Monday, February 11, 2008

local root exploit in the wild!!!

https://www.redhat.com/archives/fedora-list/2008-February/msg01215.html

https://bugzilla.redhat.com/show_bug.cgi?id=432229

Affected kernels: 2.6.17 till 2.6.24

I tried it on my boxes, and here's the result.

Hoshino
Release: Werewolf
SELinux: Enforcing
Result : R00TED!

[kagesenshi@Hoshino tmp]$ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f95000 .. 0xb7fc7000
[+] root
[root@Hoshino tmp]# uname -a
Linux Hoshino.KageSenshi.Org 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686 i386 GNU/Linux



Hikari
Release: Rawhide
SELinux: Permissive
Result : Safe (I think)

[izhar@hikari tmp]$ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f61000 .. 0xb7f93000
Segmentation fault
[izhar@hikari tmp]$ uname -a
Linux hikari.kagesenshi.org 2.6.24-23.fc9 #1 SMP Wed Feb 6 11:36:31 EST 2008 i686 i686 i386 GNU/Linux


I just refreshed the bugzilla page, and it seems like fixes are on the way for all F7, F8 and Rawhide users.


Comment #9 From Mark J. Cox (Security Response Team) on 2008-02-10 16:05 EST

So to fix this you need 2.6.24.1 +
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

or if backporting, an earlier kernel plus both
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361
and
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

Comment #10 From Chuck Ebbert on 2008-02-10 22:26 EST

Fixed in:

kernel-2.6.24.1-28.fc9
kernel-2.6.23.15-137.fc8
kernel-2.6.23.15-80.fc7


Great, and thanks!!! Those who are hosting a multiuser system, update your kernels now!
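As an added helper (not from the post, Fedora or the Bugzilla thread), a small Python check that applies the affected range and the fixed package versions quoted above to `uname -r` strings, so you can tell which boxes still need the update; by that package list, Hikari's 2.6.24-23.fc9 is still below the fixed 2.6.24.1-28.fc9 even though the PoC only segfaulted there. A version string cannot reveal a backported fix, so kernels in the range without a Fedora tag are reported as unknown rather than safe.

```python
import re

# Affected upstream range as stated in the post: 2.6.17 up to and including 2.6.24.x.
AFFECTED_MIN = (2, 6, 17)
AFFECTED_END = (2, 6, 25)   # exclusive upper bound

# First fixed Fedora packages, as listed in the quoted Bugzilla comment #10.
FIXED_FEDORA = {
    "fc9": ((2, 6, 24, 1), 28),
    "fc8": ((2, 6, 23, 15), 137),
    "fc7": ((2, 6, 23, 15), 80),
}

_RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)(?:\.(fc\d+))?)?")


def parse_uname_r(release):
    """Split `uname -r` output such as '2.6.23.9-85.fc8' into
    (upstream version tuple, rpm release number or None, fedora tag or None)."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release string: %r" % release)
    version = tuple(int(p) for p in m.group(1).split("."))
    rel = int(m.group(2)) if m.group(2) else None
    return version, rel, m.group(3)


def vmsplice_status(release):
    """Classify a kernel by the post's affected range and fixed package list.
    Returns 'unaffected', 'fixed', 'vulnerable', or 'unknown' (in range, but the
    version string alone cannot show whether the distribution backported the fix)."""
    version, rel, dist = parse_uname_r(release)
    if not (AFFECTED_MIN <= version < AFFECTED_END):
        return "unaffected"
    if dist in FIXED_FEDORA and rel is not None:
        # RPM ordering: compare the upstream version first, then the release number.
        return "fixed" if (version, rel) >= FIXED_FEDORA[dist] else "vulnerable"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs; the first two are the two boxes in the post.
    for r in ["2.6.23.9-85.fc8", "2.6.24-23.fc9", "2.6.23.15-137.fc8",
              "2.6.24.1-28.fc9", "2.6.16-1.fc5", "2.6.22-14-generic"]:
        print("%-20s %s" % (r, vmsplice_status(r)))
```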