Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

I can confirm this in Gutsy:

$ gcc exploit.c -o exploit
$ whoami
heikki
$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d90000 .. 0xb7dc2000
[+] root
$ whoami
root

Kernel 2.6.22-14-generic

I confirm this in Hardy Heron
kernel 2.6.24-7-generic

Confirm on Gutsy:
rhk@rubert:~$ gcc exploit2.c -o exploit2
rhk@rubert:~$ ./exploit2
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e04000 .. 0xb7e36000
[+] root
root@rubert:~# uname -a
Linux rubert 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux
root@rubert:~#

http://bugzilla.kernel.org/show_bug.cgi?id=9924

Also able to confirm on Hardy.

actually the bug exploitable from 2.6.17-2.6.24 is CVE-2008-0600. CVE-2008-0009/10 only affect
.23 and .24 (so only hardy is affected)

see http://lkml.org/lkml/2008/2/10/177 for details

(btw this bug is pretty scary, it works almost anywhere you can have a shell...)

Confirmed in Hardy - 2.6.24

I confirm that on hardy and gutsy. I also confirm that the hotfix referenced in debian bugreport http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 which sets the first byte of sys_vmsplice to RET in /dev/mem ( http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c ) works and prevents the exploit from functioning. I don't know if having that function returning can otherwise adversely affect the system, though.

RHEL tracker is at: https://bugzilla.redhat.com/show_bug.cgi?id=432251 but LP won't allow adding a second entry (in addition to the one for Fedora).

Gutsy/amd64 is affected too.

Confirmed in Gutsy. Kernel 2.6.22-14-generic

Upstream fix:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

Confirmed on feisty AMD64 (i386 isn't affected, AMD64 is).

I also confirm that suggested hotfix fixes the problem until next reboot, of course.

steve@genesis:~/bin$ gcc exploitsrv.c -o exploitsrv
steve@genesis:~/bin$ whoami
steve
steve@genesis:~/bin$ ./exploitsrv
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e44000 .. 0xb7e76000
[+] root
root@genesis:~/bin# uname -a
Linux genesis 2.6.22-14-server #1 SMP Fri Feb 1 05:28:54 UTC 2008 i686 GNU/Linux
root@genesis:~/bin#

The Security Team is working on getting the fix built up. We should have updated kernels available shortly.

Luis Alcaraz (Mexico)
Confirmed on Ubuntu 7.10 2.6.22-14-generic
---
lalcaraz@lalcaraz-laptop:~$ vim exploit.c
lalcaraz@lalcaraz-laptop:~$ gcc exploit.c -o exploit
lalcaraz@lalcaraz-laptop:~$ whoami
lalcaraz
lalcaraz@lalcaraz-laptop:~$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e29000 .. 0xb7e5b000
[+] root
root@lalcaraz-laptop:~# whoami
root
root@lalcaraz-laptop:~# uname -a
Linux lalcaraz-laptop 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux
root@lalcaraz-laptop:~#

Hi guys,

Just got a question in regards to the above theory, you have mentioned that kernel 2.6.17-2.6.24 is affected whereas a normal user have the ability to login as root with no password and sudo command,so my question here is that I have two version of Kernel on two separate machines 2.6.15-26 and 2.6.16 are these kernel affected as well.

If they are what patch should we follow to stop this from happening

It will be please of some expert answer my query as I am new to Linux and security topics

Thanks in advanced
Fadi

Fadi, no, 2.6.15 isn't affected. I can't test 2.6.16, but it also shouldn't be affected.

Thanks Ante,
How did you test kernel 2.6.15 I have a machine here with kernel 2.6.16 and
might test on it

On Feb 11, 2008 5:47 PM, Ante Karamatić <email address hidden> wrote:

> Fadi, no, 2.6.15 isn't affected. I can't test 2.6.16, but it also
> shouldn't be affected.
>
> --
> Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
> https://bugs.launchpad.net/bugs/190587
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in Source Package "linux" in Ubuntu: In Progress
> Status in Source Package "linux-source-2.6.17" in Ubuntu: In Progress
> Status in Source Package "linux-source-2.6.20" in Ubuntu: In Progress
> Status in Source Package "linux-source-2.6.22" in Ubuntu: In Progress
> Status in Debian GNU/Linux: Unknown
> Status in Source Package "linux" in Fedora: Unknown
> Status in Gentoo Linux: Unknown
> Status in Mandriva Linux: Unknown
>
> Bug description:
> https://bugs.gentoo.org/show_bug.cgi?id=209460 works on at least Hardy
> 2.6.24-7, Edgy 2.6.17-12, but not on Feisty 2.6.20-16.
>

--
Regards,
Fadi Kaba
<email address hidden>

2008/2/11 Fadi Kaba <email address hidden>:

> Thanks Ante,
> How did you test kernel 2.6.15 I have a machine here with kernel 2.6.16and might test on it
>
>
> On Feb 11, 2008 5:47 PM, Ante Karamatić <email address hidden> wrote:
>
> > Fadi, no, 2.6.15 isn't affected. I can't test 2.6.16, but it also
> > shouldn't be affected.
> >
> > --
> > Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
> > https://bugs.launchpad.net/bugs/190587
> > You received this bug notification because you are a direct subscriber
> > of the bug.
> >
> > Status in Source Package "linux" in Ubuntu: In Progress
> > Status in Source Package "linux-source-2.6.17" in Ubuntu: In Progress
> > Status in Source Package "linux-source-2.6.20" in Ubuntu: In Progress
> > Status in Source Package "linux-source-2.6.22" in Ubuntu: In Progress
> > Status in Debian GNU/Linux: Unknown
> > Status in Source Package "linux" in Fedora: Unknown
> > Status in Gentoo Linux: Unknown
> > Status in Mandriva Linux: Unknown
> >
> > Bug description:
> > https://bugs.gentoo.org/show_bug.cgi?id=209460 works on at least Hardy
> > 2.6.24-7, Edgy 2.6.17-12, but not on Feisty 2.6.20-16.
> >
>
>
>
> --
> Regards,
> Fadi Kaba
> <email address hidden>

--
Regards,
Fadi Kaba
<email address hidden>

Temporary fix :

* Download http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c
* Compile it using gcc (so "gcc disable-vmsplice-if-exploitable.c -o rm_exploit") as normal user
* Run it as normal user
--> You are now protected until the next reboot of the system

Just some corrections to my previous post :

Line 4 :
* Compile it using gcc (so "gcc disable-vmsplice-if-exploitable.c -o rm_exploit" without the quotes) as normal user
Line 5 :
* Run it as normal user ("./rm_exploit" without the quotes)

For record, Dapper (2.6.15) is not affected.

Also, CVEs for these issues are:
CVE-2008-0009 (2.6.22+), CVE-2008-0010 (2.6.17+ -- see get_iovec_page_array prior to 2.6.22), CVE-2008-0600 (2.6.17+).

Hi,

This doesn't work, because it still creates a DoS condition when it
alters your memory map.

On Mon, 2008-02-11 at 07:08 +0000, slasher-fun wrote:
> Temporary fix :
>
> * Download http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c
> * Compile it using gcc (so "gcc disable-vmsplice-if-exploitable.c -o rm_exploit") as normal user
> * Run it as normal user
> --> You are now protected until the next reboot of the system
>

Fixes for CVE-2008-0009, CVE-2008-0010:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8811930dc74a503415b35c4a79d14fb0b408a361

Fixes for CVE-2008-0600:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

CVE-2008-0600 fixed in 2.6.22.18 [1,2]

[1] http://lkml.org/lkml/2008/2/11/27
[2] http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=af395d8632d0524be27d8774a1607e68bdb4dd7f

confirmed in gutsy 2.6.22-14-generic

Kees - from what I can tell CVE-2008-0009 and CVE-2008-0010 affect only 2.6.23 through 2.6.24.1. CVE-2008-0600 affects 2.6.17 through 2.6.24.1.

Greg k-h:
"It has been given CVE-2008-0600 to address this issue (09 and 10 only
affect .23 and .24 kernels, and have been fixed.)"

We'll get all 3 CVEs fixed in the 2.6.24.2 stable tree, upon which Hardy 2.6.24-7.13 will be based.

I am packaging fixes for Edgy/Feisty/Gusty .

Seems to fail on this part:

        if (!uid || !gid)
                die("!@#$", 0);

-------

boglizk@thebox:~$ gcc linux_vmsplice.c
boglizk@thebox:~$ ./a.out
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[-] !@#$
boglizk@thebox:~$ uname -a
Linux thebox 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux

Why priority is "high" but no "critical"?
Is there a higher criticity than a root exploit in 3 seconds?

Yes, a remote root exploit.

Hi,
I was wondering how others are dealing with this, beyond the runtime patch on bootup. It seems like a tossup between grabbing/patching kernel source and waiting for the security update, does anyone know a rough eta on a safe gutsy kernel package? Thanks for the help, this is new territory for me.

Tom, the present hotfix is dangerous. See http://lists.debian.org/debian-kernel/2008/02/msg00387.html

Indeed, I ran the hotfix on my desktop last night (gutsy with latest
updates) and as soon as it finished, running programs began to crash.
I wasn't able to see any error messages to dmesg, but the system was
unstable enough that I had to reboot it. I would *not* recommend
running the hotfix.

Duh. What about using the patch from the upstream? https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/26

@Boglizk: Not run it as root.

The fix for this vulnerability is in the 2.6.24.2 tree against which Hardy was recently updated and is in the process of being packaged for upload.

What about Gutsy, any update when the fix will be released?

Contrary to what I've been reading, I can confirm this on feisty, at least with AMD processor:

ycsapo@pie:~$ grep "model name" /proc/cpuinfo
model name : Dual-Core AMD Opteron(tm) Processor 2218
model name : Dual-Core AMD Opteron(tm) Processor 2218
model name : Dual-Core AMD Opteron(tm) Processor 2218
model name : Dual-Core AMD Opteron(tm) Processor 2218
ycsapo@pie:~$ uname -a
Linux pie 2.6.20-16-generic #2 SMP Thu Jan 31 22:39:18 UTC 2008 x86_64 GNU/Linux
ycsapo@pie:~$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2ac0a9f0d000 .. 0x2ac0a9f3f000
[+] root
root@pie:~# whoami
root
root@pie:~#

I also confirm the suggested hotfix (disable-vmsplice-if-exploitable.c) works:

ycsapo@pie:~$ cc disable-vmsplice-if-exploitable.c
ycsapo@pie:~$ ./a.out
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2acad5163000 .. 0x2acad5195000
[+] root
Exploit gone!
ycsapo@pie:~$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2b010025b000 .. 0x2b010028d000
[-] vmsplice
ycsapo@pie:~$ whoami
ycsapo

On Tue, Feb 12, 2008 at 03:18:36AM -0000, Yuri wrote:
> Contrary to what I've been reading, I can confirm this on feisty, at
> least with AMD processor:

of course feisty is exploitable it works for 2.6.17-2.6.24.1 (and see
the summary of the bug, 2.6.20 is mentionned).

--
:wq

I also confirm this in Hardy.

When will the fixe be upgraded in repositories (gutsy)?

The exploit does not seem to work on feisty:
$ gcc vmsplice.c -o vmsp
$ ./vmsp
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e20000 .. 0xb7e52000
Segmentation fault (core dumped)

But the exploit works on Gusty and the fix in http://home.powertech.no/oystein/ptpatch2008/ptpatch2008.c seems to work:

Remember that the Makefile (http://home.powertech.no/oystein/ptpatch2008/Makefile) has to be downloaded also. After you run make all, there will be a kernel module called ptpatch2008.ko in the same directory. Insert the module into the kernel:
#insmod ptpatch2008.ko

This will prevent the privilege escalation as long as the machine is not rebooted. You can also insert the module at startup in the event the machine is rebooted. This has worked for me so far, until we get an official fix in the repository.

This bug was fixed in the package linux-source-2.6.22 - 2.6.22-14.52

---------------
linux-source-2.6.22 (2.6.22-14.52) gutsy-security; urgency=low

  [Tim Gardner]

  * splice: fix user pointer access in get_iovec_page_array()
    (CVE-2008-0600)
    - LP: #190587

 -- Tim Gardner <email address hidden> Mon, 11 Feb 2008 10:01:17 -0700

http://www.ubuntu.com/usn/usn-577-1

Thanks for the people who helped with fixing this bug! But I have a question: why had fedora and debian already released a updated kernel yesterday to fix this problem and why ubuntu just now with many hours delay to the other great distributions? Did you have any problem apling the debian-patch to the ubuntu kernel?

greets

Fedora and Debian do not support as many releases as Ubuntu and thus the time consumption to package and test if any regressions appear is longer than for others.

But honestly, the time frame from the patches being published to having security updates in Ubuntu was ~ 48 hours, which is good in my opinion. Just compare it to once a month (granted that for such critical bugs MS would probably do an exception)

Thanks for the answer. Of course you are right, that 48h isn't that long for a just local exploit. And of course any comparison with MS is surely won by ubuntu :) I was just wondering why debian's updated kernel was so many hours before ubuntu's released. The places to patch the kernel-source should be exactly the same in both.

>> thus the time consumption to package and test if
>> any regressions appear is longer than for others.
Means that there is an all or nothing policy? So even if the i386-patch would have been created and tested it hadn't been released before the patches for generic- and 64bit-kernels had been created and released?

greets

On Tue, 2008-02-12 at 18:50 +0000, Martin Jürgens wrote:
> But honestly, the time frame from the patches being published to
> having security updates in Ubuntu was ~ 48 hours, which is good in my
> opinion. Just compare it to once a month (granted that for such
> critical bugs MS would probably do an exception)

Eh, not necessarily. Microsoft took 18 months to fix a critical remote
code execution exploit in their TCP/IP stack:

http://www.microsoft.com/technet/security/Bulletin/MS06-032.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx

Ubuntu has done most excellently in getting this patched as soon as it
did. Microsoft likes to sling mud at projects like Ubuntu for the
number of open bugs that there are on the public bug trackers, but there
is no point to it---it's pure FUD. We can't see what bugs they have in
their internal trackers, and there are probably more of them (and far
worse) than we have in ours. What we can see is that they take a long
time to close critical security flaws in their operating system, and
that is one of the many reasons there are to use Ubuntu. Let's not
forget that. 48 hours? That's hardly nothing. Even 96 is nothing.

 --- Mike

--
Michael B. Trausch <email address hidden>
home: 404-592-5746, 1 www.trausch.us
cell: 678-522-7934 im: <email address hidden>, jabber
Ubuntu Unofficial Backports Project: http://backports.trausch.us/

On Tue, 2008-02-12 at 19:11 +0000, Adna rim wrote:
> Means that there is an all or nothing policy? So even if the
> i386-patch would have been created and tested it hadn't been released
> before the patches for generic- and 64bit-kernels had been created and
> released?

IIRC, the kernels are all put into a build queue at the same time.
There is testing before it's sent off to be built by the machines that
build for the repository. This would not be unlike the way PPA works.

 --- Mike

--
Michael B. Trausch <email address hidden>
home: 404-592-5746, 1 www.trausch.us
cell: 678-522-7934 im: <email address hidden>, jabber
Ubuntu Unofficial Backports Project: http://backports.trausch.us/

My compliments for the fast response for this exploit. I have just one question left about this exploit: I have just executed the proof-of-concept code (http://www.milw0rm.com/exploits/5092) again with the updated kernel. Is there no memory corruption at all with this new kernel version?
Or should I reboot my pc after running the proof-of-concept) just for sure?
Thanks.

It seems to me that as the number of Ubuntu's supported releases continues to grow, it's going to get harder for the development team to verify bugs and get fixes out for all the supported versions. Aside from reporting bugs and exploits, how can users with programming experience assist with this?

I think that the number of supported releases should stay fairly static as support for older releases is dropped. For example, Edgy is only supported on the desktop until April, when Hardy is released.

Running Hardy Heron, Latest updates:
kyle@ubuntu:~$ uname -a
Linux ubuntu 2.6.24-7-generic #1 SMP Thu Feb 7 01:29:58 UTC 2008 i686 GNU/Linux
kyle@ubuntu:~$ whoami
kyle
kyle@ubuntu:~$ ./local
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] addr: 0xc011d7e0
[+] root
root@ubuntu:~# whoami
root
root@ubuntu:~#

linux (2.6.24-8.13) hardy; urgency=low

  [Soren Hansen]

  * Add missing iscsi modules to kernel udebs

  [Stefan Bader]

  * Lower message level for PCI memory and I/O allocation.

  [Tim Gardner]

  * Enabled IP_ADVANCED_ROUTER and IP_MULTIPLE_TABLES in sparc, hppa
    - LP: #189560
  * Compile RealTek 8139 using PIO method.
    - LP: #90271
  * Add WD WD800ADFS NCQ horkage quirk support.
    - LP: #147858

  [Upstream Kernel Changes]

  * Introduce WEXT scan capabilities
  * DVB: cx23885: add missing subsystem ID for Hauppauge HVR1800 Retail
  * slab: fix bootstrap on memoryless node
  * vm audit: add VM_DONTEXPAND to mmap for drivers that need it
    (CVE-2008-0007)
  * USB: keyspan: Fix oops
  * usb gadget: fix fsl_usb2_udc potential OOPS
  * USB: CP2101 New Device IDs
  * USB: add support for 4348:5523 WinChipHead USB->RS 232 adapter
  * USB: Sierra - Add support for Aircard 881U
  * USB: Adding YC Cable USB Serial device to pl2303
  * USB: sierra driver - add devices
  * USB: ftdi_sio - enabling multiple ELV devices, adding EM1010PC
  * USB: ftdi-sio: Patch to add vendor/device id for ATK_16IC CCD
  * USB: sierra: add support for Onda H600/Zte MF330 datacard to USB Driver
    for Sierra Wireless
  * USB: remove duplicate entry in Option driver and Pl2303 driver for
    Huawei modem
  * USB: pl2303: add support for RATOC REX-USB60F
  * USB: ftdi driver - add support for optical probe device
  * USB: use GFP_NOIO in reset path
  * USB: Variant of the Dell Wireless 5520 driver
  * USB: storage: Add unusual_dev for HP r707
  * USB: fix usbtest halt check on big endian systems
  * USB: handle idVendor of 0x0000
  * forcedeth: mac address mcp77/79
  * lockdep: annotate epoll
  * sys_remap_file_pages: fix ->vm_file accounting
  * PCI: Fix fakephp deadlock
  * ACPI: update ACPI blacklist
  * x86: restore correct module name for apm
  * sky2: restore multicast addresses after recovery
  * sky2: fix for WOL on some devices
  * b43: Fix suspend/resume
  * b43: Drop packets we are not able to encrypt
  * b43: Fix dma-slot resource leakage
  * b43legacy: fix PIO crash
  * b43legacy: fix suspend/resume
  * b43legacy: drop packets we are not able to encrypt
  * b43legacy: fix DMA slot resource leakage
  * selinux: fix labeling of /proc/net inodes
  * b43: Reject new firmware early
  * sched: let +nice tasks have smaller impact
  * sched: fix high wake up latencies with FAIR_USER_SCHED
  * fix writev regression: pan hanging unkillable and un-straceable
  * Driver core: Revert "Fix Firmware class name collision"
  * drm: the drm really should call pci_set_master..
  * splice: missing user pointer access verification (CVE-2008-0009/10)
  * Linux 2.6.24.1
  * splice: fix user pointer access in get_iovec_page_array()
  * Linux 2.6.24.2

 -- Tim Gardner < <email address hidden>> Thu, 07 Feb 2008 06:50:13 -0700

Per Gentoo, it's now fixed in all releases.

No, I don't want to join at LinkedIn!