2.6 kernel local-user root privilege hole
Ben Scott
dragonhawk at gmail.com
Sun Feb 10 21:24:10 EST 2008
On Feb 10, 2008 7:48 PM, Bill Sconce <sconce at in-spec-inc.com> wrote:
> [ I just compiled and tried it. Sure enough, the program below,
> run from user mode, gets a root shell. Yike.]
Another day, another exploit. Local privilege escalation often
isn't even rated as "highest threat" these days. It's the remote
exploits -- regardless of privilege level -- that are the biggest
problem. (Nobody really cares if the botnet program running on your
box is running as "httpd" or "root".) Which is not to say that this
should be ignored. Certainly, if you happen to be running less
trusted local users on a critical box, it's a high priority.
Universities, I'm sure, are scrambling. Thanks for the heads-up.
Slashdot has picked it up:
http://it.slashdot.org/it/08/02/10/2011257.shtml
According to the Slashdot summary, it is the vmsplice() syscall that is
vulnerable. It was introduced in 2.6.17.
Somebody in the Slashdot comments posted a link to code that
exploits the vulnerability to block the vmsplice() syscall in the
running kernel. No need to reboot! ;-)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953#14
I saw someone on Slashdot saying Ubuntu didn't appear to have
compiled vmsplice into all their kernels; dunno if that's true or not.
Red Hat is tracking the bug; someone says RHEL 5 is the only
vulnerable release.
https://bugzilla.redhat.com/show_bug.cgi?id=432251
> There doesn't seem to be any activity on the list since early
> Saturday; I imagine that someone else has written about this already.
The list has been quiet. <melodrama>"Too quiet."</melodrama> ;-)
-- Ben