Kernel 2.6.32-358 Local Privilege Escalation

Posted: 2013/05/14 13:42:06
by oesman
Thought I'd let you guys know about this since most people don't run custom kernels:

http://xxxxsheep.org/~sd/warez/semtex.c

Patch: https://patchwork.kernel.org/patch/2441281/

Currently works to give root on CentOS 6 with latest kernel:

[omg@secure ~]$ gcc -O2 semtex.c
[omg@secure ~]$ ./a.out
2.6.37-3.x x86_64
sd@xxxxsheep.org 2010
-sh-4.1# whoami
root
-sh-4.1# uname -a
Linux secure 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
-sh-4.1#

EDIT: To point out, the exploit is for a newer kernel version, but it seems the exploit itself was backported into 2.6.32 by CentOS.

Re: Kernel 2.6.32-358 Local Privilege Escalation

Posted: 2013/05/14 14:52:52
by TrevorH
I've edited your post to remove the profanity from the URL and email addresses. Anyone who wants to download the exploit can easily find it using google and it helps to keep our forums child friendly!

The exploit appears to only work on 64 bit systems and only if the code is compiled with gcc -O2. It's not specific to the 358 series of kernels - I've seen reports of it working as far back as 2.6.32-220*. Installing kmod-tpe from ELRepo would be one way of preventing the exploit since that stops all executables from running if they are not owned by root:root!

Re: Kernel 2.6.32-358 Local Privilege Escalation

Posted: 2013/05/14 14:58:02
by oesman
No problem. You are correct, it works on 2.6.32 because the same bug was backported to 2.6.32 from newer versions, which is normal since CentOS relies on backporting. And yes it's for x86_64, but I figure it affects most people, who's not running 64-bit in these days of cheap ram and good compatibility :)?

Kernel 2.6.32-358 Local Privilege Escalation

Posted: 2013/05/14 15:57:55
by toracat
[quote]
Installing kmod-tpe from ELRepo would be one way of preventing the exploit since that stops all executables from running if they are not owned root:root![/quote]
More detailed info can be found on ELRepo's [url=http://elrepo.org/tiki/kmod-tpe]kmod-tpe[/url] page.

Re: Kernel 2.6.32-358 Local Privilege Escalation

Posted: 2013/05/14 17:00:25
by toracat
Because the current mainline (stable) kernels from kernel.org have been fixed, another workaround will be to use ELRepo's [url=http://elrepo.org/tiki/kernel-ml]kernel-ml[/url] or [url=http://elrepo.org/tiki/kernel-lt]kernel-lt[/url] until the distro kernel gets a patch.

Re: Kernel 2.6.32-358 Local Privilege Escalation

Posted: 2013/05/14 17:14:35
by toracat
Upstream BZ at https://bugzilla.redhat.com/show_bug.cgi?id=962792.

Re: Kernel 2.6.32-358 Local Privilege Escalation

Posted: 2013/05/14 19:31:17
by toracat
CentOSPlus *test* kernel with the patch is now available from:

http://people.centos.org/toracat/kernel/6/plus/perfbugfix/x86_64/

It was confirmed to work. Only the 64-bit kernel is provided because the 32-bit kernel is not affected.

NOTE: this is not an official release by CentOS.

Re: Kernel 2.6.32-358 Local Privilege Escalation

Posted: 2013/05/14 21:35:19
by nouvo09
[quote]
oesman wrote:
who's not running 64-bit in these days of cheap ram and good compatibility :)?[/quote]

I am not. I never found one reason to run a 64-bit system while we have PAE 32-bit, which never has issues with third-party programs.

Re: Kernel 2.6.32-358 Local Privilege Escalation

Posted: 2013/05/14 21:37:37
by TrevorH
Also, from that upstream bugzilla, a workaround for [u]the current exploit only[/u] is to run `sysctl kernel.perf_event_paranoid=2` but the system is still vulnerable to an attack, just not one that has been devised (or published) yet.
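A small defender-side check for the workaround above, added here as an example and not posted by anyone in the thread. It reads kernel.perf_event_paranoid and the machine architecture (the thread reports only x86_64 as affected) and reports whether the sysctl workaround is in place; the helper functions take their inputs as arguments so the logic can be exercised offline. The names paranoid_status, arch_affected and check_host are this example's own.

```shell
#!/bin/sh
# Check whether the perf_event_paranoid workaround from the upstream bugzilla is active.
# This only covers the published exploit; the real fix is a patched kernel.

# paranoid_status VALUE
#   prints "mitigated" when VALUE >= 2, "unmitigated" when lower, "unknown" when
#   VALUE is not an integer (e.g. the sysctl could not be read).
paranoid_status() {
    case "$1" in
        ''|*[!0-9-]*) echo "unknown"; return 2 ;;
    esac
    if [ "$1" -ge 2 ]; then
        echo "mitigated"; return 0
    fi
    echo "unmitigated"; return 1
}

# arch_affected ARCH -> success only for the architecture the thread reports as affected.
arch_affected() {
    [ "$1" = "x86_64" ]
}

# check_host: inspect the running system and print a one-line verdict per item.
check_host() {
    rel=$(uname -r 2>/dev/null || echo unknown)
    arch=$(uname -m 2>/dev/null || echo unknown)
    val=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null || echo "")
    status=$(paranoid_status "$val" || true)

    echo "kernel:               $rel"
    if arch_affected "$arch"; then
        echo "arch:                 $arch (affected by the published exploit)"
    else
        echo "arch:                 $arch (not targeted by the published exploit)"
    fi
    echo "perf_event_paranoid:  ${val:-<unreadable>} -> $status"
    if [ "$status" != "mitigated" ]; then
        echo "hint: sysctl kernel.perf_event_paranoid=2 blocks the published exploit only;"
        echo "      install the patched kernel for a real fix."
    fi
}

check_host
```

Run it as an unprivileged user; the sysctl setting does not persist across reboots unless it is also added to /etc/sysctl.conf.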

Re: Kernel 2.6.32-358 Local Privilege Escalation

Posted: 2013/05/14 23:13:56
by toracat
The distro kernel (not the centosplus one) with the patch is now available from:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.6.1.el6.cve20132094/x86_64/

It was confirmed that this kernel is not exploitable. This is signed by the centos-6 test key and you can install the key by running (optional):

rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-Testing-6