Kernel Root Exploit? [message #27179]
Mon, 11 February 2008 18:08
mperkel (Senior Member; Messages: 253; Registered: December 2006)

Someone alerted me to this.
https://bugzilla.redhat.com/show_bug.cgi?id=432229

Description of problem:

Local user can obtain root access (as described below).

This bug is being actively exploited in the wild -- our server was just broken
into by an attacker using it. (They got a user's password by previously
compromising a machine somewhere else where that user had an account, and
installed a modified ssh binary on it to record user names and passwords. Then
they logged in to our site as that user, exploited CVE-2008-0010, and became root.)

It is EXTREMELY urgent that a fixed kernel be provided ASAP given that this bug
is being actively exploited in the wild.

There is a fix listed upstream in 2.6.23.15 and 2.6.24.1. However, even after
applying that patch and recompiling the kernel, the escalation-of-privilege
exploit still worked, so I am wondering if 2.6.23.15 does not completely fix it.

Version-Release number of selected component (if applicable):

All 2.6.23.x kernels

How reproducible: 100%

Steps to Reproduce:
1. Download http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
2. cc -o exploit 27704.c
3. [as non-privileged user] ./exploit

Actual results:

Root shell

Expected results:

No root shell.

Additional info:

When I altered the kernel spec file for 2.6.23.14-115.fc8 to pull 2.6.23.15
instead of 2.6.23.14 (and altered linux-2.6-highres-timers.patch to apply
cleanly, and removed the already-included-in-2.6.23.15 patches
linux-2.6-net-silence-noisy-printks.patch and
linux-2.6-freezer-fix-apm-emulation-breakage.patch), rebuilt a new kernel RPM,
installed it, and rebooted, the above exploit still worked. So it is possible an
additional patch is needed against 2.6.23, unless I just goofed somehow in my
kernel rebuild. (I did check, and the file fs/splice.c was correctly patched and
included the lines that were supposed to fix this problem...)

More info:

Marc,

Even better:

http://home.powertech.no/oystein/ptpatch2008/


Junk Email Filter
http://www.junkemailfilter.com

Re: Kernel Root Exploit? [message #27448 is a reply to message #27179]
Mon, 18 February 2008 08:21
xemul (Senior Member; Messages: 248; Registered: November 2005)

2.6.20+ kernels are development ones. This means that they are not as stable as 2.6.18 is, and some of them (2.6.20 and 2.6.22) are no longer supported.
But why can't you use the 2.6.18 kernel? Is there any functionality missing or an API change? Please report it and we'll try to solve these issues.