[econet] LTS Maverick backport kernel: Local privilege escalation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-lts-backport-maverick (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Binary package hint: linux-image-
While regular 2.6.32-based kernel images as well as Maverick's 2.6.35 branch already got some bugfixes for the econet module (USN-1023-1), there is a newer local exploit by Dan Rosenberg that combines several exploits discovered by Nelson Elhage to get a root shell: http://
He made the exploit in a way that it shouldn't work on most default (patched) distributions, so there is no abuse. This exploit seems not to work in the latest Maverick kernel (see: http://
```text
sim@gemini:~$ uname -a
Linux gemini 2.6.35-22-virtual #34~lucid1-Ubuntu SMP Mon Oct 11 15:07:52 UTC 2010 x86_64 GNU/Linux
sim@gemini:~$ ./a.out
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xffffffffa0376510
[+] Resolved econet_ops to 0xffffffffa0376620
[+] Resolved commit_creds to 0xffffffff81085dc0
[+] Resolved prepare_kernel_cred to 0xffffffff81086290
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# lsmod
Module                  Size  Used by
[...]
econet                 11162  2
```
-> econet is loaded after the exploit was run
And yes, you get a working root shell after the exploit is run.
Update:
It's only a local flaw, but econet got some fixes in both the stock Lucid and Maverick kernels while lts-backport-
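One defender-side check prompted by the lsmod observation above (econet appears only after the exploit ran, because the module is loaded on demand), as an added shell example that is not part of the bug report: it classifies a host from lsmod output and /etc/modprobe.d contents. It assumes that the hardening in use is an `install econet /bin/true` (or `/bin/false`) override in /etc/modprobe.d; the sample lsmod output and modprobe.d text are constructed.

```shell
# Added example, not from the bug report: classify a host's exposure to the
# econet issue from lsmod(8) output and /etc/modprobe.d contents.
# Rationale: as the report shows, econet is loaded on demand when a process
# opens an econet socket, so "not in lsmod" does not mean "not exposed".
# Assumption: the hardening in use is an "install econet /bin/true" (or
# /bin/false) override in /etc/modprobe.d; other forms are not recognised.

# Return 0 if the given lsmod output lists the econet module.
econet_loaded() {
    printf '%s\n' "$1" | awk '$1 == "econet" { found = 1 } END { exit !found }'
}

# Return 0 if the given modprobe.d text overrides loading of econet.
# Comment lines are skipped; only the install override counts.
econet_blocked() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "install" && $2 == "econet" &&
            ($3 == "/bin/true" || $3 == "/bin/false") { ok = 1 }
        END { exit !ok }'
}

# Print one of: loaded (module present, exposed until unloaded),
# blocked (autoload overridden), autoloadable (not loaded, but any
# process can still trigger loading).
econet_exposure() {
    if econet_loaded "$1"; then
        echo loaded
    elif econet_blocked "$2"; then
        echo blocked
    else
        echo autoloadable
    fi
}

# Constructed sample input mirroring the lsmod excerpt in the report.
SAMPLE_LSMOD='Module                  Size  Used by
econet                 11162  2
ext4                  287937  1'
SAMPLE_CONF='# constructed /etc/modprobe.d/disable-econet.conf
install econet /bin/true'

# Run with "--live" on a real host to check its actual state.
if [ "${1:-}" = "--live" ]; then
    econet_exposure "$(lsmod)" "$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)"
else
    echo "sample host: $(econet_exposure "$SAMPLE_LSMOD" "$SAMPLE_CONF")"
fi
```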
tags: added: exploit root
description: updated
Thanks for reporting this issue.
Packages that fix this issue are currently in the -proposed repository.
I'm marking this bug as a duplicate of the SRU tracker bug.