Author Topic: SECURITY: Local Privilege Escalation in Linux Kernels  (Read 2310 times)
Trippy
Administrator
Posts: 23626


on: August 13, 2009, 09:06:00 PM

A major security flaw in the Linux kernel was just announced today. There's a trivial exploit using it to elevate code to kernel privileges. Linus committed a patch that fixes this today but that means all but the latest 2.4 - 2.6 kernels out there are potentially vulnerable to this unless you've manually applied the patch yourself and recompiled.

Announcement

Patch (diff)

Edit: potentially vulnerable, newer kernels (e.g. 2.6.23+ which added mmap_min_addr) and security patches may mitigate this exploit

Edit2: okay it looks like there was a way to bypass mmap_min_addr through 2.6.30.2 swamp poop

CVE-2009-2692 announcement

Ubuntu bug tracker (priority is set to "Medium")

RedHat bug tracker

Sample exploit code


« Last Edit: August 14, 2009, 06:32:45 PM by Trippy »
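An added illustration of the bug class, not code from the thread, the linked advisory or the kernel patch: a user-space model of the kernel's protocol-ops dispatch. sock_sendpage() reached from sendfile(2) called sock->ops->sendpage without checking it, and several protocol families (PF_PPPOX, the one the public PoC uses, among them) never filled that slot in, so the call went to address 0; Linus's fix routes the call through kernel_sendpage(), which checks the slot and falls back to sock_no_sendpage(). The names below (proto_ops, tcp_sendpage, no_sendpage, demo) and the byte counting are stand-ins for the real structures and send path.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the dispatch behind CVE-2009-2692 (added example,
 * not kernel code). The kernel's sock_sendpage() sat behind sendfile(2) on
 * a socket and called sock->ops->sendpage; families whose proto_ops table
 * left that slot NULL sent the CPU to address 0. Names are stand-ins. */

struct page {
    const char *data;
    size_t len;
};

typedef long (*sendpage_fn)(const struct page *pg, size_t off, size_t n);

struct proto_ops {
    const char *family;
    sendpage_fn sendpage;   /* NULL in the affected families */
};

struct socket {
    const struct proto_ops *ops;
};

/* A family that implements sendpage: hand the page to the transport as-is. */
static long tcp_sendpage(const struct page *pg, size_t off, size_t n)
{
    if (off > pg->len)
        return -EINVAL;
    return (long)(n > pg->len - off ? pg->len - off : n);
}

/* Generic fallback in the spirit of sock_no_sendpage(): copy the bytes
 * into a message buffer and send that, instead of a per-family method. */
static long no_sendpage(const struct page *pg, size_t off, size_t n)
{
    char msg[256];
    if (off > pg->len)
        return -EINVAL;
    if (n > pg->len - off)
        n = pg->len - off;
    if (n > sizeof msg)
        n = sizeof msg;
    memcpy(msg, pg->data + off, n);
    return (long)n;
}

static const struct proto_ops tcp_ops   = { "PF_INET/TCP", tcp_sendpage };
/* Modelled on one of the affected families (the public PoC used PF_PPPOX). */
static const struct proto_ops pppox_ops = { "PF_PPPOX", NULL };

const struct socket tcp_sock   = { &tcp_ops };
const struct socket pppox_sock = { &pppox_ops };

/* Pre-fix shape: call through the pointer unconditionally. With a NULL
 * slot this is a jump to address 0; in the kernel that executes whatever
 * the caller mapped at page zero, with kernel privilege (here it would
 * just SIGSEGV), so only call it when would_jump_to_null() says 0. */
static long sock_sendpage_vulnerable(const struct socket *s,
                                     const struct page *pg, size_t off, size_t n)
{
    return s->ops->sendpage(pg, off, n);
}

/* 1 if the unchecked dispatcher would jump through NULL for this socket. */
int would_jump_to_null(const struct socket *s)
{
    return s->ops->sendpage == NULL;
}

/* Post-fix shape (what kernel_sendpage() does): check the slot, fall back. */
long sock_sendpage_fixed(const struct socket *s,
                         const struct page *pg, size_t off, size_t n)
{
    if (s->ops->sendpage)
        return s->ops->sendpage(pg, off, n);
    return no_sendpage(pg, off, n);
}

/* Run a constructed request through both dispatchers on both sockets.
 * Returns how many sockets the fixed dispatcher served without error. */
int demo(void)
{
    static const char body[] = "GET / HTTP/1.0\r\n\r\n";   /* constructed input */
    const struct page pg = { body, sizeof body - 1 };
    const struct socket *socks[] = { &tcp_sock, &pppox_sock };
    int served = 0;

    for (size_t i = 0; i < sizeof socks / sizeof socks[0]; i++) {
        long fixed = sock_sendpage_fixed(socks[i], &pg, 0, pg.len);
        if (!would_jump_to_null(socks[i]))
            printf("%-12s unchecked path: %ld bytes\n", socks[i]->ops->family,
                   sock_sendpage_vulnerable(socks[i], &pg, 0, pg.len));
        else
            printf("%-12s unchecked path: jumps to NULL\n", socks[i]->ops->family);
        printf("%-12s checked path:   %ld bytes\n", socks[i]->ops->family, fixed);
        if (fixed >= 0)
            served++;
    }
    return served;
}

int main(void)
{
    return demo() == 2 ? 0 : 1;
}
```

The point to take from the model is why the mmap_min_addr edits above matter: the NULL slot on its own is a crash, and it only becomes privilege escalation when an unprivileged process is allowed to put code at address 0 for that call to land in.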
fuser
Terracotta Army
Posts: 1572


Reply #1 on: August 14, 2009, 12:20:41 AM

This is insanely major as the disclosure was published on the same day as a patch. With any code injection vector a remote host can be rooted.

RHEL5 with a recent plus a proper /proc/sys/vm/mmap_min_addr set above zero without SELinux should be safe. Oh well there goes friday to patching swamp poop
Trippy
Administrator
Posts: 23626


Reply #2 on: August 14, 2009, 12:57:56 AM

Quote
This is insanely major as the disclosure was published on the same day as a patch.
Yes I don't know why they did it this way given the publishers are a couple of Google people (i.e. not black hats). My guess is there was a "zero-day" exploit using this that somebody stumbled across and so they hastily put together the disclosure/advisory.

Quote
RHEL5 with a recent plus a proper /proc/sys/vm/mmap_min_addr set above zero without SELinux should be safe. Oh well there goes friday to patching swamp poop
SELinux actually does help against remote attackers as it doesn't allow network daemons to map to page 0. If you have local access on a machine with SELinux running, though, you can exploit this hole.

http://eparis.livejournal.com/
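A host-side check for the mitigation fuser and Trippy are discussing, added here as an example (my own code, not from the thread, the Red Hat bugzilla or the eparis post): read vm.mmap_min_addr, then try the first thing every exploit for this bug needs, a MAP_FIXED mapping at address 0. Whatever the sysctl says, the mmap result is the truth for the context you run it in, which is Trippy's point about SELinux domains. The last function reports the SVR4 personality flag (MMAP_PAGE_ZERO) that the personality-based bypass of mmap_min_addr in pre-2.6.31 kernels relied on. Function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <unistd.h>

/* Added example (not from the thread or any vendor advisory): probe whether
 * the page-zero mitigation protects the context this process runs in. */

/* Parse the sysctl's text form ("65536\n"); -1 on malformed input. */
long parse_mmap_min_addr(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || v < 0)
        return -1;
    while (*end == ' ' || *end == '\n')
        end++;
    return *end == '\0' ? v : -1;
}

/* Read /proc/sys/vm/mmap_min_addr; -1 if absent (pre-2.6.23 kernel, non-Linux). */
long read_mmap_min_addr(void)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f)
        return -1;
    const char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return line ? parse_mmap_min_addr(line) : -1;
}

/* Attempt what an exploit for CVE-2009-2692 needs first: a mapping at
 * virtual address 0. MAP_FIXED is required; a plain hint of 0 means "anywhere".
 * Returns 1 if page zero is mappable from this process, 0 if the kernel refused
 * with EPERM (mmap_min_addr or the LSM did its job), -1 on any other error.
 * Note the success value of mmap() here is 0 itself, so test for MAP_FAILED,
 * never for a NULL result. */
int probe_page_zero(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno == EPERM ? 0 : -1;
    /* Got it. Unmap immediately: a live page zero turns every NULL
     * dereference in this process into a read of data we control. */
    munmap(p, pg);
    return 1;
}

/* The SVR4 personality (PER_SVR4) sets MMAP_PAGE_ZERO, which asks the ELF
 * loader to map page zero on exec. Report whether this process carries it. */
int mmap_page_zero_flag_set(void)
{
    unsigned int pers = (unsigned int)personality(0xffffffff);
    return (pers & MMAP_PAGE_ZERO) ? 1 : 0;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    int mappable = probe_page_zero();

    if (min_addr < 0)
        printf("vm.mmap_min_addr: not available (kernel too old or no procfs)\n");
    else
        printf("vm.mmap_min_addr: %ld\n", min_addr);
    printf("MMAP_PAGE_ZERO personality flag: %s\n",
           mmap_page_zero_flag_set() ? "set" : "clear");

    if (mappable == 1)
        printf("page zero: MAPPABLE from uid %d - NULL-deref bugs are exploitable here\n",
               (int)geteuid());
    else if (mappable == 0)
        printf("page zero: refused with EPERM - mitigation is active for this context\n");
    else
        printf("page zero: mmap failed with errno %d (%s)\n", errno, strerror(errno));
    return mappable == 1;
}
```

Run it as the unprivileged user (and, on an SELinux box, under the domain via runcon) you are worried about; a "MAPPABLE" line means the sysctl value is not protecting that context, whatever /proc says. Root with CAP_SYS_RAWIO is expected to get the mapping, which is why this check is about the attacker's starting context, not the admin's.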
Trippy
Administrator
Posts: 23626


Reply #3 on: August 14, 2009, 01:45:17 AM

Linus' comments on this latest exploit:

http://marc.info/?l=linux-kernel&m=125020668308465&w=2

Quote
There's the NULL pointer fix that was already talked up on Slashdot, but
quite frankly, assuming we got all the "you can't map things at zero"
issues fixed from the last scare, that one hopefully wasn't quite as bad
as it could have been.

[ What was perhaps an interesting (if trivial) detail is that if it
  hadn't been for vendor-sec apparently leaking like a sieve, we'd have
  delayed the fix until the next -rc due to trying to be polite to
  vendors.

  So this may be one of the few time I'm actually happy about vendor-sec
  (even if it's because it failed to work the way it's supposed to ;),
  since I heartily dislike embargoes. ]
So it sounds like this was known but kept under wraps to allow vendors to update their kernels but then somebody leaked that info somewhere.
Ookii
Staff Emeritus
Posts: 2676



Reply #4 on: August 14, 2009, 08:24:11 AM

So when can I 'apt-get upgrade' my problems away?

Also I thought this was local only.

fuser
Terracotta Army
Posts: 1572


Reply #5 on: August 14, 2009, 11:37:31 AM

Hey Trippy, the CVE is set and pretty up to date in the database now:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2692

Quote
Also I thought this was local only.

If you can run code, i.e. SQL injection or other exploits, you can be remotely exploited. Usually running a remote exploit gives you access to the daemon's owner so it's still a bit harder to exploit a system, but tagging this exploit along now provides a very easy way to bust open and rootshell a host.

Oh and here's Red Hat's mitigation https://bugzilla.redhat.com/show_bug.cgi?id=516949#c10
« Last Edit: August 14, 2009, 11:39:04 AM by fuser »
Trippy
Administrator
Posts: 23626


Reply #6 on: August 14, 2009, 06:32:13 PM

I can't get the sample exploit code to compile on my machines.

http://seclists.org/fulldisclosure/2009/Aug/0180.html
Trippy
Administrator
Posts: 23626


Reply #7 on: August 20, 2009, 11:19:55 PM

Quote
So when can I 'apt-get upgrade' my problems away?

Also I thought this was local only.
Ubuntu kernel updates were released yesterday:

http://www.ubuntu.com/usn/usn-819-1
Righ
Terracotta Army
Posts: 6542



Reply #8 on: August 21, 2009, 10:30:54 PM

Quote
I can't get the sample exploit code to compile on my machines.

http://seclists.org/fulldisclosure/2009/Aug/0180.html

Depending on the default assembler environment you might have to pass some flags to gcc, particularly on 64 bit systems. It does seem to work on a lot of systems regardless of architecture. You might also want to play with this one:

http://milw0rm.com/sploits/2009-wunderbar_emporium.tgz

Here's the Android port:

http://packetstormsecurity.org/filedesc/android-root-20090816.tar-gz.html

Does anybody remember why we care about SVR4 compatibility after SCO bought it?

Yegolev
Moderator
Posts: 24440



Reply #9 on: August 22, 2009, 05:42:08 PM

I thought it was all POSIX this and that now and UNIX was just an easy label.  I work with mostly one variant, though, so I'm probably in the dark but we don't care about SCO.  Particularly since IBM doesn't give a shit about compatibility unless it makes a sale, like the Linux compatibility they stuck in AIX 5.

fuser
Terracotta Army
Posts: 1572


Reply #10 on: August 24, 2009, 09:44:57 AM

RHEL4 fixes just went live; CentOS4 has patched i386/x64.

Edit:
RHEL5 fixes just went live, CentOS5 should be done today
« Last Edit: August 24, 2009, 09:47:19 AM by fuser »
Powered by SMF 1.1.10 | SMF © 2006-2009, Simple Machines LLC