2.6 kernel local-user root privilege hole

Dan Miller rambi.dev at gmail.com
Sun Feb 10 21:36:12 EST 2008


This failed with 2.6.23 on x86_64. Got some nice output, though:

-----------------------------------
  Linux vmsplice Local Root Exploit
  By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2afd84834000 .. 0x2afd84866000
Killed


On the other hand, 32 bit 2.6.23.1 is successful.
-----------------------------------
  Linux vmsplice Local Root Exploit
  By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e37000 .. 0xb7e69000
[+] root

I wonder if 64 bit is immune.

Dan


Michael ODonnell wrote:
> 
>> On Feb 10, 2008 7:48 PM, Bill Sconce <sconce at in-spec-inc.com> wrote:
>>> [ I just compiled and tried it.  Sure enough, the program below,
>>> run from user mode, gets a root shell.  Yike.]
>> I just tried this on Ubuntu-Server (7.04) and it didn't work. Running
>> 2.6.20-16-server
> 
> This worked with my 2.6.22 kernel as well as on a 2.6.18-4-k7 kernel.
> It did not work on the RHEL3 system where I tried it because the 2.4
> kernels don't have the vmsplice facility being exploited:
> 
>   http://en.wikipedia.org/wiki/Splice_%28system_call%29
>   http://kerneltrap.org/node/6505


More information about the gnhlug-discuss mailing list