't get a rootshell on a Vserver + a Grsec/PAX kernel ("Illegal instruction"), however the non virtualized "root system" itself can be rooted from anyone.

My desktop system here (2.6.23.14) naturally has no chance.

Is this x86/x86_64 only?

[the_humeister]

The proof-of-concept code only supports x86 and x86_64. Does that mean other architectures are immune?

Re:Beauty of OSS

[RonnyJ]

Looking at the comments at the top of the code, it's described as "quite old code" (assuming you believe the author).

Re:This workaround works

[FliesLikeABrick]

I should say.. the ubuntu machines I tested it on do not appear to have vmsplice enabled. YMMV.

where to find in menuconfig

[FudRucker]

is vmsplice part of virtualization found in Device Drivers > Virtualization (and the submenu within the said location)?

if so then mine is ok as i dont build that in my kernel, if this is something else where can it be found in menuconfig?

Re:Misleading

[Anonymous Coward]

In my very limited testing it appears that the stock kernel with CentOS 4.6 and CentOS 5.0 are not vulnerable. Debian 4.0 'etch' and Ubuntu 7.10 'Gutsy Gibbon' both are vulnerable with the stock kernel.

-evilghost

Just fixed it.

[nagora]

Read the bug, ran Vi, fixed exploit in Try that next time your Windows machine has an exploit.

That's why I use an open-source OS. I can fix it when it breaks.

TWW

Re:Beauty of OSS

[raynet]

Though you can compile many parts as modules and add or remove them at will.

Re:For those that would rather write than read.

[caluml]

I have tested the exploit on a Linux VPS box within a VPS as a standard user, and it didn't work. Not sure if this is luck, kernel config, or good VPS design (Hello Bertl!), but either way I am happy.
/me will start using GRSec again. It might not stop/have stopped this (I have no idea), but it's just an extra layer of difficulty.

Re:Misleading

[iabervon]

Using vmsplice() in ordinary applications should improve system performance under load when appropriate (when you send full pages of generated data to a network connection, the kernel won't have to copy the pages, it can DMA straight to the NIC, saving work and cache space). So it's quite possible that distros would ship binaries that use vmsplice() if their default kernels support it, and it would be a performance hit to disable it. I don't know if any significant programs actually use vmsplice() yet, but it wouldn't be surprising.

Re:But...

[Mr. Roadkill]

I, for one, trust myself and am the sole user of my heavily-password-protected computer. Looks like I'm fine, and it sounds like the easiest solution in a private setting to me.

Indeed, it's only exploitable if someone can get at it. If you don't offer any services whatsoever to the outside world, then you should be okay.

The problem is, even though you're the sole user, that if other exploits appear they could piggyback this to escalate from, say, access as www-user to access as root. Got any http services on that box for your own convenience, and any of those use PHP? Based on past experiences, this might hose you. Got SSH on there? Again, based on past experiences, this might hose you. Sendmail and some kind of mailscanning? Again, this might hose you.

It's not just a matter of whether or not you trust your users - it's also a matter of whether or not you trust anyone who attempts to exploit some other service your box offers to not try for root access once they get in. "Please, Mr Blackhat, you've gained access to my box, but please don't elevate that to root!" sounds more than a little naieve, and even a little stupid, but that's exactly what people who leave a whole lot of locally exploitable vulnerabilities on their boxes are saying. By not leaving this kind of thing laying around, you are making it a little bit more difficult for anyone who does manage to gain access to your box to gain full access to it.

Security is all about healthy paranoia, and a belt AND braces AND duct tape approach can pay dividends.

Am I personally worried about this? On my work machine and servers I administer, hell yeah - always on, always connected, running various things that in the past have had vulnerabilities - of course I am, I'd be stupid not to be. At home (dial-up, behind a firewall with NAT, nothing much in the way of services, turned off most of the time even though I don't usually bother turning off my WEP-protected wireless access point), not so much - and not just because the only accounts are held by me. I don't broadcast the SSID, I have a couple of neighbors with no security on their broadband-connected wireless access points, and I don't run an awful lot in the way of remote services when I do have my home machines running. If I had broadband at home and a machine that was running anything that was remotely accessible, or if I didn't have a vertiable smorgasbord of less security-conscious neighbours - I'd fix this at home in a heartbeat.

Re:Beauty of OSS

[Morten Hustveit]

disable-vmsplice-if-exploitable causes kernel oops on Debian Etch with kernel 2.6.18-3-xen-686

Did the exploit work by itself? It would be interesting to know whether the exploit or the workaround crashes the machine. The exploit (without my patch) is known to crash some machines.

Re:Beauty of OSS

[myowntrueself]

Did the exploit work by itself?

I couldn't get the bare exploit code to compile.

The 'workaround' compiled and resulted in the oops. It did not get as far as showing whether the kernel was exploitable or not.

Re:Beauty of OSS

[petermgreen]

Normally the browser would only have access as your user account,
Which it can use to modify your menus so that next time you click that "root terminal" entry the parameters to gksu are a bit different.

Re:Beauty of OSS

[FliesLikeABrick]

What are the downsides/risks of using that fix/workaround? What functionality does it break or restrict?

Last resort from a cracker?

[gringer]

From what this looks like (given the "old code" comments, and timing of the release of exploit code), I'd say that someone realised that their pet root exploit was being patched in the current kernel (2.6.24.1 [kernel.org]), and wanted to have a final go at increasing the impact of the exploit before it was snubbed out. I find it hard to believe that, coincidentally, they just happened to post this exploit on milw0rm the day after the change appeared in the kernel.

Poor form, but I guess it has at least made a few more people aware of the severity of the issue.

To everyone saying "I ca fix it myself"...

[Toreo asesino]

...I have a question for you. I 100% agree this is an advantage of open-source than closed-source software will never have, ever. You've got me on that one, but my immediate thought was "ok, how much would I like to change my own kernel in production systems? About 0% thank-you-very-much".

I mean, hacking stuff in and out of a production system kernel; surely that's a process that would require months of intensive regression testing, etc, etc? I mean, I doubt there are people that know the kernel well enough to do such changes for their own systems, but really, what percentage of you guys honestly and confidently can say "Yeah, let me just fix that for us" knowing your job is on the line if your systems crash around you.

This isn't a troll, this is an honest question.

Source of Mystery Malware Affecting Linux/Apache?

[Spoke]

This local root exploit is very likely to be the one used to infect servers reference in previous Slashdot article Mystery Malware Affecting Linux/Apache Web Servers [slashdot.org].

It seems pretty clear that people are using other remote vulnerabilities to gain local user access and then using this local root exploit to install their "malware".

Get those boxes updated as quickly as possible, folks!

Re:Beauty of OSS

[Daniel Phillips]

Looking at the comments at the top of the code, it's described as "quite old code" (assuming you believe the author).

I believe the author, but I think he was referring to the boilerplate exploit code, which is pretty awful code to tell the truth. The vmsplice bit looks brand new to me, but who knows, perhaps somebody out there really did know about the hole for the last year and a half. If so, they kept it to themselves and damage was not widespread.