local root exploit in the wild!!!

https://www.redhat.com/archives/fedora-list/2008-February/msg01215.html

https://bugzilla.redhat.com/show_bug.cgi?id=432229

Affected kernels: 2.6.17 till 2.6.24

I tried it on my boxes, and here's the result

Hoshino
Release: Werewolf
SELinux: Enforcing
Result : R00TED!

[kagesenshi@Hoshino tmp]$ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f95000 .. 0xb7fc7000
[+] root
[root@Hoshino tmp]# uname -a
Linux Hoshino.KageSenshi.Org 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686 i386 GNU/Linux



Hikari
Release: Rawhide
SELinux: Permissive
Result : Safe (I think)

[izhar@hikari tmp]$ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f61000 .. 0xb7f93000
Segmentation fault
[izhar@hikari tmp]$ uname -a
Linux hikari.kagesenshi.org 2.6.24-23.fc9 #1 SMP Wed Feb 6 11:36:31 EST 2008 i686 i686 i386 GNU/Linux


I just refreshed the bugzilla page, and it seems like fixes are on the way to all F7, F8, Rawhide users.


Comment #9 From Mark J. Cox (Security Response Team) on 2008-02-10 16:05 EST

So to fix this you need 2.6.24.1 +
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

or if backporting, an earlier kernel plus both
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361
and
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

Comment #10 From Chuck Ebbert on 2008-02-10 22:26 EST

Fixed in:

kernel-2.6.24.1-28.fc9
kernel-2.6.23.15-137.fc8
kernel-2.6.23.15-80.fc7


Great, and thanks!!! Those who are hosting a multiuser system, update your kernels now!
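
To check a box against the fixed builds listed in comment #10, here is an added example (not part of the original post or the Bugzilla thread). It assumes the Fedora `uname -r` form `version-release.fcN`; the function names are made up for this sketch, and any other distribution is reported as `unknown` because the page lists no fixed builds for it.

```shell
#!/bin/sh
# Added example: compare a Fedora kernel release string with the fixed builds
# quoted from Bugzilla comment #10 above. POSIX sh, no external tools.

# Fixed builds from the page, keyed by dist tag, printed as "version release".
fixed_build() {
    case $1 in
        fc9) echo "2.6.24.1 28" ;;
        fc8) echo "2.6.23.15 137" ;;
        fc7) echo "2.6.23.15 80" ;;
        *)   return 1 ;;
    esac
}

# ver_lt A B: succeed if dotted numeric version A is lower than B.
# Missing fields count as 0, so 2.6.24 sorts below 2.6.24.1.
ver_lt() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        vx=${va%%.*} vy=${vb%%.*}
        [ "${vx:-0}" -lt "${vy:-0}" ] && return 0
        [ "${vx:-0}" -gt "${vy:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 1
}

# classify_kernel RELEASE (as printed by `uname -r`); prints one of:
# needs-update | fixed | below-affected-range | unknown
classify_kernel() {
    kver=${1%%-*} rest=${1#*-}
    case $rest in *.fc[0-9]*) ;; *) echo unknown; return 0 ;; esac
    krel=${rest%%.fc*}
    kdist=${rest#"$krel".}; kdist=${kdist%%.*}
    case $kver.$krel in *[!0-9.]*|.*|*..*|*.) echo unknown; return 0 ;; esac
    # The page gives 2.6.17 as the first affected kernel.
    if ver_lt "$kver" 2.6.17; then echo below-affected-range; return 0; fi
    fixed=$(fixed_build "$kdist") || { echo unknown; return 0; }
    fver=${fixed% *} frel=${fixed#* }
    if   ver_lt "$kver" "$fver"; then echo needs-update
    elif ver_lt "$fver" "$kver"; then echo fixed
    elif ver_lt "$krel" "$frel"; then echo needs-update
    else echo fixed
    fi
}

# Classify the release given as the first argument, or the running kernel.
classify_kernel "${1:-$(uname -r)}"
```

A `needs-update` result only means the installed build is older than the fixed build for that Fedora release; it says nothing about whether a particular exploit binary happens to run or crash on it.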

Comments

Anonymous said…
Is it safe to presume that RHEL is not affected by this bug?
Yankee said…
No, it is not safe to presume any machine using an affected kernel is not affected by this problem. RHEL 5 is vulnerable.
