OpenVZ Forum: Support » Kernel Root Exploit?

Home » General » Support » Kernel Root Exploit?

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Kernel Root Exploit? [message #27179]

Mon, 11 February 2008 18:08

mperkel
Messages: 253
Registered: December 2006

Senior Member

Someone alerted me to this.

https://bugzilla.redhat.com/show_bug.cgi?id=432229

Description of problem:

Local user can obtain root access (as described below).

This bug is being actively exploited in the wild -- our server was just broken
in to by an attacker using it. (They got a user's password by previously
compromising a machine somewhere else where that user had an account, and
installed a modified ssh binary on it to record user names and passwords. Then
they logged in to our site as that user, exploited CVE-2008-0010, and became root).

It is EXTREMELY urgent that a fixed kernel be provided ASAP given that this bug
is being actively exploited in the wild.

There is a fix listed upstream in 2.6.23.15 and 2.6.24.1. However, even after
applying that patch and recompiling the kernel, the escalation-of-privilege
exploit still worked so I am wondering if 2.6.23.15 does not completely fix it.

Version-Release number of selected component (if applicable):

All 2.6.23.x kernels

How reproducible: 100%

Steps to Reproduce:
1. Download http://downloads.securityfocus.com/vulnerabilities/exploits/ 27704.c
2. cc -o exploit 27704.c
3. [as non-privileged user] ./exploit

Actual results:

Root shell

Expected results:

No root shell.

Additional info:

When I altered the kernel spec file for 2.6.23.14-115.fc8 to pull 2.6.23.15
instead of 2.6.23.14 (and altered linux-2.6-highres-timers.patch to apply
cleanly, and removed the already-included-in-2.6.23.15 patches
linux-2.6-net-silence-noisy-printks.patch and
linux-2.6-freezer-fix-apm-emulation-breakage.patch), rebuilt a new kernel RPM,
installed it, and rebooted, the above exploit still worked. So it is possible an
additional patch is needed against 2.6.23, unless I just goofed somehow in my
kernel rebuild. (I did check and the file fs/splice.c was correctly patched and
included the lines that were suppose to fix this problem...)

More info:

Marc,

Even better:

http://home.powertech.no/oystein/ptpatch2008/

Junk Email Filter
http://www.junkemailfilter.com

Report message to a moderator

[Message index]

		Kernel Root Exploit? By: mperkel on Mon, 11 February 2008 18:08
		Re: Kernel Root Exploit? By: xemul on Wed, 13 February 2008 10:03
		Re: Kernel Root Exploit? By: sara3 on Fri, 15 February 2008 11:43
		Re: Kernel Root Exploit? By: sara3 on Fri, 15 February 2008 11:51
		Re: Kernel Root Exploit? By: mperkel on Fri, 15 February 2008 13:09
		Re: Kernel Root Exploit? By: elronxenu on Fri, 15 February 2008 13:50
		Re: Kernel Root Exploit? By: sara3 on Fri, 15 February 2008 14:01
		Re: Kernel Root Exploit? By: elronxenu on Sat, 16 February 2008 00:08
		Re: Kernel Root Exploit? By: mperkel on Fri, 15 February 2008 14:04
		Re: Kernel Root Exploit? By: sspt on Fri, 15 February 2008 14:26
		Re: Kernel Root Exploit? By: sara3 on Fri, 15 February 2008 14:38
		Re: Kernel Root Exploit? By: sara3 on Fri, 15 February 2008 16:23
		Re: Kernel Root Exploit? By: sara3 on Fri, 15 February 2008 23:01
		Re: Kernel Root Exploit? By: mperkel on Sat, 16 February 2008 00:17
		Re: Kernel Root Exploit? By: xemul on Mon, 18 February 2008 08:21

Previous Topic:	Just looking for a few tips.
Next Topic:	SOLVED Kernel 2.6.20+ ?

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Wed Oct 02 20:10:16 GMT 2024

Total time taken to generate the page: 0.05018 seconds