Web Hosting Talk : Hosting Security and Technology : New kernel root exploits for RHEL/linux 2.6*

Hosting Security and Technology: Configuring and optimizing web hosting servers and operating systems, developing administration scripts, building servers, protecting against hackers, and general security (SSL certificates, etc.)

#46, 08-17-2009, 10:02 PM, ngham4host (Newbie, Join Date: Jan 2005, Posts: 18)
Could you post the links and more info?

#47, 08-18-2009, 12:08 AM, felosi (Web Hosting Master, Join Date: May 2006, Location: Tennessee, Posts: 1,205)
Quote (Originally Posted by ngham4host):
Is it possible to upgrade the kernel to kernel 2.6.31-rc6 on CentOS 4.7? My current kernel version is 2.6.9-78.0.13.ELsmp.

regards,
No, we won't allow you. You are not allowed to do that.

lol, jk

But yeah, like they said, nothing can stop you from compiling your own kernel, except in your case with centos4 you may have to update binutils or maybe even gcc

#48, 08-18-2009, 12:16 AM, ngham4host (Newbie, Join Date: Jan 2005, Posts: 18)
Quote (Originally Posted by felosi):
No, we won't allow you. You are not allowed to do that.

lol, jk

But yeah, like they said, nothing can stop you from compiling your own kernel, except in your case with centos4 you may have to update binutils or maybe even gcc

lol

Thanks felosi for your reply.

#49, 08-18-2009, 01:47 AM, tchryan (Junior Guru Wannabe, Join Date: Aug 2008, Location: Troy, MI, Posts: 53)
Quote (Originally Posted by tchryan):
Temporarily patch off this issue as follows. Let me stress the importance of updating CentOS/RHEL 4 systems, as they can very easily be compromised through any vulnerable web application. The same is true of CentOS/RHEL 5 systems where SELinux is not properly disabled and mmap_minaddr > 0.

CentOS/RHEL 5 run:
http://www.rfxn.com/downloads/set_mmap_minaddr

then reboot

CentOS/RHEL 4 run:
http://www.rfxn.com/downloads/upkern_cos4

then reboot

WARNING: The centos/rhel 4 script updates your kernel; it will not migrate custom kernel modules (which the majority of people do not use). The versioning of this kernel update is in line with upstream kernels, so when a proper centos/rhel update is released it will apply straight over my kernel without issue.

This kernel is an rpm built from the mainstream 2.6.30-5 kernel with the sock_sendpage fix and the version changed for compatibility with centos/rhel 4. This is not intended as a long term replacement for upstream kernels, just as a short term fix to the null dereference local root exploit.
The upkern_cos4 now uses native RHEL4 patched rpms built off the 2.6.9-78.0.x source rpm. I have confirmed the patch to socket.c working as intended, and all 3 versions of the PoC exploits for the sock_sendpage null dereference fail to execute.

This took a little bit of doing, as the standard patch for 2.6.30-5 does not work on the 2.6.9 socket.c. In the end I took a snippet of code from the 2.4.x tree with the fix, as the socket.c from the 2.4.x tree more accurately resembles that of the 2.6.9 socket.c.

Please see the following if you would like to manually install:
http://bala.tchmachines.com/kernel-2...8.0.30.tch.EL/

__________________
Ryan MacDonald
Data Center Manager | TotalChoice Hosting
Choice Does Matter! | Serving over 26,000 clients
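A defender's audit of the mitigation tchryan describes, added here as an example and not code from the thread or from the rfxn scripts: it checks vm.mmap_min_addr against the page size and reports the SELinux state next to it, because the post says a CentOS/RHEL 5 box with SELinux still enabled and mmap_minaddr > 0 is not covered by the sysctl alone. The 4096-byte page size and the /selinux and /sys/fs/selinux enforce paths are assumptions.

```shell
#!/bin/sh
# Audit script (example, not from the thread). A userland NULL-pointer
# dereference such as the sock_sendpage bug needs an unprivileged mapping
# of page zero; a non-zero vm.mmap_min_addr refuses that mapping.
PAGE_SIZE=4096   # assumed x86 page size

# mmap_min_addr_ok VALUE -> 0 when VALUE keeps at least one page unmappable
mmap_min_addr_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as unset
    esac
    [ "$1" -ge "$PAGE_SIZE" ]
}

# verdict MMAP_MIN_ADDR SELINUX_STATE -> one-line verdict; returns 0 only
# when the sysctl is set and SELinux is disabled (the thread's caveat).
verdict() {
    if ! mmap_min_addr_ok "$1"; then
        echo "VULNERABLE: vm.mmap_min_addr=$1 lets users map page zero; set it and update the kernel"
        return 1
    fi
    if [ "$2" != "disabled" ]; then
        echo "AT RISK: vm.mmap_min_addr=$1 but SELinux is $2; update the kernel"
        return 2
    fi
    echo "MITIGATED: vm.mmap_min_addr=$1, SELinux disabled (still update the kernel)"
    return 0
}

# selinux_state -> enforcing / permissive / disabled, read from the
# enforce flag (paths assumed); no flag means SELinux is not active.
selinux_state() {
    for f in /selinux/enforce /sys/fs/selinux/enforce; do
        if [ -r "$f" ]; then
            case "$(cat "$f" 2>/dev/null)" in
                1) echo enforcing ;;
                *) echo permissive ;;
            esac
            return 0
        fi
    done
    echo disabled
}

# live_check -> verdict for this host, read from /proc (real values)
live_check() {
    cur=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || echo 0)
    verdict "$cur" "$(selinux_state)"
}
```

Run `live_check` on the host; to persist the setting, the sysctl is `vm.mmap_min_addr` in /etc/sysctl.conf (value 65536 is a common choice on x86).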

#50, 08-18-2009, 09:14 AM, karem (Junior Guru Wannabe, Join Date: Aug 2005, Location: Egypt, Posts: 78)
What about 2.6.29.5-grsec-xxxxx-4.2.0-x86_64-libata?

__________________
Arabian Linux administrator

egyhaty@gmail.com

#51, 08-18-2009, 09:20 AM, Dougy (Web Hosting Master, Join Date: May 2006, Location: NJ, USA, Posts: 2,823)
grsec is not vulnerable.

#52, 08-18-2009, 09:25 AM, nospa (New Member, Join Date: Aug 2009, Posts: 1)
I've disabled direct root login, disabled php system functions, disabled root login from untrusted IPs, disabled compilers except for root, rmmod'ed the sctp module and removed all affected .ko files from /lib/modules/[kernel-version]/kernel/net, and disabled SELinux. What else can I do to protect CentOS 4?

#53, 08-18-2009, 04:15 PM, zacharooni (Premium Member, Join Date: Apr 2005, Location: Lansing, MI, Posts: 1,092)
Upgrade to CentOS 5, @nospa.
If you need help configuring modules in make menuconfig, try this page; it's helped me a lot:

http://kmuto.jp/debian/hcl/

#54, 08-18-2009, 04:51 PM, tchryan (Junior Guru Wannabe, Join Date: Aug 2008, Location: Troy, MI, Posts: 53)
Upgrading to CentOS 5 does not patch the issue; people are clearly not understanding this. The only way to patch the issue is to UPGRADE YOUR KERNEL.

#55, 08-18-2009, 05:06 PM, zacharooni (Premium Member, Join Date: Apr 2005, Location: Lansing, MI, Posts: 1,092)
I didn't say it would patch it, I just said he should probably upgrade to 5.
Patch it with grsec:

[root@tau ~]# uname -sri
Linux 2.6.30.4-grsec-lockdown x86_64

#56, 08-18-2009, 05:17 PM, tchryan (Junior Guru Wannabe, Join Date: Aug 2008, Location: Troy, MI, Posts: 53)
It's worth noting again: grsec prevents successful execution of the exploit, but the exploit is still there, so upgrade the kernel. It has happened many times in the past that exploits blow clean through grsec, and it stands to reason it can and will happen again in the future. Further, grsec implies additional maintenance requirements outside the scope of management ability for many individuals who depend on stable, reliable and regular binary kernel updates.

#57, 08-18-2009, 06:16 PM, Doobla (Junior Guru Wannabe, Join Date: Dec 2002, Posts: 39)
Thanks for your work on this, Ryan. Much appreciated.

#58, 08-18-2009, 06:23 PM, StevenG (Web Hosting Master, Join Date: Apr 2002, Location: Auckland - New Zealand, Posts: 1,438)
Sometimes upgrading kernels brings with it new, as yet unknown exploits. That has happened before as well. Sometimes patching a stable and tested kernel build is preferable to installing a new and untested but stable kernel. Checking the changelogs between the installed and new kernel versions is always recommended before upgrading.

I'd still recommend upgrading to the latest kernel, if you aren't comfortable with patching and I'd agree that grsec isn't all that.

__________________
Out Of Retirement
Still Fishing

#59, 08-19-2009, 02:02 AM, kgeedorah (New Member, Join Date: Aug 2009, Posts: 1)
Quote (Originally Posted by tchryan):
The upkern_cos4 now uses native RHEL4 patched rpm's buil
[...snip...]
tchryan:

Thanks for all the useful info thus far - could you provide your spec file for this build? (I'm sure you're above board - but some of us might want to build/patch our own RPMs).

#60, 08-21-2009, 09:43 PM, tchryan (Junior Guru Wannabe, Join Date: Aug 2008, Location: Troy, MI, Posts: 53)
kgeedorah, the source rpm file is located in the download directory:
http://bala.tchmachines.com/kernel-2...8.0.30.tch.EL/

WARNING: CENTOS 4.8 was released today which contains kernel 2.6.9-89.0.7, this kernel IS VULNERABLE.

[root@hoth ~]# uname -a
Linux hoth.tchmachines.com 2.6.9-89.0.7.ELsmp #1 SMP Fri Aug 14 10:12:44 EDT 2009 i686 i686 i386 GNU/Linux
[test@hoth ~]$ ./1397041_exp_nulldef_sendpage
[+] MAPPED ZERO PAGE!
[+] Resolved security_ops to 0xc0457740
[+] Resolved sel_read_enforce to 0xc01b3e27
[+] got ring0!
[+] detected 2.6 style 4k stacks
[+] Disabled security of : SELinux
[+] Got root!
sh-3.00#

You can still apply centos 4.8 updates with the following command:
yum update --exclude=kernel --exclude=kernel-smp --exclude=kernel-devel