There is a new local root exploit found in Linux kernels 2.6.17 to 2.6.24.1. Here’s a proof-of-concept, which basically works as a “passwordless su”.
I have tested the exploit on a few systems I manage, and it just plain works on a number of them. The distros I have around that are vulnerable are:
- Fedora 8
- CentOS 5/5.1 (and therefore presumably RHEL as well)
- Debian Etch
- Ubuntu 7.10
On one oddball Debian Etch system the exploit segfaulted, but to me that doesn’t rule out that the hole is still there. On older boxes (tested on a couple Debian Sarge systems), the kernel is too old to have the vulnerable vmsplice feature.
The hole is patched in 2.6.24.2, but compiling and installing that on a production system really isn’t a viable alternative.
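A quick defender-side check, added here as an example and not part of the original post: it compares a kernel version string with the affected range the post gives (2.6.17 through 2.6.24.1). The range check itself is only a heuristic, because distribution kernels such as the CentOS 2.6.18 or Debian Etch kernels carry backported fixes without changing the upstream version number, so a hit means “look at your vendor’s advisory”, not “definitely exploitable”. The helper names (`version_key`, `vmsplice_affected`, `vmsplice_verdict`) are my own.

```shell
#!/bin/sh
# Added example: heuristic kernel version check against the vmsplice-affected
# range. Not code from the original post; function names are assumptions.

# Convert a version string into a comparable integer. Only the leading dotted
# numeric part is used, so "2.6.18-53.1.6.el5" -> 2.6.18 and
# "2.6.24.1-rc3" -> 2.6.24.1. Key = major*1e8 + minor*1e6 + patch*1e3 + sub.
version_key() {
    numeric=$(printf '%s\n' "$1" | sed -e 's/^\([0-9][0-9.]*\).*/\1/' -e 's/\.$//')
    oldifs=$IFS
    IFS=.
    set -- $numeric
    IFS=$oldifs
    a=${1:-0}; b=${2:-0}; c=${3:-0}; d=${4:-0}
    echo $(( a * 100000000 + b * 1000000 + c * 1000 + d ))
}

# Exit status 0 when the upstream version falls inside 2.6.17 .. 2.6.24.1,
# the range the post names as affected.
vmsplice_affected() {
    key=$(version_key "$1")
    lo=$(version_key 2.6.17)
    hi=$(version_key 2.6.24.1)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Human-readable verdict; "affected" here means "check the vendor advisory
# for a backported fix", since the version number alone cannot tell.
vmsplice_verdict() {
    if vmsplice_affected "$1"; then
        echo "$1: upstream version inside affected range 2.6.17..2.6.24.1 (verify vendor backports)"
    else
        echo "$1: outside affected range"
    fi
}

# Stand-alone use: check the running kernel.
vmsplice_verdict "$(uname -r)"
```

Run it as a normal user on each box; it needs no privileges, since it only reads `uname -r`. On a system with a backported fix the verdict still says “inside affected range”, which is exactly the case where the vendor’s changelog, not the version string, is the source of truth.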
I’d hate for this to turn into a flamewar on Linux security, or how dangerous a local root exploit really is. It’s there, it’s not the end of the world in any way, but it very much needs fixing. I am really interested in hearing if anyone has seen patched kernels for the main distros, or when they show up. Most of the vulnerable systems I have don’t have any users on them (other than people who have root access “the normal way”), but I currently have a couple of machines locked down (sshd stopped or normal users disabled). Both of those are Debian Etch, and those guys generally are quite snappy in providing security updates.
Edit: There is some kind of “temp fix” available here, which simply disables the vmsplice system call on a running kernel. Haven’t tried it yet, and apparently it mostly just crashes the system entirely.
Edit #2: Just received an auto-update from Fedora:
ID: FEDORA-2008-1423
Issued: 2008-02-11 20:30:09.696513
Bugs: 429364 429412 426574 390531 427641 432229 427518 233255 430663 426480 431360
Description: Update to Linux kernel 2.6.23.15:
Fix vmsplice local root vulnerability:
CVE-2008-0009: Fixed by update to 2.6.23.15.
CVE-2008-0010: Fixed by update to 2.6.23.15.
CVE-2008-0600: Extra fix from upstream applied.
Fix memory leak in netlabel code.
Work around broken Seagate LBA48 disks. (#429364)
Fix futex oops on uniprocessor machine. (#429412)
Add support for new Macbook touchpads. (#426574)
Fix the initio driver broken in 2.6.23. (#390531)
Fix segfaults from using vdso=2. (#427641)
FireWire updates, fixing multiple problems. (#429598)
ACPI: fix multiple problems with brightness controls (#427518)
Fix Megahertz PCMCIA Ethernet adapter (#233255)
Fix oops in netfilter. (#430663)
ACPI: fix early init of EC (#426480)
ALSA: fix audio on some systems with STAC codec (#431360)
Atheros L2 fast Ethernet driver (atl2) for ASUS Eeepc.
ASUS Eeepc ACPI hotkey driver.
Wireless driver updates from upstream.