www.centos.org Forum Index: CentOS 5 - Security Support: Remote Exploit

#1 carlosap (Newbie; Joined: 2007/4/14; Posts: 5)
Remote Exploit
Centos 5.1 Root Exploit

https://bugzilla.redhat.com/show_bug.cgi?id=432251
http://www.milw0rm.com/exploits/5092

When is there going to be a kernel update?

 
[usuario@svca cpp]$ ls
exploit  exploit.c
[usuario@svca cpp]$ uname -a
Linux svca 2.6.18-53.1.6.el5 #1 SMP Wed Jan 23 11:30:20 EST 2008 i686 i686 i386 GNU/Linux
[usuario@svca cpp]$ whoami
usuario
[usuario@svca cpp]$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f0c000 .. 0xb7f3e000
[+] root
[root@svca cpp]# whoami
root
[root@svca cpp]#

Thanks
Posted on: 2008/2/10 23:36
#2 toracat (Moderator; Joined: 2006/9/3; From: California, US; Posts: 5070)
Re: Remote Exploit
_________________
Useful links: Search Forums; Forum FAQ; CentOS Wiki
Posted on: 2008/2/11 0:28
#3 NedSlider (Moderator; Joined: 2005/10/28; From: UK; Posts: 2865)
Re: Remote Exploit
Quote:
carlosap wrote:
When is there going to be a kernel update?

Thanks

...and the simple answer, typically about 24-48 hours after upstream (RH) release an update.

As noted in the discussions listed above, this is a local exploit, not a remote exploit, so unless someone has already gained local access, they are not going to be able to exploit it. That makes it somewhat less critical.
_________________
CentOS - The Sysadmins Choice
ELRepo.org - The Community Enterprise Linux Repository
Posted on: 2008/2/11 1:44
#4 carlosap (Newbie; Joined: 2007/4/14; Posts: 5)
Re: Remote Exploit
Thanks, I will wait for the update!
Posted on: 2008/2/11 4:45
#5 FunkyRes (Regular Board Member; Joined: 2007/11/24; Posts: 80)
Re: Remote Exploit
What this will hit big is multi-user machines on computer campuses.

John is at the math lab of his university.
John uses ssh to connect to the university Linux server for his research project.
The math lab computer was previously owned and is running a trojaned ssh client.

The cracker who owned the math lab box now has a valid login to the remote Linux server.

Debian has a C file that allegedly, when compiled and run, will close the hole (I assume until the next reboot).
Posted on: 2008/2/11 7:55
#6 dysk (Newbie; Joined: 2005/3/17; Posts: 1)
Re: Remote Exploit
I built some RPMs to fix this problem. They're based on the latest CentOS kernel RPM, with the upstream kernel patch.

They're available at http://erek.blumenthals.com/blog/2008/02/11/

Obviously, they haven't gone through the usual upstream QA process, but I know of them being used on about 50 machines and nobody's reported any problems.

Regards,
Erek Dyskant
Posted on: 2008/2/11 21:44
#7 cormander (Regular Board Member; Joined: 2005/5/16; From: Utah; Posts: 131)
Re: Remote Exploit
Hi all,

I about fell out of my chair when I saw this thing spring up. I manage a few shell "gateway" servers with many non-root users on them, with a CentOS 5 machine.

I then took a deep breath after the exploit didn't work on my machines :) I'm using grsecurity-2.1.11, built with the 2.6.23.14 kernel. Technically vulnerable by kernel version #, the exploit failed on my CentOS 5 machines for basically two reasons:

1) I enabled the TPE portion of grsecurity, which disallows execution (users can't run anything that isn't in a root-owned directory that is non-world-writable); basically this means anything they upload they can't execute, even if they give it execute permissions
2) even when I put the binary in a place where it could run (from the root account), the execution was stopped by PaX and it dumped a messload of messages to syslogd

Whew!

I would STRONGLY recommend grsecurity for anyone who manages a machine where there are local shell accounts, especially when those shell accounts are used by geeks... prevents them from screwing around.
_________________
Cormander
http://www.ravencore.com/
Posted on: 2008/2/12 1:58
#8 toracat (Moderator; Joined: 2006/9/3; From: California, US; Posts: 5070)
Re: Remote Exploit
The upstream will come up with the patched kernel shortly:

https://bugzilla.redhat.com/show_bug.cgi?id=432251#c39

I'm sure the CentOS team will respond quickly to get our version out.
_________________
Useful links: Search Forums; Forum FAQ; CentOS Wiki
Posted on: 2008/2/12 15:36
#9 NedSlider (Moderator; Joined: 2005/10/28; From: UK; Posts: 2865)
Re: Remote Exploit
Upstream have updates available (kernel-2.6.18-53.1.13.el5) as of earlier today:

https://rhn.redhat.com/errata/RHSA-2008-0129.html
_________________
CentOS - The Sysadmins Choice
ELRepo.org - The Community Enterprise Linux Repository
Posted on: 2008/2/12 18:38
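A defender-side check, added here and not part of any post in the thread: a small POSIX shell script that reports whether a CentOS 5 kernel release string is at or above the kernel-2.6.18-53.1.13.el5 errata kernel named above. It assumes that every .el5 release at or above that version carries the fix, compares the version fields numerically so later errata kernels also pass, and reports a non-.el5 kernel (such as the self-built grsecurity kernel mentioned in post #7) as unknown rather than guessing.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a CentOS 5 kernel release
# string is at or above kernel-2.6.18-53.1.13.el5, the errata kernel
# (RHSA-2008-0129) quoted in the thread as fixing the vmsplice bug.
# Assumption: every .el5 release >= that version carries the fix. Kernels that
# are not .el5 builds (e.g. a self-built grsecurity one) are reported "unknown".

FIXED_KERNEL="2.6.18-53.1.13.el5"

# Reduce "2.6.18-53.1.6.el5PAE" to its numeric fields: "2 6 18 53 1 6".
kernel_fields() {
    printf '%s\n' "$1" | sed 's/\.el[0-9].*$//' | tr -cs '0-9\n' ' '
}

# Return 0 if kernel release $1 is >= release $2, 1 otherwise.
# Missing trailing fields count as 0, so 2.6.18-53 < 2.6.18-53.1.13.
kernel_at_least() {
    a=$(kernel_fields "$1")
    b=$(kernel_fields "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; if [ "$x" = "$a" ]; then a=; else a=${a#* }; fi
        y=${b%% *}; if [ "$y" = "$b" ]; then b=; else b=${b#* }; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# Print fixed / vulnerable / unknown for the release given as $1
# (defaults to the running kernel, as reported by uname -r).
vmsplice_kernel_status() {
    rel=${1:-$(uname -r)}
    case $rel in
        *.el5*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    if kernel_at_least "$rel" "$FIXED_KERNEL"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

echo "$(uname -r): $(vmsplice_kernel_status)"
```

Run it on the host in question; the first post's 2.6.18-53.1.6.el5 reports vulnerable and the 2.6.18-53.1.13.el5 kernel from post #13 reports fixed.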
#10 toracat (Moderator; Joined: 2006/9/3; From: California, US; Posts: 5070)
Re: Remote Exploit
_________________
Useful links: Search Forums; Forum FAQ; CentOS Wiki
Posted on: 2008/2/13 6:05
#11 gornbo (Peeking in the Member Window; Joined: 2008/1/4; From: London; Posts: 20)
Re: Remote Exploit
Yep, saw that this morning.

Very impressed with the response time.
_________________
Shape Shed - Simple, Elegant Web Design
London, UK
(mt)(dv)3.5 Centos 5.2/PHP5.1.6/MySQL 5.0.45/Postfix 2.3.3
Posted on: 2008/2/13 7:53
#12 AlanBartlett (Moderator; Joined: 2007/10/22; From: ~/Earth/UK/England/Suffolk; Posts: 5934)
Re: Remote Exploit
Well done to the CentOS development team.

Guess who's now building his custom kernel from the .src.rpm . . .

Alan.
_________________
Alan.

100% Unix & Linux. Co-founder of the ELRepo Project.
Posted on: 2008/2/13 14:15
#13 carlosap (Newbie; Joined: 2007/4/14; Posts: 5)
Re: Remote Exploit
Thanks CentOS

$ uname -a
Linux srv 2.6.18-53.1.13.el5 #1 SMP Tue Feb 12 13:01:45 EST 2008 i686 i686 i386 GNU/Linux

-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7ef0000 .. 0xb7f22000
[-] vmsplice: Bad address
Posted on: 2008/2/13 18:03