Slashdot Mirror
Linux Kernel 2.6 Local Root Exploit
aquatix writes "This local root exploit (Debian, Ubuntu) seems to work everywhere I try it, as long as it's a Linux kernel version 2.6.17 to 2.6.24.1. If you don't trust your users (which you shouldn't), better compile a new kernel without vmsplice." Here is millw0rm's proof-of-concept code.
This is not an universal problem. It only occurs for those kernels with a specific function compiled in that most installations won't need, and which halfway decent sysadmins won't have as part of the kernel anyhow when they don't need it.
Yet another good example of why you shouldn't hire the sysadmins who blindly use what the vendors ship, but security and performance minded sysadmins who reduce installations to what's actually needed.
And even if it isn't on its way (and while it isn't here) you can still get the source and remove the problematic part if you don't need it. Try recompiling Flash or some other commercial software without the section that has the exploit in ;)
.
Note: The above assumes that the kernel compiles, which may not always go as smoothly or be as you'd like. That doesn't change the fact that it is theoretically possible, though.
The proof-of-concept code only supports x86 and x86_64. Does that mean other architectures are immune?
Looking at the comments at the top of the code, it's described as "quite old code" (assuming you believe the author).
The problem is, even though you're the sole user, that if other exploits appear they could piggyback this to escalate from, say, access as www-user to access as root. Got any http services on that box for your own convenience, and any of those use PHP? Based on past experiences, this might hose you. Got SSH on there? Again, based on past experiences, this might hose you. Sendmail and some kind of mailscanning? Again, this might hose you.
It's not just a matter of whether or not you trust your users - it's also a matter of whether or not you trust anyone who attempts to exploit some other service your box offers to not try for root access once they get in. "Please, Mr Blackhat, you've gained access to my box, but please don't elevate that to root!" sounds more than a little naieve, and even a little stupid, but that's exactly what people who leave a whole lot of locally exploitable vulnerabilities on their boxes are saying. By not leaving this kind of thing laying around, you are making it a little bit more difficult for anyone who does manage to gain access to your box to gain full access to it.
Security is all about healthy paranoia, and a belt AND braces AND duct tape approach can pay dividends.
Am I personally worried about this? On my work machine and servers I administer, hell yeah - always on, always connected, running various things that in the past have had vulnerabilities - of course I am, I'd be stupid not to be. At home (dial-up, behind a firewall with NAT, nothing much in the way of services, turned off most of the time even though I don't usually bother turning off my WEP-protected wireless access point), not so much - and not just because the only accounts are held by me. I don't broadcast the SSID, I have a couple of neighbors with no security on their broadband-connected wireless access points, and I don't run an awful lot in the way of remote services when I do have my home machines running. If I had broadband at home and a machine that was running anything that was remotely accessible, or if I didn't have a vertiable smorgasbord of less security-conscious neighbours - I'd fix this at home in a heartbeat.
Normally the browser would only have access as your user account,
Which it can use to modify your menus so that next time you click that "root terminal" entry the parameters to gksu are a bit different.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
...I have a question for you. I 100% agree this is an advantage of open-source than closed-source software will never have, ever. You've got me on that one, but my immediate thought was "ok, how much would I like to change my own kernel in production systems? About 0% thank-you-very-much".
I mean, hacking stuff in and out of a production system kernel; surely that's a process that would require months of intensive regression testing, etc, etc? I mean, I doubt there are people that know the kernel well enough to do such changes for their own systems, but really, what percentage of you guys honestly and confidently can say "Yeah, let me just fix that for us" knowing your job is on the line if your systems crash around you.
This isn't a troll, this is an honest question.
throw new NoSignatureException();
This local root exploit is very likely to be the one used to infect servers reference in previous Slashdot article Mystery Malware Affecting Linux/Apache Web Servers.
It seems pretty clear that people are using other remote vulnerabilities to gain local user access and then using this local root exploit to install their "malware".
Get those boxes updated as quickly as possible, folks!