[Kernel-packages] [Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Launchpad has imported 9 comments from the remote bug at https://bugzilla.kernel.org/show_bug.cgi?id=9924. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2008-02-09T15:00:59+00:00 slava wrote:

Latest working kernel version:
Earliest failing kernel version: 2.6.17
Distribution: Gentoo
Hardware Environment:
Software Environment:
Problem Description:
Two root exploits have been reported:
http://milw0rm.com/exploits/5093
http://milw0rm.com/exploits/5092
Both exploits cause a kernel Oops or (randomly) give root privileges to the user.
Here is the same bug reported in gentoo bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=209460
Steps to reproduce:
Compile and run the exploit.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/0

On 2008-02-09T16:30:03+00:00 dsd wrote:

Assuming this is about CVE-2008-0009/10, this is fixed with "[PATCH] splice: missing user pointer access verification" which is included in 2.6.24.1 and 2.6.23.15. If someone can confirm my assumption, please close this bug.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/1

On 2008-02-09T22:01:27+00:00 tm wrote:

It's not properly fixed in 2.6.24.1. E.g. see http://bugs.gentoo.org/show_bug.cgi?id=209460

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/2

On 2008-02-10T03:19:49+00:00 dsd wrote:

http://bugzilla.kernel.org/show_bug.cgi?id=9924

> It's not properly fixed in 2.6.24.1. E.g. see
> http://bugs.gentoo.org/show_bug.cgi?id=209460

Indeed, I can confirm this.

2.6.24.1 fixes this exploit: http://milw0rm.com/exploits/5093 (labelled "Diane Lane ...") but does not fix this one, which still gives me root access on 2.6.24.1: http://milw0rm.com/exploits/5092 ("jessica_biel_naked_in_my_bed.c")

alternative link to the still-working exploit: http://bugs.gentoo.org/attachment.cgi?id=143059&action=view

Daniel

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/4

On 2008-02-10T03:31:36+00:00 rpilar wrote:

This is NOT fixed in 2.6.24.1: http://www.securityfocus.com/data/vulnerabilities/exploits/27704.c
But this probably is: http://www.securityfocus.com/data/vulnerabilities/exploits/27704-2.c (at least I can't reproduce it).

Linux Rimmer 2.6.24.1 #4 SMP PREEMPT Sat Feb 9 16:50:17 CET 2008 i686 GNU/Linux

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/5

On 2008-02-10T03:31:37+00:00 dsd wrote:

I have personally tested both exploits under a recent 2.6.22 release, latest 2.6.23 and latest 2.6.24. Results:

http://milw0rm.com/exploits/5093 ("diane_lane")
This was a bug added in 2.6.23, still present in 2.6.24, but fixed by the most recent -stable releases for both branches:
- Not exploitable in 2.6.22.10
- Not exploitable in 2.6.23.15
- Not exploitable in 2.6.24.1
so this one is done and dusted...

http://milw0rm.com/exploits/5092 ("jessica_biel")
alt link: http://bugs.gentoo.org/attachment.cgi?id=143059&action=view
This is still exploitable in the latest kernel releases and the exploit source suggests it has been present since 2.6.17
- Exploitable in 2.6.22.10
- Exploitable in 2.6.23.15
- Exploitable in 2.6.24.1

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/6

On 2008-02-10T04:08:25+00:00 anonymous wrote:

Reply-To: a...@redhat.com

On Sun, Feb 10, 2008 at 11:28:51AM +, Daniel Drake wrote:
> I have personally tested both exploits under a recent 2.6.22 release,
> latest 2.6.23 and latest 2.6.24.
Results:

There's a fix/explanation proposed for the other one on linux-kernel

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/7

On 2008-02-10T15:32:01+00:00 dsd wrote:

fixed in Linus' tree as 712a30e63c8066ed84385b12edbfb804f49cbc44

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/19

On 2021-10-15T17:59:43+00:00 ucelsanicin wrote:

Possibly similar to 23220 however on 64-bit recent Debian sid with trivial code I see : https://www.webb-dev.co.uk/category/cr
[Kernel-packages] [Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Launchpad has imported 35 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=432251. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2008-02-10T13:37:47+00:00 mjc wrote:

A new system call named vmsplice() was introduced in the 2.6.17 release of the Linux kernel. COSEINC reported two issues affecting vmsplice, CVE-2008-0009 and CVE-2008-0010.

On Saturday 20080210 a public exploit was released that utilised a similar flaw in vmsplice (vmsplice_to_pipe function) to allow a local user to gain privileges on some architectures.

See also http://marc.info/?t=12026365533&r=1&w=2

This issue will affect kernels 2.6.17+ and therefore affected Red Hat Enterprise Linux 5, but not Red Hat Enterprise Linux 4, 3, or 2.1.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/8

On 2008-02-10T16:39:00+00:00 mjc wrote:

Note that there may be a little confusion as there are actually three vmsplice issues:

CVE-2008-0009 is already fixed upstream, does not affect any RHEL, has no public exploit. Upstream patch is the second hunk of:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361

CVE-2008-0010 is already fixed upstream, does not affect any RHEL, but has a public exploit ( http://www.milw0rm.com/exploits/5093 ). Upstream patch is the first hunk of:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361

CVE-2008-0600 is not yet fixed upstream, affects RHEL5, and has a public exploit ( http://www.milw0rm.com/exploits/5092 )

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/12

On 2008-02-10T18:11:58+00:00 mjc wrote:

Proposed patch for RHEL5 from Al Viro

diff -urN linux-2.6.18.x86_64/fs/splice.c linux-2.6.18.x86_64-fix/fs/splice.c
--- linux-2.6.18.x86_64/fs/splice.c	2008-02-10 11:08:19.0 -0500
+++ linux-2.6.18.x86_64-fix/fs/splice.c	2008-02-10 11:31:06.0 -0500
@@ -1154,6 +1154,9 @@
 		if (unlikely(!base))
 			break;
 
+		if (unlikely(!access_ok(VERIFY_READ, base, len)))
+			break;
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/14

On 2008-02-10T20:42:39+00:00 mjc wrote:

Confirmed the patch blocks this issue for Red Hat Enterprise Linux 5; this specific exploit prints "[-] vmsplice: Bad address" and fails.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/20

On 2008-02-10T21:17:01+00:00 mjc wrote:

Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/22

On 2008-02-10T22:05:50+00:00 mjc wrote:

For Red Hat Enterprise Linux 5:
CVSS v2 Base score: 7.2 (High) (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/24

On 2008-02-10T23:16:13+00:00 redhat wrote:

We added a quick and dirty patch for the problem here: http://home.powertech.no/oystein/ptpatch2008/

It is a kernel module that disables vmsplice, and logs any attempts to exploit the bug. As it is a loadable module it can easily be deployed on systems that can not be updated with a new kernel for various reasons.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/29

On 2008-02-10T23:38:28+00:00 seva wrote:

Ola, I tried that module on a test system and got:
kernel: general protection fault: [1] SMP

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/31

On 2008-02-11T03:29:52+00:00 ryan wrote:

The make file required some modification for PAE kernels due to path issues; once compiled, the module fails to load with:
insmod: error inserting 'ptpatch2008.ko': -1
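Review bot: the added `access_ok(VERIFY_READ, base, len)` check leaves the loop with a bare `break`, mirroring the `if (unlikely(!base)) break;` two lines above it, so an iovec entry that fails the range check silently truncates the gather instead of failing the call; the maintainer should confirm that the loop's error path returns -EFAULT when nothing was mapped (the later comment that the blocked exploit prints "vmsplice: Bad address" suggests it does) and decide whether an invalid entry following already-mapped ones should fail the whole vmsplice as well. The check sits before the offset and page-count computation, which is the right place, and since this is a 2.6.18 backport it should be diffed against the upstream commit 712a30e63c8066ed84385b12edbfb804f49cbc44 named later in the thread to make sure the two agree.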
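The patch in this thread closes the hole by range-checking the user-supplied iovec before the kernel maps its pages. The following user-space model is an added example, not RHEL's or upstream's code: it contrasts a naive bounds check with an overflow-safe one in the spirit of access_ok(), and walks a constructed iovec array the way the patched loop does, so the wraparound case and the truncate-versus-fail choice can be seen on a host. USER_LIMIT is a made-up stand-in for the kernel's user address ceiling.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical user-space ceiling: the low half of the address space.
 * The real kernel limit is architecture specific. */
#define USER_LIMIT ((uintptr_t)(UINTPTR_MAX / 2 + 1))

/* Naive check: base + len can wrap past zero, so a high base paired
 * with a huge len is wrongly accepted. */
bool range_ok_naive(uintptr_t base, size_t len)
{
    return base + len <= USER_LIMIT;
}

/* Overflow-safe check: reject a NULL base, a base at or beyond the
 * limit, and a len that would wrap or run past the limit. The
 * subtraction cannot underflow because base < USER_LIMIT here. */
bool range_ok(uintptr_t base, size_t len)
{
    if (base == 0 || base >= USER_LIMIT)
        return false;
    return len <= USER_LIMIT - base;
}

struct iov { uintptr_t base; size_t len; };

/* Mirror of the patched loop: accept entries until one fails the
 * range check. strict=false truncates like the hunk's bare break
 * (failing only when nothing was accepted); strict=true rejects the
 * whole call on the first bad entry. Returns a count or -EFAULT. */
long gather_pages(const struct iov *v, size_t n, bool strict)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (!range_ok(v[i].base, v[i].len)) {
            if (strict || accepted == 0)
                return -EFAULT;
            break;
        }
        accepted++;
    }
    return (long)accepted;
}

/* Constructed sample: one valid entry, one NULL entry, one valid entry. */
long gather_sample(bool strict)
{
    const struct iov v[] = { {0x1000, 4096}, {0, 16}, {0x2000, 16} };
    return gather_pages(v, sizeof v / sizeof v[0], strict);
}
```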
[Kernel-packages] [Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
** Changed in: centos
   Importance: Unknown => Critical

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/190587

Title:
  Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

Status in Linux: Fix Released
Status in Ubuntu: Fix Released
Status in gplcver package in Ubuntu: Invalid
Status in linux package in Ubuntu: Fix Released
Status in linux-source-2.6.15 package in Ubuntu: Invalid
Status in linux-source-2.6.17 package in Ubuntu: Fix Released
Status in linux-source-2.6.20 package in Ubuntu: Fix Released
Status in linux-source-2.6.22 package in Ubuntu: Fix Released
Status in CentOS: Fix Released
Status in Debian: Fix Released
Status in linux package in Fedora: Fix Released
Status in Gentoo Linux: Fix Released
Status in Mandriva: Fix Released

Bug description:
  https://bugs.gentoo.org/show_bug.cgi?id=209460 works on at least Hardy 2.6.24-7, Edgy 2.6.17-12, but not on Feisty 2.6.20-16.

To manage notifications about this bug go to: https://bugs.launchpad.net/linux/+bug/190587/+subscriptions
[Kernel-packages] [Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Launchpad has imported 29 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=432229. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2008-02-10T06:08:43+00:00 Philip wrote:

Description of problem:
Local user can obtain root access (as described below).

This bug is being actively exploited in the wild -- our server was just broken into by an attacker using it. (They got a user's password by previously compromising a machine somewhere else where that user had an account, and installed a modified ssh binary on it to record user names and passwords. Then they logged in to our site as that user, exploited CVE-2008-0010, and became root).

It is EXTREMELY urgent that a fixed kernel be provided ASAP given that this bug is being actively exploited in the wild.

There is a fix listed upstream in 2.6.23.15 and 2.6.24.1. However, even after applying that patch and recompiling the kernel, the escalation-of-privilege exploit still worked so I am wondering if 2.6.23.15 does not completely fix it.

Version-Release number of selected component (if applicable):
All 2.6.23.x kernels

How reproducible:
100%

Steps to Reproduce:
1. Download http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
2. cc -o exploit 27704.c
3. [as non-privileged user] ./exploit

Actual results:
Root shell

Expected results:
No root shell.

Additional info:
When I altered the kernel spec file for 2.6.23.14-115.fc8 to pull 2.6.23.15 instead of 2.6.23.14 (and altered linux-2.6-highres-timers.patch to apply cleanly, and removed the already-included-in-2.6.23.15 patches linux-2.6-net-silence-noisy-printks.patch and linux-2.6-freezer-fix-apm-emulation-breakage.patch), rebuilt a new kernel RPM, installed it, and rebooted, the above exploit still worked.

So it is possible an additional patch is needed against 2.6.23, unless I just goofed somehow in my kernel rebuild. (I did check and the file fs/splice.c was correctly patched and included the lines that were supposed to fix this problem...)

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/1

On 2008-02-10T06:47:58+00:00 Bojan wrote:

I see 2.6.23.15 has been built in Koji. When is this going to get pushed into stable updates?

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/2

On 2008-02-10T12:10:53+00:00 Pavel wrote:

*** Bug 432244 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/5

On 2008-02-10T14:14:23+00:00 Pavel wrote:

Relevant information about patch: http://lkml.org/lkml/2008/2/10/118

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/8

On 2008-02-10T14:19:44+00:00 Pavel wrote:

Relevant discussion at gmane.linux.kernel mailing list: http://thread.gmane.org/gmane.linux.kernel/637339

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/9

On 2008-02-10T15:21:14+00:00 Jon wrote:

Bringing in RH Security Response team.

Reply at: https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/10

On 2008-02-10T19:38:37+00:00 Philip wrote:

I can confirm that applying the patch at the bottom of http://lkml.org/lkml/2008/2/10/118 (thanks, Pavel!), as well as applying the patch in 2.6.23.15/2.6.24.1, does indeed prevent the published exploit from working on our system.

Whether or not it closes all attack vectors, it is probably worth pushing out at least as an interim update since it prevents the published exploit from working and that published exploit is being actively exploited in the wild.

Note that I believe a new CVE identifier has been assigned for the vulnerability that 2.6.23.15/2.6.24.1 does not fix: CVE-2008-0600

Also note that, unlike CVE-2008-0009/0010, this is not specific to the 2.6.23/2.6.24 kernels. Older kernels are vulnerable too (including, for example, 2.6.18-53.1.4.el5 -- on that kernel, it is necessary to add #define PAGE_SIZE getpagesize() to the published exploit, but with that addition it works to get an instant root shell.)

I am *extremely* thankful this is only a local escalation-of-privilege and not a remote root. It's bad enough as it is given what seems