It has come to our attention via various security-related online publications that a new local root exploit is in the wild for Linux kernels 2.6.17 and above. The threat is serious: a regular user account can be turned into a privileged superuser (root) account within a couple of seconds. The exploit is local, so anything that can run code as an unprivileged user on the machine is enough to use it. When it fails on an unpatched kernel it causes a kernel panic, which renders the machine unusable until it is rebooted. More information can be found at the following URL:
http://secunia.com/advisories/28835/
An excerpt from the above URL is pasted below:
“Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose potentially sensitive information, and gain escalated privileges.
The vulnerabilities are caused due to the missing verification of parameters within the “vmsplice_to_user()”, “copy_from_user_mmap_sem()”, and “get_iovec_page_array()” functions in fs/splice.c before using them to perform certain memory operations. This can be exploited to e.g. read or write to arbitrary kernel memory via a specially crafted “vmsplice()” system call.
Successful exploitation allows attackers to e.g. gain “root” privileges.”
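To make the "missing verification of parameters" in the excerpt concrete, here is an added illustration in C. It is not code from the kernel or from the exploit: it simulates a flat address space in a byte array, with user addresses below a made-up USER_LIMIT and a "kernel" uid stored above it, and shows why a vmsplice-style copy into caller-supplied iovec entries must validate every range (including against pointer wraparound) before touching memory, which is what the access_ok() check added by the upstream fix does. All names, addresses and sizes below are invented for the simulation.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE    0x1000   /* size of the simulated flat address space (assumed) */
#define USER_LIMIT  0x800    /* simulated TASK_SIZE: user addresses lie below this */
#define KERNEL_UID  0x900    /* simulated kernel address holding the caller's uid */

static uint8_t mem[MEM_SIZE];          /* simulated memory: user below USER_LIMIT, kernel above */

struct iov {                           /* stands in for the user-supplied struct iovec */
    uintptr_t base;
    size_t    len;
};

/* Reset the simulation: zero memory and store a uid in "kernel" space. */
static void setup(uint32_t uid)
{
    memset(mem, 0, sizeof mem);
    memcpy(&mem[KERNEL_UID], &uid, sizeof uid);
}

static uint32_t read_uid(void)
{
    uint32_t uid;
    memcpy(&uid, &mem[KERNEL_UID], sizeof uid);
    return uid;
}

/* Stand-in for access_ok(): the whole range [base, base+len) must lie in user
 * space. Written so that base + len cannot wrap around; a naive
 * "base + len <= USER_LIMIT" would pass for base = UINTPTR_MAX - 1, len = 4. */
static int range_ok(uintptr_t base, size_t len)
{
    if (len > USER_LIMIT)
        return 0;
    return base <= USER_LIMIT - len;
}

/* Vulnerable pattern: scatter pipe data into the caller's iov entries as given.
 * The only bound applied keeps the simulation inside mem[]; nothing checks
 * that the target is user space, so a base in kernel space is written to. */
static long vmsplice_to_user_unchecked(const uint8_t *pipe_data, size_t n,
                                       const struct iov *iov, size_t nr)
{
    size_t copied = 0;
    for (size_t i = 0; i < nr && copied < n; i++) {
        size_t chunk = iov[i].len < n - copied ? iov[i].len : n - copied;
        if (iov[i].base > MEM_SIZE || chunk > MEM_SIZE - iov[i].base)
            return -EFAULT;
        memcpy(&mem[iov[i].base], pipe_data + copied, chunk);
        copied += chunk;
    }
    return (long)copied;
}

/* Hardened form: validate every entry before touching memory. One bad entry
 * rejects the whole call with -EFAULT and leaves memory untouched. */
static long vmsplice_to_user_checked(const uint8_t *pipe_data, size_t n,
                                     const struct iov *iov, size_t nr)
{
    for (size_t i = 0; i < nr; i++)
        if (!range_ok(iov[i].base, iov[i].len))
            return -EFAULT;
    return vmsplice_to_user_unchecked(pipe_data, n, iov, nr);
}

int main(void)
{
    static const uint8_t zeros[4] = {0, 0, 0, 0};
    struct iov evil = { KERNEL_UID, sizeof zeros };   /* attacker points iov into kernel space */

    setup(1000);
    long r = vmsplice_to_user_unchecked(zeros, sizeof zeros, &evil, 1);
    printf("unchecked: returned %ld, uid is now %u\n", r, read_uid());

    setup(1000);
    r = vmsplice_to_user_checked(zeros, sizeof zeros, &evil, 1);
    printf("checked:   returned %ld, uid is still %u\n", r, read_uid());
    return 0;
}
```

The unchecked path overwrites the simulated uid with zero (the "root" outcome the advisory describes, reduced to four bytes), while the checked path refuses the same request. The wraparound case matters in the real kernel too: a range check that adds base and len before comparing can be fooled by a pointer near the top of the address space.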
Issue
-----
In the past we have had several customers create test accounts with usernames and passwords such as test/test and username/password. Accounts such as these are a severe security risk: with a local root exploit in circulation, any account whose password can be guessed is a root account waiting to happen. Having experienced this sort of occurrence on more than a few occasions, we rate threats of this kind as high. Below is an example of how easily an exploit such as this one can be used to gain superuser access to a machine, starting from an ordinary unprivileged account:
[user@test tmp]$ uname -a
Linux testbox 2.6.24.1 #1 Mon Feb 11 17:22:31 EST 2008 i686 unknown
[user@test tmp]$ ./vms
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f56000 .. 0xb7f88000
[+] root
[root@test tmp]#
[root@test tmp]# id
uid=0(root) gid=0(root) groups=2011(user)
[root@test tmp]# uname -a
Linux testbox 2.6.24.1 #1 Mon Feb 11 17:23:00 EST 2008 i686 unknown
Fix
---
Please upgrade the system's kernel to the latest available using your package manager: the apt tools on Debian/Ubuntu machines, yum on RedHat/Fedora/CentOS systems. All vendors are now reporting that fixed kernels have been deployed to their repositories (upstream, the fix shipped in 2.6.24.2). Note that a new kernel package does not take effect until the machine has been rebooted into it; after the reboot, confirm with uname -r that the running kernel is the new one and not the old one still shown in the example above. Distribution kernels carry backported fixes, so go by your vendor's package version rather than the bare kernel version number. It is also sensible to carry out a password audit using a tool such as John the Ripper, which tests the passwords of every user account on the machine and flags any weak ones the software can guess easily, and to remove test accounts that are no longer needed.
This entry was posted on Wednesday, February 13th, 2008 at 7:48 pm and is filed under Helping Hints from our Techies.