Linux vmsplice Local Root Exploit (2.6.17 - 2.6.24.1) [MERGED]

  #1  
Old 02-10-2008, 06:22 PM
luki luki is offline
Web Hosting Master
 
Join Date: Apr 2003
Location: Los Angeles, CA
Posts: 723

Get ready for another round of patching and reboots. See: https://bugs.launchpad.net/ubuntu/+s...22/+bug/190587

Linux vmsplice Local Root Exploit
By qaaz
Linux 2.6.17 - 2.6.24.1

Debian also has a report, but I'm trying to avoid linking to the source of the exploit. It works on 2.6.24, but only once. Then the box kernel panics (did for me). 2.6.24.1 is out as of a couple of days ago, but I'm not sure if it's still vulnerable. Seems like it is.


luki@tester:/tmp$ gcc t.c -o t
luki@tester:/tmp$ ./t
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e6f000 .. 0xb7ea1000
[+] root
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@tester:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@tester:/tmp#

__________________
Pings <1 ms, Unlimited Transfer, Lowest Price: http://localhost/

  #2  
Old 02-10-2008, 06:39 PM
Sam Robertson Sam Robertson is offline
Aspiring Evangelist
 
Join Date: Jan 2008
Location: United Kingdom
Posts: 408
Thanks for the heads-up

**Goes to check servers**

  #3  
Old 02-10-2008, 06:50 PM
reposed reposed is offline
New Member
 
Join Date: Feb 2008
Posts: 1
Yes, this is bad.

Check hxxp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953#14
for info about a temporary solution.

  #4  
Old 02-10-2008, 07:30 PM
jon-f jon-f is offline
Disabled
 
Join Date: May 2006
Posts: 1,398
dang, working on all centos and grsecurity kernels

Take it back, only a few grsecurity kernels it worked on, not sure the reason


Last edited by jon-f; 02-10-2008 at 07:44 PM.
  #5  
Old 02-10-2008, 08:29 PM
MaB MaB is offline
Web Hosting Master
 
Join Date: Oct 2001
Posts: 1,244
Only 2.6.17+ is vuln. CentOS < 5 should be okay (they run 2.6.9 IIRC), but CentOS 5 = vuln.

Doesn't look like OpenVZ is vulnerable

__________________
Avi Brender
Reliable Web Hosting by Elite Hosts, Inc
CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec


  #6  
Old 02-10-2008, 09:17 PM
domainworldaccess domainworldaccess is offline
Web Hosting Guru
 
Join Date: Jul 2007
Location: Dallas, TX
Posts: 320
Confirmed CentOS 5 is vuln.

http://bugs.centos.org/view.php?id=2667

Current 4.6 = 2.6.9-67.0.4.ELsmp #1 is not vuln.


From Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=432251

Opened by Mark J. Cox (Security Response Team) on 2008-02-10 08:37 EST

A new system call named vmsplice() was introduced in the 2.6.17 release of the Linux kernel. COSEINC reported two issues affecting vmsplice, CVE-2008-0009 and CVE-2008-0010. On Saturday 20080210 a public exploit was released that utilised a similar flaw in vmsplice (vmsplice_to_pipe function) to allow a local user to gain privileges on some architectures. See also http://marc.info/?t=120263655300003&r=1&w=2 This issue will affect kernels 2.6.17+ and therefore affected Red Hat Enterprise Linux 5, but not Red Hat Enterprise Linux 4, 3, or 2.1.

__________________
https://ServersAndHosting.com
Dedicated Servers | Guaranteed Hosting


Last edited by domainworldaccess; 02-10-2008 at 09:25 PM.
  #7  
Old 02-10-2008, 09:26 PM
jon-f jon-f is offline
Disabled
 
Join Date: May 2006
Posts: 1,398
OK guys, here is a fix I've run on a few CentOS 5 servers:
http://home.powertech.no/oystein/ptpatch2008/

Just insert that module as per
https://bugzilla.redhat.com/show_bug.cgi?id=432251#c10

  #8  
Old 02-10-2008, 09:32 PM
domainworldaccess domainworldaccess is offline
Web Hosting Guru
 
Join Date: Jul 2007
Location: Dallas, TX
Posts: 320
Felosi, can you confirm the patch works as suggested in RHN comment 10?

Comment #11 From Seva on 2008-02-10 18:38 EST

Ola, I tried that module on a test system and got: <name> kernel: general protection fault: 0000 [1] SMP

  #9  
Old 02-10-2008, 09:41 PM
MaB MaB is offline
Web Hosting Master
 
Join Date: Oct 2001
Posts: 1,244
I just loaded that kernel module on half a dozen servers with no problem and verified that it caught any attempts. Thanks for the link, felosi!

  #10  
Old 02-10-2008, 09:43 PM
jon-f jon-f is offline
Disabled
 
Join Date: May 2006
Posts: 1,398
Yes, patch works!

But on the same servers the exploit did not work on (which I have no idea why, because it's the same exact kernel... I think), it would not load the module because of invalid format.

But on all machines I tested the exploit on and got root, I was able to load the module.

Gonna be a busy night, guys.

  #11  
Old 02-10-2008, 09:48 PM
dysk dysk is offline
WHT Addict
 
Join Date: Jul 2003
Location: Olean, NY
Posts: 143
The module works for me. I'm currently compiling RHEL/CentOS 5 kernels with the upstream patches and they should be ready in the morning. I'll post them when they're done and tested.

Of the machines that the proof of concept doesn't work on, by any chance are they 64-bit? 64-bit machines are vulnerable, but the proof of concept that's been floating around has a bug that prevents it from running on 64-bit machines.

I do have one 32-bit machine that the exploit doesn't work on. It's got some 3rd-party closed-source drivers, so I suspect that one of those is interfering with the exploit.

Cheers,
Erek Dyskant
http://erek.blumenthals.com/blog/


Last edited by dysk; 02-10-2008 at 09:59 PM.
  #12  
Old 02-11-2008, 01:11 AM
RossH RossH is offline
Away
 
Join Date: Jun 2002
Posts: 5,278
So are we taking bets on how many web hosting companies are going to be hacked by the next week?

  #13  
Old 02-11-2008, 01:16 AM
MaB MaB is offline
Web Hosting Master
 
Join Date: Oct 2001
Posts: 1,244
Some HostGator servers were hacked (http://forums.hostgator.com/showthread.php?t=27629).

I don't doubt that a bunch of other servers across many companies were hacked as well.

  #14  
Old 02-11-2008, 01:28 AM
jon-f jon-f is offline
Disabled
 
Join Date: May 2006
Posts: 1,398
Ya, it's gonna be a real sh**storm.

  #15  
Old 02-11-2008, 01:59 AM
rfxn rfxn is offline
Junior Guru
 
Join Date: Apr 2002
Location: Canada
Posts: 239
OK, for those of you getting the invalid module format error, make sure you have the specific kernel-devel package installed for your kernel. So if you are running a PAE kernel, be sure that kernel-PAE-devel is installed (all systems will need the valid kernel-devel package for your kernel build installed for successful compilation of the LKM patch).

You may also need to modify the Makefile on your system; simply point the KPATH value to your kernel headers/source, such as:
KPATH = /usr/src/kernels/2.6.18-53.1.6.el5PAE-i686

You should also make sure the System.map being used is in fact the correct one, so hard-coding the MAPFILE value would not hurt either:

MAPFILE = /boot/System.map-2.6.18-53.1.6.el5PAE

(Also a given: if you are using custom kernel versions, modify the paths accordingly.)

Also, just because the PoC exploit won't run on x86_64 systems does not mean they are not vulnerable; a few register changes to the exploit will very quickly show that they are in fact vulnerable too.

Finally, be sure you do not forget to set the ptpatch2008 module to load on boot; some may overlook this simple fact and get nailed. I would recommend you load the module through a simple insmod entry in /etc/rc.local to be as uninvasive upon the system as possible.

__________________
'Make no mistake, the odds are not in your favor -- you have to patch every hole,
but an attacker need find only one to get into your environment.'

R-fx Networks - Linux Software & Blog | http://www.rfxn.com



Last edited by rfxn; 02-11-2008 at 02:02 AM.
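As an added example that is not from the thread or from the ptpatch2008 project: a POSIX sh triage helper that checks a kernel release string against the 2.6.17 to 2.6.24.1 range given in the first post and, as rfxn's last paragraph suggests, whether the ptpatch2008 module is actually loaded. It assumes the module is named ptpatch2008 and that the listing is in /proc/modules format; a vendor kernel keeps its base version after a backported fix, so "in range" means "check the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not code from the thread or from ptpatch2008.
# Two fleet-triage checks:
#  1. does a kernel release string fall in the range the thread gives
#     for the vmsplice bug (2.6.17 .. 2.6.24.1 inclusive)?
#  2. is the ptpatch2008 hot-fix module currently loaded?
# A RHEL/CentOS 2.6.18-xx kernel keeps its base version after a backported
# fix, so "in range" is a prompt to verify, not proof of exposure.

# Usage: vmsplice_range_vulnerable 2.6.18-53.1.6.el5PAE  -> exit 0 (in range)
vmsplice_range_vulnerable() {
    base=${1%%-*}                        # drop the "-53.1.6.el5PAE" release part
    IFS=. read -r major minor patch sub _rest <<EOF
$base
EOF
    # Keep only the leading digits of each field ("24rc1" -> "24").
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}
    patch=${patch%%[!0-9]*}; sub=${sub%%[!0-9]*}
    [ "${major:-0}" -eq 2 ] && [ "${minor:-0}" -eq 6 ] || return 1
    patch=${patch:-0}; sub=${sub:-0}
    # 2.6.17 through 2.6.23.x are all in the thread's stated range.
    [ "$patch" -ge 17 ] && [ "$patch" -le 23 ] && return 0
    # 2.6.24 and 2.6.24.1 are in range; 2.6.24.2 and later are outside it.
    [ "$patch" -eq 24 ] && [ "$sub" -le 1 ] && return 0
    return 1
}

# Usage: ptpatch_loaded [modules-file]   (defaults to /proc/modules)
# Exit 0 if a module named ptpatch2008 appears in the listing (first field).
ptpatch_loaded() {
    modules_file=${1:-/proc/modules}
    [ -r "$modules_file" ] || return 1
    awk '$1 == "ptpatch2008" { found = 1 } END { exit !found }' "$modules_file"
}

# Stand-alone run: report on the running kernel.
kver=$(uname -r)
if vmsplice_range_vulnerable "$kver"; then
    if ptpatch_loaded; then
        echo "$kver: in affected range, ptpatch2008 loaded"
    else
        echo "$kver: in affected range, NO hot-fix module loaded - patch/reboot"
    fi
else
    echo "$kver: outside the 2.6.17-2.6.24.1 range"
fi
```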