vmsplice exploit confirmation
k2t0f12d
February 11th, 2008, 02:13 AM
LKML confirms hole:
http://lkml.org/lkml/2008/2/10/8
LightB
February 11th, 2008, 02:21 AM
The sample code wouldn't compile for me. And a local exploit doesn't worry me much. At that level someone could just as well steal your hard drive.
k2t0f12d
February 11th, 2008, 02:23 AM
I executed the binary on my computer on another machine through ssh...exploit worked.
LightB
February 11th, 2008, 02:29 AM
So all I have to do is bruteforce somebody's insecure ssh? What if they don't even have ssh running?
k2t0f12d
February 11th, 2008, 02:38 AM
The thread is for confirmation of a known security hole. If you were to bicker about its severity, start your own thread.
LightB
February 11th, 2008, 02:45 AM
I'm not bickering, just discussing it. I don't see what's wrong with that. The only big deal with this exploit is for enterprise users perhaps, but ubuntu desktop users by large? Doesn't seem that way. Besides this there's tons of little exploits that are found and patched in the kernel all the time.
LaRoza
February 11th, 2008, 02:57 AM
I'm not bickering, just discussing it. I don't see what's wrong with that. The only big deal with this exploit is for enterprise users perhaps, but ubuntu desktop users by large? Doesn't seem that way. Besides this there's tons of little exploits that are found and patched in the kernel all the time.
k2t0f12d was just pointing out that this is a real issue, and not some rumour. I doubt it was the OP's intent to discuss the extent to which it is a problem.
LightB
February 11th, 2008, 02:59 AM
It's been fixed in 2.6.24.2 while we posted.
xoai
February 11th, 2008, 03:00 AM
"local" does not mean "physical"
LaRoza
February 11th, 2008, 03:01 AM
It's been fixed in 2.6.24.2 while we posted.
That was quick.
macogw
February 11th, 2008, 03:07 AM
It was posted to /. and someone said it worked on his Debian box but not on Ubuntu.
http://it.slashdot.org/comments.pl?sid=448542&cid=22372754
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 [debian.org]
The workaround posted in a follow-up in that thread works. I had a few vulnerable (tested) machines that I cannot reboot even if a patched kernel is released in the near future. I tried that fix, then tried the exploit again. The exploit no longer worked after using the fix (workaround).
Those machines were debian x64.
Ubuntu kernels do not appear to have vmsplice enabled by default.
k2t0f12d
February 11th, 2008, 03:29 AM
It's been fixed in 2.6.24.2 while we posted.
Built 2.6.25-rc1, where the hole was originally patched. It's good they backported; nvidia's drivers are still broken on 2.6.25.
Graham Stark
February 11th, 2008, 10:12 AM
I dare say this is a naive question, but can someone suggest a simple non-damaging test of whether my system is vulnerable to this?
thanks,
Graham
k2t0f12d
February 11th, 2008, 11:08 AM
Download the attached bzipped source, compile it
gcc -o exploit exploit.c
and run it
./exploit
If your computer is vulnerable, you will be logged in as root after execution, if not you will remain a regular user. Obviously, in order for this test to be effective the exploit must be run as a regular user. All the program does is elevate your login to root, nothing else.
This vulnerability is reported to affect kernel versions 2.6.17 - 2.6.24.1.
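For anyone who would rather not run the exploit binary itself, the following is an added, non-exploiting check written for this thread (it is not the poster's code and not part of the exploit). It parses the kernel release string and compares it against the 2.6.17 - 2.6.24.1 range stated above, then reads `apt-cache policy` output the way the transcripts further down the thread do. The only fixed package version it knows is Gutsy's 2.6.22-14.52 (the version reported in this thread as carrying the fix from USN-577-1); entries for other series are assumed to be filled in from the advisory, and an ABI not in the table is reported as unknown rather than safe, because an upstream version in the affected range says nothing about whether the distribution backported the fix. The sample `apt-cache policy` texts are constructed for the example.

```python
"""Version-based check for the vmsplice bug: upstream kernel range plus
distribution package version. Added example, not the thread's exploit code."""
import re
import subprocess
import platform

# Affected upstream range as reported in the thread, inclusive at both ends.
FIRST_VULNERABLE = (2, 6, 17)
LAST_VULNERABLE = (2, 6, 24, 1)

# Ubuntu package upload numbers that carry the backported fix, keyed by the
# kernel ABI prefix of `uname -r`. Only the Gutsy entry comes from the thread
# (2.6.22-14.52, USN-577-1); other series are an assumption to be filled in
# from the advisory. Missing ABIs are treated as unknown, never as fixed.
FIXED_PACKAGE_UPLOAD = {
    "2.6.22-14": 52,
}

# Constructed samples of `apt-cache policy` output, modelled on the thread.
SAMPLE_POLICY_GUTSY_FIXED = """linux-image-2.6.22-14-generic:
  Installed: 2.6.22-14.52
  Candidate: 2.6.22-14.52
"""
SAMPLE_POLICY_GUTSY_OLD = """linux-image-2.6.22-14-generic:
  Installed: 2.6.22-14.46
  Candidate: 2.6.22-14.52
"""


def upstream_version(release):
    """'2.6.22-14-generic' -> (2, 6, 22); '2.6.24.2' -> (2, 6, 24, 2)."""
    m = re.match(r"(\d+(?:\.\d+)*)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.group(1).split("."))


def upstream_in_affected_range(release):
    """True when the upstream version lies in 2.6.17 .. 2.6.24.1 inclusive.
    Tuple comparison places 2.6.24 (no fourth component) below 2.6.24.1."""
    return FIRST_VULNERABLE <= upstream_version(release) <= LAST_VULNERABLE


def installed_package_version(policy_output):
    """Extract the 'Installed:' value from apt-cache policy text, or None."""
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_output, re.M)
    if not m or m.group(1) == "(none)":
        return None
    return m.group(1)


def package_has_backport(package_version):
    """'2.6.22-14.52' -> True once the upload number reaches the fixed value;
    None when the ABI is not in the table (unknown, not safe)."""
    m = re.match(r"^(\d+\.\d+\.\d+-\d+)\.(\d+)$", package_version)
    if not m:
        return None
    abi, upload = m.group(1), int(m.group(2))
    fixed = FIXED_PACKAGE_UPLOAD.get(abi)
    if fixed is None:
        return None
    return upload >= fixed


def assess(release, policy_output=None):
    """Combine both checks into a single verdict string."""
    if not upstream_in_affected_range(release):
        return "not affected: upstream version outside 2.6.17-2.6.24.1"
    if policy_output is None:
        return "affected upstream version; no package information"
    pkg = installed_package_version(policy_output)
    if pkg is None:
        return "affected upstream version; kernel package not installed via apt"
    backport = package_has_backport(pkg)
    if backport is True:
        return "patched: package %s carries the backported fix" % pkg
    if backport is False:
        return "vulnerable: package %s predates the fix" % pkg
    return "affected upstream version; no fixed-package record for %s" % pkg


if __name__ == "__main__":
    # Stand-alone run: inspect the running kernel and, where apt exists, its package.
    release = platform.release()
    policy = None
    try:
        policy = subprocess.run(["apt-cache", "policy", "linux-image-" + release],
                                capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        pass
    print(release, "->", assess(release, policy))
```

Run as a regular user; it reads nothing but `uname -r` and `apt-cache policy`. A "patched" verdict depends entirely on the fixed-version table, so extend it from the advisory before trusting it on anything other than Gutsy.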
Narf
February 11th, 2008, 02:57 PM
Doesn't seem to work on Feisty with the following kernel:
Linux core 2.6.20-16-386 #2 Fri Feb 1 02:52:09 UTC 2008 i686 GNU/Linux
macogw
February 11th, 2008, 04:51 PM
It doesn't even compile on Gutsy
$ uname -a
Linux ubuntu 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux
$ gcc -o exploit exploit.c
exploit.c:1: error: expected identifier or ‘(’ before ‘<â
exploit.c:1:33: error: too many decimal points in number
exploit.c:1:42: error: too many decimal points in number
exploit.c:20:10: error: #include expects "FILENAME" or <FILENAME>
exploit.c:21:10: error: #include expects "FILENAME" or <FILENAME>
exploit.c:22:10: error: #include expects "FILENAME" or <FILENAME>
exploit.c:23:10: error: #include expects "FILENAME" or <FILENAME>
exploit.c:24:10: error: #include expects "FILENAME" or <FILENAME>
....
more errors
EDIT:
wget breaks code. got it to compile and work.
yaztromo
February 11th, 2008, 04:54 PM
I have two Feisty boxes and both are immune. The exploit bombs out with a segmentation fault.
My Gutsy box wasn't so tough :rolleyes:
yaztromo
February 11th, 2008, 04:56 PM
It doesn't even compile on Gutsy
$ uname -a
Linux ubuntu 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux
$ gcc -o exploit exploit.c
exploit.c:1: error: expected identifier or ‘(’ before ‘<â
exploit.c:1:33: error: too many decimal points in number
exploit.c:1:42: error: too many decimal points in number
exploit.c:20:10: error: #include expects "FILENAME" or <FILENAME>
exploit.c:21:10: error: #include expects "FILENAME" or <FILENAME>
exploit.c:22:10: error: #include expects "FILENAME" or <FILENAME>
exploit.c:23:10: error: #include expects "FILENAME" or <FILENAME>
exploit.c:24:10: error: #include expects "FILENAME" or <FILENAME>
....
more errors
It should compile fine providing you have build-essential installed and you downloaded the exploit code without changing it. For me pasting into a terminal running nano it wouldn't compile. But pasting into gedit it did. Strange.
Kingsley
February 11th, 2008, 04:58 PM
No problems on Fedora 8 :).
$ uname -a
Linux localhost.localdomain 2.6.23.14-115.fc8 #1 SMP Mon Jan 21 14:20:50 EST 2008 i686 i686 i386 GNU/Linux
samwyse
February 11th, 2008, 05:02 PM
No problems on Fedora 8 :).
$ uname -a
Linux localhost.localdomain 2.6.23.14-115.fc8 #1 SMP Mon Jan 21 14:20:50 EST 2008 i686 i686 i386 GNU/Linux
http://forums.fedoraforum.org/showthread.php?t=180819
rune0077
February 11th, 2008, 05:17 PM
Ouch, exploit worked on my Gutsy. However, I tested it on laptop and it couldn't connect remotely to my desktop due to firewall security on my router. So for me, this is only a weakness if someone has physical access to my machine (or if they know how to circumvent my router firewall). Still, that's not good.
tor528
February 11th, 2008, 05:42 PM
Compiled and ran in Gutsy, got root. Then I ran the hotfix, which prevented the exploit, but I heard that it makes the system unstable, so I rebooted.
uname -r:
2.6.22-14-generic
Any idea when an updated 2.6.22 kernel will be available in the repositories?
High Roller
February 11th, 2008, 07:26 PM
Any idea when an updated 2.6.22 kernel will be available in the repositories?
I'm curious of this as well.
89vision
February 11th, 2008, 07:53 PM
compiled and worked on my gutsy laptop and my feisty server both with stock kernels.
Kingsley
February 11th, 2008, 11:14 PM
http://forums.fedoraforum.org/showthread.php?t=180819
Wow. I tried again right now because I saw your post, and it actually worked. I'm installing the kernel security update right now.
I'm wondering why the exploit didn't work the first few times when I tried hours ago.
ubunyou
February 12th, 2008, 04:15 AM
Confirmed on Hardy Heron development kernel:
>uname -a
Linux kyle-ubuntu 2.6.24-5-generic #1 SMP Thu Jan 24 19:45:21 UTC 2008 i686 GNU/Linux
Any one have any idea on when a new dev. Kernel for Hardy will be released (if it hasn't been done already)?
ubunyou
February 12th, 2008, 04:37 AM
So, a question to security types out there then (prepare for a run-on sentence):
What prevents the sequence of commands that sets the uid and gid in memory to zero (in the kernel_code() function) from being included as instruction code in a buffer overflow against a process with normal user privileges that doesn't necessarily grant 'shell access' (i.e., internet browser X, say Firefox for example's sake)?
bradleyd
February 12th, 2008, 03:52 PM
confirmed on gutsy server 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
gsmanners
February 12th, 2008, 04:07 PM
I see there's a fix:
http://www.ubuntu.com/usn/usn-577-1
jodokast98
February 12th, 2008, 06:36 PM
it would appear as if 2.6.22-14.52 does contain the fix and no longer allows the exploit.
Graham Stark
February 13th, 2008, 07:13 AM
Download the attached bzipped source, compile it
gcc -o exploit exploit.c
and run it
./exploit
If your computer is vulnerable, you will be logged in as root after execution, if not you will remain a regular user. Obviously, in order for this test to be effective the exploit must be run as a regular user. All the program does is elevate your login to root, nothing else.
This vulnerability is reported to affect kernel versions 2.6.17 - 2.6.24.1.
Many thanks for that. It core-dumped when I ran it, which has to be good, I suppose.
Graham
macogw
February 13th, 2008, 09:15 PM
Many thanks for that. It core-dumped when I ran it, which has to be good, I suppose.
Graham
Core dumped how? If it fails, it should look like this:
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e20000 .. 0xb7e52000
[-] vmsplice: Bad address
Everyone please install your updates! There is a patched kernel available in the updates.
gsmanners
February 14th, 2008, 12:59 AM
I can confirm the patch:
$ ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2b60984f5000 .. 0x2b6098527000
[-] vmsplice: Bad address
$ apt-cache policy linux-image-2.6.22-14-generic
linux-image-2.6.22-14-generic:
Installed: 2.6.22-14.52
Candidate: 2.6.22-14.52
Version table:
*** 2.6.22-14.52 0
500 http://us.archive.ubuntu.com gutsy-updates/main Packages
500 http://security.ubuntu.com gutsy-security/main Packages
100 /var/lib/dpkg/status
2.6.22-14.46 0
500 cdrom://Ubuntu 7.10 _Gutsy Gibbon_ - Release amd64 (20071017) gutsy/main Packages
500 http://us.archive.ubuntu.com gutsy/main Packages
kryologik
February 14th, 2008, 05:50 PM
kryologik@aequitas:~$ apt-cache policy linux-image-2.6.22-14-server
linux-image-2.6.22-14-server:
Installed: 2.6.22-14.52
Candidate: 2.6.22-14.52
Version table:
*** 2.6.22-14.52 0
500 http://us.archive.ubuntu.com gutsy-updates/main Packages
500 http://security.ubuntu.com gutsy-security/main Packages
100 /var/lib/dpkg/status
2.6.22-14.46 0
500 http://us.archive.ubuntu.com gutsy/main Packages
kryologik@aequitas:~$ ./test
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d9a000 .. 0xb7dcc000
[+] root
root@aequitas:~# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),110(lpadmin),111(admin),1000(kryologik)
root@aequitas:~# uname -a
Linux aequitas 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
Can someone please tell me why my server is still vulnerable to this attack?
macogw
February 15th, 2008, 02:44 PM
kryologik@aequitas:~$ apt-cache policy linux-image-2.6.22-14-server
linux-image-2.6.22-14-server:
Installed: 2.6.22-14.52
Candidate: 2.6.22-14.52
Version table:
*** 2.6.22-14.52 0
500 http://us.archive.ubuntu.com gutsy-updates/main Packages
500 http://security.ubuntu.com gutsy-security/main Packages
100 /var/lib/dpkg/status
2.6.22-14.46 0
500 http://us.archive.ubuntu.com gutsy/main Packages
kryologik@aequitas:~$ ./test
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d9a000 .. 0xb7dcc000
[+] root
root@aequitas:~# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),110(lpadmin),111(admin),1000(kryologik)
root@aequitas:~# uname -a
Linux aequitas 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
Can someone please tell me why my server is still vulnerable to this attack?
I'd say you should go bug-report that on Launchpad and mark it as a security problem.
ubunyou
February 16th, 2008, 05:31 PM
Hardy has a patch out too - yay hardy.
kyle@kyle-ubuntu:~$ cat /etc/apt/sources.list.d/hardy.list
deb http://archive.ubuntu.com/ubuntu/ hardy main restricted
kyle@kyle-ubuntu:~$ uname -a
Linux kyle-ubuntu 2.6.24-8-generic #1 SMP Thu Feb 14 20:40:45 UTC 2008 i686 GNU/Linux
kyle@kyle-ubuntu:~$ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7da1000 .. 0xb7dd3000
[-] vmsplice: Bad address