Kernel 2.6.32-358 Local Privilege Escalation

oesman
Posts: 3
Joined: 2013/05/14 13:37:05

Kernel 2.6.32-358 Local Privilege Escalation

Post by oesman » 2013/05/14 13:42:06

Thought I'd let you guys know about this since most people don't run custom kernels:

http://xxxxsheep.org/~sd/warez/semtex.c

Patch: https://patchwork.kernel.org/patch/2441281/

Currently works to give root on CentOS 6 with latest kernel:

[omg@secure ~]$ gcc -O2 semtex.c
[omg@secure ~]$ ./a.out
2.6.37-3.x x86_64
sd@xxxxsheep.org 2010
-sh-4.1# whoami
root
-sh-4.1# uname -a
Linux secure 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
-sh-4.1#

EDIT: To point out, the exploit is for a newer kernel version, but it seems the exploit itself was backported into 2.6.32 by CentOS.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by TrevorH » 2013/05/14 14:52:52

I've edited your post to remove the profanity from the URL and email addresses. Anyone who wants to download the exploit can easily find it using google and it helps to keep our forums child friendly!

The exploit appears to only work on 64 bit systems and only if the code is compiled with gcc -O2. It's not specific to the 358 series of kernels - I've seen reports of it working as far back as 2.6.32-220*. Installing kmod-tpe from ELRepo would be one way of preventing the exploit since that stops all executables from running if they are not owned by root:root!

oesman
Posts: 3
Joined: 2013/05/14 13:37:05

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by oesman » 2013/05/14 14:58:02

No problem. You are correct, it works on 2.6.32 because the same bug was backported to 2.6.32 from newer versions, which is normal since CentOS relies on backporting. And yes it's for x86_64, but I figure it affects most people, who's not running 64-bit in these days of cheap ram and good compatibility :)?

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Kernel 2.6.32-358 Local Privilege Escalation

Post by toracat » 2013/05/14 15:57:55

[quote]
Installing kmod-tpe from ELRepo would be one way of preventing the exploit since that stops all executables from running if they are not owned root:root![/quote]
More detailed info can be found on ELRepo's [url=http://elrepo.org/tiki/kmod-tpe]kmod-tpe[/url] page.

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by toracat » 2013/05/14 17:00:25

Because the current mainline (stable) kernels from kernel.org have been fixed, another workaround will be to use ELRepo's [url=http://elrepo.org/tiki/kernel-ml]kernel-ml[/url] or [url=http://elrepo.org/tiki/kernel-lt]kernel-lt[/url] until the distro kernel gets a patch.

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by toracat » 2013/05/14 17:14:35

Upstream BZ at https://bugzilla.redhat.com/show_bug.cgi?id=962792.

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by toracat » 2013/05/14 19:31:17

CentOSPlus *test* kernel with the patch is now available from:

http://people.centos.org/toracat/kernel/6/plus/perfbugfix/x86_64/

It was confirmed to work. Only the 64-bit kernel is provided because the 32-bit kernel is not affected.

NOTE: this is not an official release by CentOS.

nouvo09
Posts: 184
Joined: 2009/09/19 19:21:36
Location: Paris, France

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by nouvo09 » 2013/05/14 21:35:19

[quote]
oesman wrote:
who's not running 64-bit in these days of cheap ram and good compatibility :)?[/quote]

I am not. I have never found a single reason to run a 64-bit system while we have PAE 32-bit, which never has issues with third-party programs.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by TrevorH » 2013/05/14 21:37:37

Also, from that upstream bugzilla, a workaround for [u]the current exploit only[/u] is to run `sysctl kernel.perf_event_paranoid=2` but the system is still vulnerable to an attack, just not one that has been devised (or published) yet.
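The sysctl workaround above is easy to verify on a host, so here is a small POSIX shell check, added to this thread as an example and not something posted by TrevorH or taken from the bugzilla. It reads the live value from /proc/sys/kernel/perf_event_paranoid (or from any file path you pass, so it can be tested against a saved copy), reports whether the value is at the recommended level of 2 or higher, and notes whether the machine architecture is x86_64, since earlier posts say the 32-bit kernel is not affected. The function names, the file-path argument and the exit codes are my own choices.

```shell
#!/bin/sh
# Check whether the perf_event_paranoid workaround from the thread is in place.
# This is an added example; the function names and exit codes are assumptions.

# perf_paranoid_ok [FILE]
#   Reads the sysctl value from FILE (default: the live /proc entry).
#   Returns 0 if the value is >= 2 (unprivileged perf_event_open restricted),
#   1 if it is lower, and 2 if the file is unreadable or not an integer.
perf_paranoid_ok() {
  f="${1:-/proc/sys/kernel/perf_event_paranoid}"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
  v=$(tr -d '[:space:]' < "$f")
  case "$v" in
    ''|*[!0-9-]*) echo "unexpected value in $f: '$v'" >&2; return 2 ;;
  esac
  if [ "$v" -ge 2 ]; then
    echo "perf_event_paranoid=$v (workaround in place)"
    return 0
  fi
  echo "perf_event_paranoid=$v (below 2: workaround NOT in place)"
  return 1
}

# arch_affected ARCH
#   Returns 0 when ARCH is the 64-bit x86 kernel the thread says is affected.
arch_affected() {
  [ "$1" = "x86_64" ]
}

# main [FILE]
#   Prints a one-line summary for this host and returns perf_paranoid_ok's code.
main() {
  arch=$(uname -m)
  if arch_affected "$arch"; then
    echo "architecture $arch: 64-bit kernel, check applies"
  else
    echo "architecture $arch: thread reports 32-bit kernel not affected"
  fi
  perf_paranoid_ok "$1"
}

main "$@"
```

Run it without arguments on the host to see the live state; a value set with `sysctl -w` does not survive a reboot unless it is also added to /etc/sysctl.conf, so the check is worth re-running after the next reboot.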

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by toracat » 2013/05/14 23:13:56

The distro kernel (not the centosplus one) with the patch is now available from:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.6.1.el6.cve20132094/x86_64/

It was confirmed that this kernel is not exploitable. This is signed by the centos-6 test key and you can install the key by running (optional):

rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-Testing-6
