[econet] LTS Maverick backport kernel: Local privilege escalation

Bug #687437 reported by Mathieu Simon
Affects: linux-lts-backport-maverick (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: linux-image-2.6.35-22-virtual

While regular 2.6.32-based kernel images as well as maverick's 2.6.35 branch already got some bugfixes for the econet module (USN-1023-1), there is a newer local exploit by Dan Rosenberg that combines several exploits discovered by Nelson Elhage to get a root shell: http://seclists.org/fulldisclosure/2010/Dec/85

He made the exploit in a way that it shouldn't work on most default (patched) distributions, so there is no abuse. This exploit seems not to work in the latest Maverick kernel (see: http://seclists.org/fulldisclosure/2010/Dec/115), but the most recent lts-backport-maverick 2.6.35-22.34, which is in the official repositories, can be exploited with the code.

sim@gemini:~$ uname -a
Linux gemini 2.6.35-22-virtual #34~lucid1-Ubuntu SMP Mon Oct 11 15:07:52 UTC 2010 x86_64 GNU/Linux

sim@gemini:~$ ./a.out
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xffffffffa0376510
[+] Resolved econet_ops to 0xffffffffa0376620
[+] Resolved commit_creds to 0xffffffff81085dc0
[+] Resolved prepare_kernel_cred to 0xffffffff81086290
[*] Calculating target...
[*] Triggering payload...
[*] Got root!

# lsmod
Module Size Used by
[...]
econet 11162 2
-> econet is loaded after the exploit was run

And yes, you get a working root shell after the exploit run.

Update:
It's only a local flaw, but econet got some fixes in both the stock lucid and maverick kernels while lts-backport-maverick didn't get them. That's the point. :-)
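The check an administrator would want to run while the fixed packages are still in -proposed, as an added example that is not part of the bug report or of any Ubuntu package: it tells a host apart from the build shown in the report (release 2.6.35-22-<flavor>, upload #34~lucid1, taken from the uname line above), says whether econet is currently loaded, and says whether econet can still be demand-loaded. The report shows econet appearing in lsmod only after the exploit ran, because an unprivileged socket(AF_ECONET, ...) call makes the kernel request the module net-pf-19 itself; an `install econet /bin/true` rule or an `alias net-pf-19 off` rule in /etc/modprobe.d stops that. The function names are this example's own, and the report gives no fixed version, so a kernel that does not match is reported only as "not the reported build", not as fixed.

```shell
#!/bin/sh
# Added example, not from the bug report or from Ubuntu. Checks whether a host
# runs the lts-backport-maverick build shown in the report and whether the
# econet module can still be demand-loaded. Function names are this example's own.

# Does a `uname -r` / `uname -v` pair match the build the report shows as
# exploitable (release 2.6.35-22-<flavor>, upload #34~lucid1)? The report gives
# no fixed version, so anything else is only "not the reported build".
matches_reported_build() {
    case "$1" in
        2.6.35-22-*) ;;                # ABI 2.6.35-22, any flavor (virtual, server, ...)
        *) return 1 ;;
    esac
    case "$2" in
        '#34~lucid'*) return 0 ;;      # package 2.6.35-22.34~lucid1
        *) return 1 ;;
    esac
}

# Read `lsmod` output on stdin; succeed if econet is loaded. In the report it
# shows up (use count 2) only after the exploit ran: socket(AF_ECONET, ...) makes
# the kernel call request_module("net-pf-19") on the unprivileged user's behalf.
econet_loaded() {
    grep -Eq '^econet[[:space:]]+[0-9]+'
}

# Read modprobe.d configuration on stdin; succeed if econet demand-loading is
# blocked. Only the two unambiguous forms are matched:
#   install econet /bin/true   - every modprobe request for econet becomes a no-op
#   alias net-pf-19 off        - the protocol-family alias socket() triggers is disabled
# Other mechanisms in a local config would need adding to the pattern.
econet_autoload_blocked() {
    grep -Eq '^[[:space:]]*(install[[:space:]]+econet[[:space:]]+/bin/(true|false)|alias[[:space:]]+net-pf-19[[:space:]]+off)[[:space:]]*$'
}

# Run the three checks against the live system.
check_live_system() {
    rel=$(uname -r)
    ver=$(uname -v)
    if matches_reported_build "$rel" "$ver"; then
        echo "kernel $rel ($ver) is the build reported as exploitable"
    else
        echo "kernel $rel is not the reported build; confirm fix status via USN / -proposed"
    fi
    if lsmod | econet_loaded; then
        echo "econet is currently loaded"
    else
        echo "econet is not loaded"
    fi
    if cat /etc/modprobe.d/*.conf 2>/dev/null | econet_autoload_blocked; then
        echo "econet demand-load is blocked by modprobe configuration"
    else
        echo "econet can be demand-loaded by an unprivileged socket(AF_ECONET) call"
    fi
}

# Run the live checks only when asked, so the functions can also be sourced
# and fed captured `lsmod` / modprobe.d text from another host.
if [ "${1:-}" = "--live" ]; then
    check_live_system
fi
```

Run it as `sh econet-check.sh --live` on the host in question; without the flag it only defines the functions, so `lsmod` output and modprobe.d files collected from other machines can be piped into `econet_loaded` and `econet_autoload_blocked` offline. Blocking the demand-load is a stopgap for hosts that do not need Acorn Econet; it does not replace installing the fixed kernel once it leaves -proposed.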

Tags: exploit root
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

Packages that fix this issue are currently in the -proposed repository.
I'm marking this bug as a duplicate of the SRU tracker bug.

visibility: private → public
Mathieu Simon (mathieu-simon) wrote :

Thank you for the answer, and I'm looking forward to seeing the new packages in main soon.

This report contains Public Security information.