Topic: SECURITY: Local Privilege Escalation in Linux Kernels (Read 2310 times)
|
Trippy
Administrator
Posts: 23626
|
A major security flaw in the Linux kernel was just announced today. There's a trivial exploit using it to elevate code to kernel privileges. Linus committed a patch that fixes this today but that means all but the latest 2.4 - 2.6 kernels out there are potentially vulnerable to this unless you've manually applied the patch yourself and recompiled.

Announcement
Patch (diff)

Edit: potentially vulnerable, newer kernels (e.g. 2.6.23+ which added mmap_min_addr) and security patches may mitigate this exploit

Edit2: okay it looks like there was a way to bypass mmap_min_addr through 2.6.30.2

CVE-2009-2692 announcement
Ubuntu bug tracker (priority is set to "Medium")
RedHat bug tracker
Sample exploit code
|
|
« Last Edit: August 14, 2009, 06:32:45 PM by Trippy »
|
|
|
|
|
fuser
Terracotta Army
Posts: 1572
|
This is insanely major as the disclosure was published on the same day as a patch. With any code injection vectors a remote host can be rooted. RHEL5 with a recent plus a proper /proc/sys/vm/mmap_min_addr set above zero without SELinux should be safe. Oh well, there goes Friday to patching.
|
|
|
|
Trippy
Administrator
Posts: 23626
|
> This is insanely major as the disclosure was published on the same day as a patch.

Yes I don't know why they did it this way given the publishers are a couple of Google people (i.e. not black hats). My guess is there was a "zero-day" exploit using this that somebody stumbled across and so they hastily put together the disclosure/advisory.

> RHEL5 with a recent plus a proper /proc/sys/vm/mmap_min_addr set above zero without SELinux should be safe. Oh well, there goes Friday to patching.

SELinux actually does help against remote attackers as it doesn't allow network daemons to map to page 0. If you have local access on a machine with SELinux running, though, you can exploit this hole.

http://eparis.livejournal.com/
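
A triage check built from the two thresholds mentioned in the posts above (mmap_min_addr added in 2.6.23, a bypass reported through 2.6.30.2). It is an added example, not code from any poster or from the kernel project; the function names `ver_le` and `assess` and the three result labels are made up for it. It compares upstream version numbers only, so a distribution kernel with a backported fix is still flagged.

```shell
#!/bin/sh
# Added example (not from the thread): classify a host by the two mitigation
# facts the posts give: mmap_min_addr appeared in 2.6.23, and a bypass of it
# was reported through 2.6.30.2. Upstream version numbers only; a result other
# than page0-mappable never means the kernel itself is patched.

# ver_le A B: succeed when dotted version A <= B (first four numeric fields).
ver_le() {
    # Drop any "-rc6" / "-128.el5" suffix, then pad so four fields always exist.
    va="$(printf '%s' "$1" | sed 's/[^0-9.].*$//').0.0.0"
    vb="$(printf '%s' "$2" | sed 's/[^0-9.].*$//').0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$va" | cut -d. -f"$i"); fa=${fa:-0}
        fb=$(printf '%s' "$vb" | cut -d. -f"$i"); fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# assess KERNEL_VERSION MMAP_MIN_ADDR: print one label (labels are made up here).
assess() {
    kver=$1
    min_addr=$2
    case $min_addr in
        # Assumption: a missing or unreadable sysctl is treated as no protection.
        ''|*[!0-9]*) echo "page0-mappable"; return 0 ;;
    esac
    if [ "$min_addr" -eq 0 ]; then
        echo "page0-mappable"        # nothing stops a mapping at address zero
    elif ver_le "$kver" 2.6.30.2; then
        echo "min-addr-bypassable"   # setting present, but within the bypass range
    else
        echo "min-addr-enforced"     # setting present and past the reported bypass
    fi
}

# Check the local machine (on non-Linux systems the sysctl file is absent).
assess "$(uname -r)" "$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || true)"
```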
|
|
|
|
Trippy
Administrator
Posts: 23626
|
Linus' comments on this latest exploit: http://marc.info/?l=linux-kernel&m=125020668308465&w=2

> There's the NULL pointer fix that was already talked up on Slashdot, but quite frankly, assuming we got all the "you can't map things at zero" issues fixed from the last scare, that one hopefully wasn't quite as bad as it could have been.
>
> [ What was perhaps an interesting (if trivial) detail is that if it hadn't been for vendor-sec apparently leaking like a sieve, we'd have delayed the fix until the next -rc due to trying to be polite to vendors.
>
> So this may be one of the few times I'm actually happy about vendor-sec (even if it's because it failed to work the way it's supposed to ;), since I heartily dislike embargoes. ]

So it sounds like this was known but kept under wraps to allow vendors to update their kernels but then somebody leaked that info somewhere.
|
|
|
|
Ookii
Staff Emeritus
Posts: 2676
is actually Trippy
|
So when can I 'apt-get upgrade' my problems away?
Also I thought this was local only.
|
|
|
|
fuser
Terracotta Army
Posts: 1572
|
|
|
« Last Edit: August 14, 2009, 11:39:04 AM by fuser »
|
|
|
|
|
Trippy
Administrator
Posts: 23626
|
|
|
|
|
Trippy
Administrator
Posts: 23626
|
|
|
|
|
Righ
Terracotta Army
Posts: 6542
Teaching the world Google-fu one broken dream at a time.
|
|
The camera adds a thousand barrels. - Steven Colbert
|
|
|
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
|
I thought it was all POSIX this and that now and UNIX was just an easy label. I work with mostly one variant, though, so I'm probably in the dark but we don't care about SCO. Particularly since IBM doesn't give a shit about compatibility unless it makes a sale, like the Linux compatibility they stuck in AIX 5.
|
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone
|
|
|
fuser
Terracotta Army
Posts: 1572
|
RHEL4 fixes just went live; CentOS4 has patched i386/x64.

Edit: RHEL5 fixes just went live, CentOS5 should be done today.
|
|
« Last Edit: August 24, 2009, 09:47:19 AM by fuser »