[Kernel-packages] [Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

2021-10-15 Thread Bug Watch Updater
Launchpad has imported 9 comments from the remote bug at
https://bugzilla.kernel.org/show_bug.cgi?id=9924.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.


On 2008-02-09T15:00:59+00:00 slava wrote:

Latest working kernel version: 
Earliest failing kernel version: 2.6.17
Distribution: Gentoo
Hardware Environment:
Software Environment:
Problem Description:
Two root exploits have been reported:
http://milw0rm.com/exploits/5093
http://milw0rm.com/exploits/5092

Both exploits cause a kernel Oops or (randomly) give root privileges to
the user.

Here is the same bug reported in gentoo bugzilla:
http://bugs.gentoo.org/show_bug.cgi?id=209460

Steps to reproduce:
Compile and run the exploit.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/0


On 2008-02-09T16:30:03+00:00 dsd wrote:

Assuming this is about CVE-2008-0009/10, this is fixed with "[PATCH]
splice: missing user pointer access verification" which is included in
2.6.24.1 and 2.6.23.15. If someone can confirm my assumption, please
close this bug.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/1


On 2008-02-09T22:01:27+00:00 tm wrote:

It's not properly fixed in 2.6.24.1. E.g. see
http://bugs.gentoo.org/show_bug.cgi?id=209460

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/2


On 2008-02-10T03:19:49+00:00 dsd wrote:

http://bugzilla.kernel.org/show_bug.cgi?id=9924

> It's not properly fixed in 2.6.24.1. E.g. see
> http://bugs.gentoo.org/show_bug.cgi?id=209460

Indeed, I can confirm this.

2.6.24.1 fixes this exploit:
http://milw0rm.com/exploits/5093
(labelled "Diane Lane ...")

but does not fix this one, which still gives me root access on 2.6.24.1:
http://milw0rm.com/exploits/5092
("jessica_biel_naked_in_my_bed.c")

alternative link to the still-working exploit:
http://bugs.gentoo.org/attachment.cgi?id=143059&action=view

Daniel

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/4


On 2008-02-10T03:31:36+00:00 rpilar wrote:

This is NOT fixed in 2.6.24.1:
http://www.securityfocus.com/data/vulnerabilities/exploits/27704.c
But this probably is:
http://www.securityfocus.com/data/vulnerabilities/exploits/27704-2.c (at least I can't reproduce it).

Linux Rimmer 2.6.24.1 #4 SMP PREEMPT Sat Feb 9 16:50:17 CET 2008 i686
GNU/Linux

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/5


On 2008-02-10T03:31:37+00:00 dsd wrote:

I have personally tested both exploits under a recent 2.6.22 release, 
latest 2.6.23 and latest 2.6.24. Results:

http://milw0rm.com/exploits/5093 ("diane_lane")
This was a bug added in 2.6.23, still present in 2.6.24, but fixed by 
the most recent -stable releases for both branches:
- Not exploitable in 2.6.22.10
- Not exploitable in 2.6.23.15
- Not exploitable in 2.6.24.1
so this one is done and dusted...


http://milw0rm.com/exploits/5092 ("jessica_biel")
alt link: http://bugs.gentoo.org/attachment.cgi?id=143059&action=view
This is still exploitable in the latest kernel releases and the exploit 
source suggests it has been present since 2.6.17
- Exploitable in 2.6.22.10
- Exploitable in 2.6.23.15
- Exploitable in 2.6.24.1

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/6


On 2008-02-10T04:08:25+00:00 anonymous wrote:

Reply-To: a...@redhat.com

On Sun, Feb 10, 2008 at 11:28:51AM +, Daniel Drake wrote:
> I have personally tested both exploits under a recent 2.6.22 release, 
> latest 2.6.23 and latest 2.6.24. Results:

There's a fix/explanation proposed for the other one on linux-kernel

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/7


On 2008-02-10T15:32:01+00:00 dsd wrote:

fixed in Linus' tree as 712a30e63c8066ed84385b12edbfb804f49cbc44

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/19


On 2021-10-15T17:59:43+00:00 ucelsanicin wrote:

Possibly similar to 23220 however on 64-bit recent Debian sid with
trivial code I see : https://www.webb-dev.co.uk/category/cr

[Kernel-packages] [Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

2019-06-10 Thread Bug Watch Updater
Launchpad has imported 35 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=432251.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.


On 2008-02-10T13:37:47+00:00 mjc wrote:

A new system call named vmsplice() was introduced in the 2.6.17
release of the Linux kernel. 

COSEINC reported two issues affecting vmsplice, CVE-2008-0009 and
CVE-2008-0010.

On Saturday 20080210 a public exploit was released that utilised a similar flaw
in vmsplice (vmsplice_to_pipe function) to allow a local user to gain privileges
on some architectures.  

See also
http://marc.info/?t=12026365533&r=1&w=2

This issue will affect kernels 2.6.17+ and therefore affected Red Hat Enterprise
Linux 5, but not Red Hat Enterprise Linux 4, 3, or 2.1.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/8


On 2008-02-10T16:39:00+00:00 mjc wrote:

Note that there may be a little confusion as there are actually three vmsplice
issues:

CVE-2008-0009 is already fixed upstream, does not affect any RHEL,  has no
public exploit.  Upstream patch is the second hunk of:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361

CVE-2008-0010 is already fixed upstream, does not affect any RHEL, but has
a public exploit. ( http://www.milw0rm.com/exploits/5093 )
Upstream patch is the first hunk of:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361

CVE-2008-0600 is not yet fixed upstream, affects RHEL5,
and has a public exploit ( http://www.milw0rm.com/exploits/5092 )


Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/12


On 2008-02-10T18:11:58+00:00 mjc wrote:

Proposed patch for RHEL5 from Al Viro

diff -urN linux-2.6.18.x86_64/fs/splice.c linux-2.6.18.x86_64-fix/fs/splice.c
--- linux-2.6.18.x86_64/fs/splice.c 2008-02-10 11:08:19.0 -0500
+++ linux-2.6.18.x86_64-fix/fs/splice.c 2008-02-10 11:31:06.0 -0500
@@ -1154,6 +1154,9 @@
if (unlikely(!base))
break;
 
+   if (unlikely(!access_ok(VERIFY_READ, base, len)))
+   break;
+
/*
 * Get this base offset and number of pages, then map
 * in the user pages.
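Review bot: on a failed access_ok() the new check only breaks out of the iovec loop, mirroring the `!base` case just above it, so a caller that passes an unreadable range gets a short (possibly zero) byte count back rather than -EFAULT; consider setting an error and breaking (or returning -EFAULT outright when nothing has been queued yet) so the bad address is reported instead of silently truncating the transfer. Also worth a comment in the hunk: access_ok() only verifies that `base`..`base+len` lies within the user address limit, not that the pages are mapped, so the page-mapping path that follows must still handle faults on its own. The diff carries no description or Signed-off-by line, which it needs before it can be carried as a distro patch.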
Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/14


On 2008-02-10T20:42:39+00:00 mjc wrote:

Confirmed the patch blocks this issue for Red Hat Enterprise Linux 5; this
specific exploit prints "[-] vmsplice: Bad address" and fails.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/20


On 2008-02-10T21:17:01+00:00 mjc wrote:

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44


Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/22


On 2008-02-10T22:05:50+00:00 mjc wrote:

For Red Hat Enterprise Linux 5:
CVSS v2 Base score: 7.2 (High) (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/24


On 2008-02-10T23:16:13+00:00 redhat wrote:

We added a quick and dirty patch for the problem here:
http://home.powertech.no/oystein/ptpatch2008/

It is a kernel module that disables vmsplice, and logs any attempts to exploit
the bug.
As it is a loadable module it can easily be deployed on systems that can not be
updated with a new kernel for various reasons.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/29


On 2008-02-10T23:38:28+00:00 seva wrote:

Ola,

I tried that module on a test system and got:
   kernel: general protection fault:  [1] SMP 

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/31


On 2008-02-11T03:29:52+00:00 ryan wrote:

The make file required some modification for PAE kernels due to path issues;
once compiled, the module fails to load with:
insmod: error inserting 'ptpatch2008.ko': -1

[Kernel-packages] [Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

2017-10-27 Thread Bug Watch Updater
** Changed in: centos
   Importance: Unknown => Critical

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/190587

Title:
  Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

Status in Linux:
  Fix Released
Status in Ubuntu:
  Fix Released
Status in gplcver package in Ubuntu:
  Invalid
Status in linux package in Ubuntu:
  Fix Released
Status in linux-source-2.6.15 package in Ubuntu:
  Invalid
Status in linux-source-2.6.17 package in Ubuntu:
  Fix Released
Status in linux-source-2.6.20 package in Ubuntu:
  Fix Released
Status in linux-source-2.6.22 package in Ubuntu:
  Fix Released
Status in CentOS:
  Fix Released
Status in Debian:
  Fix Released
Status in linux package in Fedora:
  Fix Released
Status in Gentoo Linux:
  Fix Released
Status in Mandriva:
  Fix Released

Bug description:
  https://bugs.gentoo.org/show_bug.cgi?id=209460 works on at least Hardy
  2.6.24-7, Edgy 2.6.17-12, but not on Feisty 2.6.20-16.

To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/190587/+subscriptions



[Kernel-packages] [Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

2017-10-26 Thread Bug Watch Updater
Launchpad has imported 29 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=432229.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.


On 2008-02-10T06:08:43+00:00 Philip wrote:

Description of problem:

Local user can obtain root access (as described below).

This bug is being actively exploited in the wild -- our server was just broken
in to by an attacker using it. (They got a user's password by previously
compromising a machine somewhere else where that user had an account, and
installed a modified ssh binary on it to record user names and passwords. Then
they logged in to our site as that user, exploited CVE-2008-0010, and became 
root).

It is EXTREMELY urgent that a fixed kernel be provided ASAP given that this bug
is being actively exploited in the wild.

There is a fix listed upstream in 2.6.23.15 and 2.6.24.1. However, even after
applying that patch and recompiling the kernel, the escalation-of-privilege
exploit still worked so I am wondering if 2.6.23.15 does not completely fix it.

Version-Release number of selected component (if applicable):

All 2.6.23.x kernels

How reproducible: 100%

Steps to Reproduce:
1. Download http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
2. cc -o exploit 27704.c
3. [as non-privileged user] ./exploit
  
Actual results:

Root shell

Expected results:

No root shell.

Additional info:

When I altered the kernel spec file for 2.6.23.14-115.fc8 to pull 2.6.23.15
instead of 2.6.23.14 (and altered linux-2.6-highres-timers.patch to apply
cleanly, and removed the already-included-in-2.6.23.15 patches
linux-2.6-net-silence-noisy-printks.patch and
linux-2.6-freezer-fix-apm-emulation-breakage.patch), rebuilt a new kernel RPM,
installed it, and rebooted, the above exploit still worked. So it is possible an
additional patch is needed against 2.6.23, unless I just goofed somehow in my
kernel rebuild. (I did check and the file fs/splice.c was correctly patched and
included the lines that were supposed to fix this problem...)

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/1


On 2008-02-10T06:47:58+00:00 Bojan wrote:

I see 2.6.23.15 has been built in Koji. When is this going to get pushed into
stable updates?

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/2


On 2008-02-10T12:10:53+00:00 Pavel wrote:

*** Bug 432244 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/5


On 2008-02-10T14:14:23+00:00 Pavel wrote:

Relevant information about patch: http://lkml.org/lkml/2008/2/10/118

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/8


On 2008-02-10T14:19:44+00:00 Pavel wrote:

Relevant discussion at gmane.linux.kernel mailing list:
http://thread.gmane.org/gmane.linux.kernel/637339

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/9


On 2008-02-10T15:21:14+00:00 Jon wrote:

Bringing in RH Security Response team.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/10


On 2008-02-10T19:38:37+00:00 Philip wrote:

I can confirm that applying the patch at the bottom of
http://lkml.org/lkml/2008/2/10/118 (thanks, Pavel!), as well as applying the
patch in 2.6.23.15/2.6.24.1, does indeed prevent the published exploit from
working on our system.

Whether or not it closes all attack vectors, it is probably worth pushing out at
least as an interim update since it prevents the published exploit from working
and that published exploit is being actively exploited in the wild.

Note that I believe a new CVE identifier has been assigned for the vulnerability
that 2.6.23.15/2.6.24.1 does not fix: CVE-2008-0600

Also note that, unlike CVE-2008-0009/0010, this is not specific to the
2.6.23/2.6.24 kernels. Older kernels are vulnerable too (including, for
example, 2.6.18-53.1.4.el5 -- on that kernel, it is necessary to add
#define PAGE_SIZE getpagesize() to the published exploit, but with that addition
it works to get an instant root shell.)

I am *extremely* thankful this is only a local escalation-of-privilege and not a
remote root. It's bad enough as it is given what seems