f13.net

f13.net General Forums => General Discussion => Topic started by: Trippy on August 13, 2009, 09:06:00 PM



Title: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: Trippy on August 13, 2009, 09:06:00 PM
A major security flaw in the Linux kernel was just announced today. There's a trivial exploit using it to elevate code to kernel privileges. Linus committed a patch that fixes this today but that means all but the latest 2.4 - 2.6 kernels out there are potentially vulnerable to this unless you've manually applied the patch yourself and recompiled.

Announcement (http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html)

Patch (diff) (http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e694958388c50148389b0e9b9e9e8945cf0f1b98;hp=a3620f7545344f932873bf98fbdf416b49409c8e)

Edit: potentially vulnerable; newer kernels (e.g. 2.6.23+, which added mmap_min_addr) and security patches may mitigate this exploit.

Edit2: Okay, it looks like there was a way to bypass mmap_min_addr (http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html) through 2.6.30.2 :uhrr:

CVE-2009-2692 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2692) announcement

Ubuntu bug tracker (https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.15/+bug/413656) (priority is set to "Medium" :oh_i_see:)

RedHat bug tracker (https://bugzilla.redhat.com/show_bug.cgi?id=516949)

Sample exploit code (http://seclists.org/fulldisclosure/2009/Aug/0180.html)




Title: Re: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: fuser on August 14, 2009, 12:20:41 AM
This is insanely major as the disclosure was published on the same day as a patch. With any code injection vectors a remote host can be rooted.

RHEL5 with a recent plus a proper /proc/sys/vm/mmap_min_addr set above zero without SELinux should be safe. Oh well, there goes Friday to patching :uhrr:


Title: Re: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: Trippy on August 14, 2009, 12:57:56 AM
Quote
This is insanely major as the disclosure was published on the same day as a patch.
Yes, I don't know why they did it this way given the publishers are a couple of Google people (i.e. not black hats). My guess is there was a "zero-day" exploit using this that somebody stumbled across, and so they hastily put together the disclosure/advisory.

Quote
RHEL5 with a recent plus a proper /proc/sys/vm/mmap_min_addr set above zero without SELinux should be safe. Oh well, there goes Friday to patching :uhrr:
SELinux actually does help against remote attackers as it doesn't allow network daemons to map to page 0. If you have local access on a machine with SELinux running, though, you can exploit this hole.

http://eparis.livejournal.com/
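As an added example, not code from the thread or from any of the linked advisories: a POSIX shell check for the mmap_min_addr mitigation that fuser and Trippy discuss above. It reads /proc/sys/vm/mmap_min_addr (or a file path you pass, so it can be tried on a constructed file), reports whether the value is above zero, and separately parses a `uname -r` style version string against the 2.6.23 release the thread names as the one that added the knob upstream. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked advisories:
# a host check for the mmap_min_addr mitigation discussed in the posts
# above. Function and variable names are assumptions of this example.

# Read a sysctl file and return 0 when mmap_min_addr is above zero,
# 1 when it is zero (userspace may map page 0), 2 when it cannot be read.
# The path argument lets the function run on a constructed file; it
# defaults to the real /proc entry.
mmap_min_addr_ok() {
    file="${1:-/proc/sys/vm/mmap_min_addr}"
    if [ ! -r "$file" ]; then
        echo "mmap_min_addr: not readable at $file (kernel lacks the knob, or /proc not mounted)"
        return 2
    fi
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        ''|*[!0-9]*)
            echo "mmap_min_addr: unexpected contents '$value'"
            return 2 ;;
    esac
    if [ "$value" -gt 0 ]; then
        echo "mmap_min_addr=$value: mappings below that address are refused"
        return 0
    fi
    echo "mmap_min_addr=0: userspace may map page 0 (mitigation off)"
    return 1
}

# Print a version component as a number, or 0 when it is missing or not
# numeric, so "2.6.31-rc5" and "3.0" both parse.
_num() {
    case "$1" in
        ''|*[!0-9]*) echo 0 ;;
        *) echo "$1" ;;
    esac
}

# Return 0 when a "uname -r" style string is 2.6.23 or newer, the release
# the thread names as the one that added mmap_min_addr upstream.
# Distribution kernels backport features (the thread treats the
# 2.6.18-based RHEL5 kernel as having the knob), so this is only a hint;
# the file check above is the authoritative answer.
kernel_has_mmap_min_addr() {
    ver="${1:-$(uname -r)}"
    base="${ver%%-*}"                    # drop "-128.el5" style suffixes
    major=$(_num "$(printf '%s\n' "$base" | cut -d. -f1)")
    minor=$(_num "$(printf '%s\n' "$base" | cut -d. -f2)")
    patch=$(_num "$(printf '%s\n' "$base" | cut -d. -f3)")
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -gt 6 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 23 ]; then return 0; fi
    return 1
}

# Stand-alone usage: report on the running host.
mmap_min_addr_ok || :
if kernel_has_mmap_min_addr; then
    echo "kernel $(uname -r): upstream release has mmap_min_addr (2.6.23+)"
else
    echo "kernel $(uname -r): upstream release predates 2.6.23, look for a backport"
fi
```

A non-zero value only confirms the sysctl is set; as the first post's Edit2 notes, there was a way around mmap_min_addr through 2.6.30.2, so the vendor kernel errata linked later in the thread are the actual fix and this check is a quick sanity test, not proof that a host is patched.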


Title: Re: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: Trippy on August 14, 2009, 01:45:17 AM
Linus' comments on this latest exploit:

http://marc.info/?l=linux-kernel&m=125020668308465&w=2

Quote
There's the NULL pointer fix that was already talked up on Slashdot, but
quite frankly, assuming we got all the "you can't map things at zero"
issues fixed from the last scare, that one hopefully wasn't quite as bad
as it could have been.

[ What was perhaps an interesting (if trivial) detail is that if it
  hadn't been for vendor-sec apparently leaking like a sieve, we'd have
  delayed the fix until the next -rc due to trying to be polite to
  vendors.

  So this may be one of the few times I'm actually happy about vendor-sec
  (even if it's because it failed to work the way it's supposed to ;),
  since I heartily dislike embargoes. ]
So it sounds like this was known but kept under wraps to allow vendors to update their kernels but then somebody leaked that info somewhere.


Title: Re: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: Ookii on August 14, 2009, 08:24:11 AM
So when can I 'apt-get upgrade' my problems away?

Also I thought this was local only.


Title: Re: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: fuser on August 14, 2009, 11:37:31 AM
Hey Trippy, the CVE is set and pretty up to date in the database now:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2692

Quote
Also I thought this was local only.

If you can run code, i.e. via SQL injection or other exploits, you can be remotely exploited. Usually running a remote exploit gives you access as the daemon's owner, so it's still a bit harder to exploit a system, but tagging this exploit along now provides a very easy way to bust open and rootshell a host.

Oh, and here's Red Hat's mitigation: https://bugzilla.redhat.com/show_bug.cgi?id=516949#c10


Title: Re: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: Trippy on August 14, 2009, 06:32:13 PM
I can't get the sample exploit code to compile on my machines :oh_i_see:

http://seclists.org/fulldisclosure/2009/Aug/0180.html


Title: Re: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: Trippy on August 20, 2009, 11:19:55 PM
Quote
So when can I 'apt-get upgrade' my problems away?

Also I thought this was local only.
Ubuntu kernel updates were released yesterday:

http://www.ubuntu.com/usn/usn-819-1


Title: Re: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: Righ on August 21, 2009, 10:30:54 PM
Quote
I can't get the sample exploit code to compile on my machines :oh_i_see:

http://seclists.org/fulldisclosure/2009/Aug/0180.html

Depending on the default assembler environment you might have to pass some flags to gcc, particularly on 64 bit systems. It does seem to work on a lot of systems regardless of architecture. You might also want to play with this one:

http://milw0rm.com/sploits/2009-wunderbar_emporium.tgz

Here's the Android port:

http://packetstormsecurity.org/filedesc/android-root-20090816.tar-gz.html

Does anybody remember why we care about SVR4 compatibility after SCO bought it?


Title: Re: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: Yegolev on August 22, 2009, 05:42:08 PM
I thought it was all POSIX this and that now and UNIX was just an easy label. I work with mostly one variant, though, so I'm probably in the dark, but we don't care about SCO. Particularly since IBM doesn't give a shit about compatibility unless it makes a sale, like the Linux compatibility they stuck in AIX 5.


Title: Re: SECURITY: Local Privilege Escalation in Linux Kernels
Post by: fuser on August 24, 2009, 09:44:57 AM
RHEL4 (https://rhn.redhat.com/errata/RHSA-2009-1223.html) fixes just went live; CentOS4 has patched i386/x64.

Edit:
RHEL5 (https://rhn.redhat.com/errata/RHSA-2009-1222.html) fixes just went live, CentOS5 should be done today