Linux kernel 2.6 local root exploit! It works everywhere!



xoai
February 11th, 2008, 06:20 AM
http://it.slashdot.org/it/08/02/10/2011257.shtml

xoai@MacBuntu:~$ gcc -o exploit exploit.c
xoai@MacBuntu:~$ ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e56000 .. 0xb7e88000
[+] root
root@MacBuntu:~#

Only 2 minutes to get root. I am sure thousands of systems out there have this bug and I have to say out loud: holy *****! it works.

Quick (not so quick) fix: upgrade kernel to 2.6.25-rc1

Whiffle
February 11th, 2008, 06:24 AM
Dang. It does work. Looks like it's time to recompile my kernel again.

Whiffle
February 11th, 2008, 06:29 AM
There's another fix too, it's not permanent, but it fixes it live:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953#14

Worked for me.

p_quarles
February 11th, 2008, 06:32 AM
Temporarily closed for review.

macogw
February 11th, 2008, 09:45 PM
It doesn't compile for me.

icechen1
February 11th, 2008, 10:45 PM
Works on Linux Mint 4:

Q: How many Martians does it take to screw in a light bulb?
A: One and a half.
icechen1@icechen1-laptop:~/Other/Programming$ gcc -o exploit roothack.c
icechen1@icechen1-laptop:~/Other/Programming$ ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7dd3000 .. 0xb7e05000
[+] root
Questionable day.

Ask somebody something.
root@icechen1-laptop:~/Other/Programming#

Gigamo
February 11th, 2008, 11:09 PM
Quick (not so quick) fix: upgrade kernel to 2.6.25-rc1

It works here as well (the exploit). Any instructions on this?

~LoKe
February 11th, 2008, 11:13 PM
Who cares? It's a local exploit, if someone has access to your computer you're screwed anyways.

Cew27
February 11th, 2008, 11:15 PM
Can someone explain just what this little piece of code does/means?

p_quarles
February 11th, 2008, 11:17 PM
Who cares? It's a local exploit, if someone has access to your computer you're screwed anyways.
"Local" exploits are those that can be run with any kind of shell access. So, this is a problem for anyone with an SSH server that isn't completely locked down.

earobinson
February 11th, 2008, 11:18 PM
Who cares? It's a local exploit, if someone has access to your computer you're screwed anyways.
Hmm, I have access to the computer at school but I don't think it's a good idea to test it there. Works at home, however.

~LoKe
February 11th, 2008, 11:30 PM
"Local" exploits are those that can be run with any kind of shell access. So, this is a problem for anyone with an SSH server that isn't completely locked down.

Then there's a problem with your SSH server if you allow just anyone to connect. Again, having an exploit like this is akin to having the recovery kernel in your boot loader.

qazwsx
February 11th, 2008, 11:37 PM
If you can do this with ssh then I could cause problems for thousands of people (checked that kernel matches). Very serious exploit. Well, I am not even going to try that, obviously.
:confused:

p_quarles
February 11th, 2008, 11:59 PM
Then there's a problem with your SSH server if you allow just anyone to connect. Again, having an exploit this is akin to having the recovery kernel in your boot loader.
My university (and many others) allows users to connect to their accounts via SSH. If it were running this Linux kernel (it's not), this exploit could be used to gain root access.

Bachstelze
February 12th, 2008, 12:04 AM
A temporary fix that doesn't require a kernel recompilation is available:

sudo apt-get install build-essential linux-headers-`uname -r`
wget http://www.linux.it/~md/software/novmsplice.tgz
tar xzvf novmsplice.tgz
cd novmsplice
make
sudo cp novmsplice.ko /lib/modules/`uname -r`/kernel/security
sudo depmod -a
sudo modprobe novmsplice

After that, the exploit program segfaults every time you run it.

I also have a precompiled module for Ubuntu Gutsy available, if you don't even want to bother compiling a tiny module (obviously, it is for the 2.6.22-14-generic kernel, which you should have if your system is up-to-date):

wget ftp://itsuki.fkraiem.org/pub/novmsplice/novmsplice-2.6.22-14-generic.ko
sudo mv novmsplice-2.6.22-14-generic.ko /lib/modules/`uname -r`/kernel/security
sudo depmod -a
sudo modprobe novmsplice
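A defender's check, added here and not part of the thread or of the novmsplice module: given a kernel release string it decides whether the kernel falls in the vmsplice-affected range and whether the novmsplice workaround module from the post above is loaded. It assumes vmsplice() exists only from 2.6.17 on and that 2.6.24.2 and 2.6.25-rc1 carry the fix, as posters in this thread report; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Names below are my own.
# Assumptions: vmsplice() exists only from 2.6.17 on (older kernels give
# "Function not implemented", as the SuSE output later in the thread shows);
# 2.6.24.2 and 2.6.25-rc1 carry the fix, as posters report. Distro kernels
# that backported the fix without bumping the version will be misreported.

# "2.6.22-14-generic" -> 2006022000 ; "2.6.24.2" -> 2006024002
kernel_num() {
    v=${1%%-*}                      # drop "-14-generic", "-rc1", ...
    old_ifs=$IFS; IFS=.
    set -- $v                       # split on dots into $1..$4
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + ${4:-0} ))
}

# True (exit 0) when RELEASE is in the affected range 2.6.17 <= x < 2.6.24.2.
vmsplice_vulnerable() {
    n=$(kernel_num "$1")
    [ "$n" -ge 2006017000 ] && [ "$n" -lt 2006024002 ]
}

# True when the novmsplice workaround module is listed in a /proc/modules-style
# file (first field is the module name).
novmsplice_loaded() {
    grep -q '^novmsplice ' "${1:-/proc/modules}" 2>/dev/null
}

# Verdict for a host: exit 0 if mitigated (fixed kernel or module), 1 if not.
vmsplice_status() {
    rel=${1:-$(uname -r)}
    mods=${2:-/proc/modules}
    if ! vmsplice_vulnerable "$rel"; then
        echo "kernel $rel: outside the vmsplice-affected range"
    elif novmsplice_loaded "$mods"; then
        echo "kernel $rel: affected, but novmsplice module is loaded"
    else
        echo "kernel $rel: AFFECTED and no mitigation loaded"; return 1
    fi
}

# Demo on a constructed /proc/modules sample, then on the live host.
sample=$(mktemp)
printf 'novmsplice 1660 0 - Live 0xf8a1c000\n' > "$sample"   # constructed line
vmsplice_status 2.6.22-14-generic "$sample" || :
vmsplice_status 2.6.22-14-generic /dev/null || :
vmsplice_status 2.6.24.2 /dev/null || :
rm -f "$sample"
vmsplice_status || :
```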

xoai
February 12th, 2008, 04:20 AM
It works here as well (the exploit). Any instructions on this?

http://ph.ubuntuforums.com/showthread.php?t=311158
not so hard...

Kingsley
February 12th, 2008, 04:24 AM
I wonder how long it would normally take for a similar exploit to be patched up on Windows or Mac :).

Whiffle
February 12th, 2008, 07:06 AM
I updated my kernel to 2.6.24.2 manually... it's fixed. Pretty fancy.

Pekkalainen
February 12th, 2008, 07:35 AM
Bugs like these stress the fact that we all need to use safe passwords.

SunnyRabbiera
February 12th, 2008, 07:42 AM
But this might not entirely hurt us, at least because we use sudo... right?

ComputerHermit
February 12th, 2008, 07:51 AM
Cool, thanks for the info.

SupaSonic
February 12th, 2008, 08:28 AM
I get this on SuSE Enterprise:

vlad@ifsuse:/home/winshare/public> ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2ac565336000 .. 0x2ac565368000
[-] vmsplice: Function not implemented

deepclutch
February 12th, 2008, 08:48 AM
I tried it on my Ubuntu 2.6.22-14-386:

prakash@myworld:~/Desktop$ ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7dad000 .. 0xb7ddf000
[-] vmsplice
:lol: failed!

blinxwang
November 10th, 2009, 01:41 AM
This shows how fast the Kernel Team can patch holes compared to |\/|$'s "it's coming out in 2 months" procrastination :lolflag:

original_jamingrit
November 10th, 2009, 01:55 AM
Yes indeed it does.

Despite the truth in your statement, I have to ask: why, why, why would you revive this dead thread just to flame Microsoft??

The Funkbomb
November 10th, 2009, 02:04 AM
Yes indeed it does.

Despite the truth in your statement, I have to ask; why why why would you revive this dead thread just to flame Microsoft??

I was wondering the same thing.

I don't necessarily care for MS but if there wasn't Microsoft, we wouldn't have anyone to be superior to. :P

mips
November 10th, 2009, 02:17 AM
Only 2 minutes to get root. I am sure thousands of systems out there have this bug and I have to say out loud: holy *****! it works.

How's this post any different than people asking how to enable root access in Ubuntu?

cariboo
November 10th, 2009, 02:40 AM
This thread is well over a year old; if you have something to say about the current exploit notice, have a look here (http://ubuntuforums.org/showthread.php?t=1314361).

This thread is closed