Kernel 2.6.32-358 Local Privilege Escalation

Support for security such as Firewalls and securing linux

Post by oesman » 2013/05/14 13:42:06

Thought I'd let you guys know about this since most people don't run custom kernels:

http://xxxxsheep.org/~sd/warez/semtex.c

Patch: https://patchwork.kernel.org/patch/2441281/

Currently works to give root on CentOS 6 with latest kernel:

[omg@secure ~]$ gcc -O2 semtex.c
[omg@secure ~]$ ./a.out
2.6.37-3.x x86_64
sd@xxxxsheep.org 2010
-sh-4.1# whoami
root
-sh-4.1# uname -a
Linux secure 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
-sh-4.1#

EDIT: To point out, the exploit is for a newer kernel version, but it seems the exploit itself was backported into 2.6.32 by CentOS.
oesman
 
Posts: 3
Joined: 2013/05/14 13:37:05

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by TrevorH » 2013/05/14 14:52:52

I've edited your post to remove the profanity from the URL and email addresses. Anyone who wants to download the exploit can easily find it using Google and it helps to keep our forums child friendly!

The exploit appears to only work on 64 bit systems and only if the code is compiled with gcc -O2. It's not specific to the 358 series of kernels - I've seen reports of it working as far back as 2.6.32-220*. Installing kmod-tpe from ELRepo would be one way of preventing the exploit since that stops all executables from running if they are not owned root:root!
TrevorH
Forum Moderator
 
Posts: 9147
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by oesman » 2013/05/14 14:58:02

No problem. You are correct, it works on 2.6.32 because the same bug was backported to 2.6.32 from newer versions, which is normal since CentOS relies on backporting. And yes it's for x86_64, but I figure it affects most people, who's not running 64-bit in these days of cheap ram and good compatibility :)?
oesman
 
Posts: 3
Joined: 2013/05/14 13:37:05

Kernel 2.6.32-358 Local Privilege Escalation

Post by toracat » 2013/05/14 15:57:55

Installing kmod-tpe from ELRepo would be one way of preventing the exploit since that stops all executables from running if they are not owned root:root!

More detailed info can be found on ELRepo's kmod-tpe page.
toracat
Forum Moderator
 
Posts: 6695
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by toracat » 2013/05/14 17:00:25

Because the current mainline (stable) kernels from kernel.org have been fixed, another workaround will be to use ELRepo's kernel-ml or kernel-lt until the distro kernel gets a patch.
toracat
Forum Moderator
 
Posts: 6695
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by toracat » 2013/05/14 17:14:35

toracat
Forum Moderator
 
Posts: 6695
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by toracat » 2013/05/14 19:31:17

CentOSPlus *test* kernel with the patch is now available from:

http://people.centos.org/toracat/kernel ... ix/x86_64/

It was confirmed to work. Only the 64-bit kernel is provided because the 32-bit kernel is not affected.

NOTE: this is not an official release by CentOS.
toracat
Forum Moderator
 
Posts: 6695
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by nouvo09 » 2013/05/14 21:35:19

oesman wrote:
who's not running 64-bit in these days of cheap ram and good compatibility :)?


I am not. I never found one reason to run a 64-bit system while we have a PAE 32-bit one which never has issues with 3rd-party programs.
nouvo09
 
Posts: 44
Joined: 2009/09/19 19:21:36

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by TrevorH » 2013/05/14 21:37:37

Also, from that upstream bugzilla, a workaround for the current exploit only is to run `sysctl kernel.perf_event_paranoid=2` but the system is still vulnerable to an attack, just not one that has been devised (or published) yet.
TrevorH
Forum Moderator
 
Posts: 9147
Joined: 2009/09/24 10:40:56
Location: Brighton, UK
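
An audit of the `kernel.perf_event_paranoid` workaround from the post above, as an added example that is not part of the original thread. It goes one step beyond the post by also checking whether the setting is persisted, since a value set with `sysctl` at runtime is lost on reboot; the function names, the status strings and the use of /etc/sysctl.conf as the persistent location are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the perf_event_paranoid workaround.
# File paths are parameters so the checks can be run against copies of the files.

# Print the value a sysctl-style config file assigns to the key (the last
# assignment wins because the file is applied top to bottom); nothing if unset.
persisted_paranoid() {
    conf=$1
    [ -r "$conf" ] || return 0
    sed -n 's/^[[:space:]]*kernel\.perf_event_paranoid[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*$/\1/p' "$conf" | tail -n 1
}

# Args: machine architecture, file holding the runtime value, sysctl config file.
# Prints: not-applicable | unknown | unmitigated | runtime-only | persistent
audit_paranoid() {
    arch=$1
    proc_file=$2
    conf=$3
    # The thread reports that only 64-bit kernels are affected.
    [ "$arch" = "x86_64" ] || { echo not-applicable; return 0; }
    runtime=$(cat "$proc_file" 2>/dev/null) || runtime=
    # Reject anything that is not a (possibly negative) integer.
    case ${runtime#-} in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    saved=$(persisted_paranoid "$conf")
    if [ "$runtime" -lt 2 ]; then
        echo unmitigated        # workaround value (2) is not in effect now
    elif [ -n "$saved" ] && [ "$saved" -ge 2 ]; then
        echo persistent         # in effect now and re-applied at boot
    else
        echo runtime-only       # in effect now, but gone after a reboot
    fi
}

# Live check against this host: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_paranoid "$(uname -m)" /proc/sys/kernel/perf_event_paranoid /etc/sysctl.conf
fi
```

A `runtime-only` result means the line `kernel.perf_event_paranoid = 2` still needs to be added to the config file. As the post says, this only blocks the current exploit; the patched kernel is the actual fix.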

Re: Kernel 2.6.32-358 Local Privilege Escalation

Post by toracat » 2013/05/14 23:13:56

The distro kernel (not the centosplus one) with the patch is now available from:

http://people.centos.org/hughesjr/c6ker ... 94/x86_64/

It was confirmed that this kernel is not exploitable. This is signed by the centos-6 test key and you can install the key by running (optional):

rpm --import http://mirror.centos.org/centos/RPM-GPG ... -Testing-6
toracat
Forum Moderator
 
Posts: 6695
Joined: 2006/09/03 16:37:24
Location: California, US
