Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

Bug #190587 reported by Hirvinen on 2008-02-10
Affects                        Status         Importance   Assigned to        Milestone
Linux                          Fix Released   High
CentOS                         Fix Released   Critical
Debian                         Fix Released   Unknown
Gentoo Linux                   Fix Released   Undecided    Unassigned
Mandriva                       Fix Released   Critical
Ubuntu                                        Undecided    Unassigned
gplcver (Ubuntu)                              Undecided    Unassigned
linux (Fedora)                 Fix Released   Critical
linux (Ubuntu)                                High         Unassigned
linux-source-2.6.15 (Ubuntu)                  Undecided    Unassigned
linux-source-2.6.17 (Ubuntu)                  High         Jamie Strandboge
linux-source-2.6.20 (Ubuntu)                  High         Jamie Strandboge
linux-source-2.6.22 (Ubuntu)                  High         Jamie Strandboge

Bug Description

https://bugs.gentoo.org/show_bug.cgi?id=209460 works on at least Hardy 2.6.24-7, Edgy 2.6.17-12, but not on Feisty 2.6.20-16.

I can confirm this in Gutsy:

$ gcc exploit.c -o exploit
$ whoami
heikki
$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d90000 .. 0xb7dc2000
[+] root
$ whoami
root

Kernel 2.6.22-14-generic

I confirm this in Hardy Heron
kernel 2.6.24-7-generic

Risto H. Kurppa (risto.kurppa) wrote :

Confirm on Gutsy:
rhk@rubert:~$ gcc exploit2.c -o exploit2
rhk@rubert:~$ ./exploit2
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e04000 .. 0xb7e36000
[+] root
root@rubert:~# uname -a
Linux rubert 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux
root@rubert:~#

Martin Peeks (martinp23) wrote :

A new system call named vmsplice() was introduced in the 2.6.17
release of the Linux kernel.

COSEINC reported two issues affecting vmsplice, CVE-2008-0009 and CVE-2008-0010.

On Saturday 2008-02-10 a public exploit was released that utilised a similar flaw
in vmsplice (the vmsplice_to_pipe function) to allow a local user to gain privileges
on some architectures.

See also
http://marc.info/?t=120263655300003&r=1&w=2

This issue affects kernels 2.6.17+ and therefore affects Red Hat Enterprise
Linux 5, but not Red Hat Enterprise Linux 4, 3, or 2.1.

Note that there may be a little confusion as there are actually three vmsplice
issues:

CVE-2008-0009 is already fixed upstream, does not affect any RHEL, has no
public exploit. Upstream patch is the second hunk of:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361

CVE-2008-0010 is already fixed upstream, does not affect any RHEL, but has
a public exploit. ( http://www.milw0rm.com/exploits/5093 )
Upstream patch is the first hunk of:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361

CVE-2008-0600 is not yet fixed upstream, affects RHEL5,
and has a public exploit ( http://www.milw0rm.com/exploits/5092 )
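As an added illustration, not code from this report or from any of the kernels it names, here is a user-space model of the iovec validation that the Red Hat summary above is about: the pre-fix loop in get_iovec_page_array() passed any non-NULL user pointer on to the page-mapping step, while the fix adds an access_ok-style range test. The 32-bit x86 user/kernel split at 0xC0000000 and the struct layout are assumptions of the model, not kernel definitions.

```c
/* Model of the iovec check behind CVE-2008-0600 (added example, not kernel
 * code). Addresses are modelled as 64-bit integers; the user/kernel
 * boundary is assumed to be the 32-bit x86 3G/1G split. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_TASK_SIZE 0xC0000000ULL   /* assumption: end of user space */

struct model_iovec {
    uint64_t base;   /* user-supplied pointer value */
    uint64_t len;    /* user-supplied length */
};

/* Equivalent of access_ok(VERIFY_READ, base, len): the whole range
 * [base, base + len) must stay below TASK_SIZE and must not wrap around.
 * It says nothing about whether the range is actually mapped; in the real
 * kernel that is left to get_user_pages(). */
int user_range_ok(uint64_t base, uint64_t len)
{
    uint64_t end = base + len;
    if (end < base)                 /* arithmetic wrapped around */
        return 0;
    return end <= MODEL_TASK_SIZE;
}

/* Pre-fix behaviour: a zero-length or NULL entry ends the loop, but an
 * address inside kernel space is accepted. Returns how many leading
 * entries would have been handed on to the page-mapping step. */
int accept_iov_vulnerable(const struct model_iovec *iov, size_t n)
{
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (iov[i].len == 0)
            break;
        if (iov[i].base == 0)
            break;
        accepted++;
    }
    return accepted;
}

/* Fixed behaviour, in the shape of the RHEL5 patch quoted in this thread:
 * keep the NULL test (address 0 would pass the range test on its own) and
 * stop at the first entry that reaches into kernel space or wraps. */
int accept_iov_fixed(const struct model_iovec *iov, size_t n)
{
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (iov[i].len == 0)
            break;
        if (iov[i].base == 0)
            break;
        if (!user_range_ok(iov[i].base, iov[i].len))
            break;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed sample: one benign user range, then one that starts in
     * user space but runs across the boundary into the kernel half. */
    const struct model_iovec sample[] = {
        { 0x1000ULL, 0x1000ULL },
        { MODEL_TASK_SIZE - 0x10ULL, 0x100ULL },
    };
    size_t n = sizeof sample / sizeof sample[0];
    printf("vulnerable loop accepts %d of %zu entries\n",
           accept_iov_vulnerable(sample, n), n);
    printf("fixed loop accepts %d of %zu entries\n",
           accept_iov_fixed(sample, n), n);
    return 0;
}
```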

tonfa (bboissin) wrote :

Actually, the bug exploitable from 2.6.17-2.6.24 is CVE-2008-0600. CVE-2008-0009/10 only affect
.23 and .24 (so only hardy is affected).

see http://lkml.org/lkml/2008/2/10/177 for details

(btw this bug is pretty scary, it works almost anywhere you can have a shell...)


Proposed patch for RHEL5 from Al Viro

diff -urN linux-2.6.18.x86_64/fs/splice.c linux-2.6.18.x86_64-fix/fs/splice.c
--- linux-2.6.18.x86_64/fs/splice.c 2008-02-10 11:08:19.000000000 -0500
+++ linux-2.6.18.x86_64-fix/fs/splice.c 2008-02-10 11:31:06.000000000 -0500
@@ -1154,6 +1154,9 @@
                if (unlikely(!base))
                        break;

+ if (unlikely(!access_ok(VERIFY_READ, base, len)))
+ break;
+
                /*
                 * Get this base offset and number of pages, then map
                 * in the user pages.
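Review bot: the new access_ok(VERIFY_READ, base, len) test is an address-range check only: it rejects a range that reaches past the user/kernel boundary or wraps, but it does not establish that the pages are mapped (that stays with the "map in the user pages" step named in the comment below it), and a base of 0 still passes it, so the existing `if (unlikely(!base)) break;` above is not made redundant and should stay. Both rejections leave the loop with a plain `break`, and the hunk does not show where the error value for that path is set, so it is worth confirming that the caller sees -EFAULT rather than a silently truncated iovec; the "[-] vmsplice: Bad address" result reported later in this thread suggests it does. Style: the three added lines were pasted without the tab indentation of the surrounding context, so the patch should be regenerated (or the lines reindented) before it is applied to fs/splice.c.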

Iulian Udrea (iulian) wrote :

Confirmed in Hardy - 2.6.24

Changed in linux-source-2.6.24:
importance: Undecided → Critical
status: New → Confirmed
Václav Šmilauer (eudoxos) wrote :

I confirm that on hardy and gutsy. I also confirm that the hotfix referenced in debian bugreport http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 which sets the first byte of sys_vmsplice to RET in /dev/mem ( http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c ) works and prevents the exploit from functioning. I don't know if having that function returning can otherwise adversely affect the system, though.


Confirmed the patch blocks this issue for Red Hat Enterprise Linux 5; this
specific exploit prints "[-] vmsplice: Bad address" and fails.

Paul Sladen (sladen) wrote :

RHEL tracker is at: https://bugzilla.redhat.com/show_bug.cgi?id=432251 but LP won't allow adding a second entry (in addition to the one for Fedora).


For Red Hat Enterprise Linux 5:
CVSS v2 Base score: 7.2 (High) (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Ante Karamatić (ivoks) wrote :

Gutsy/amd64 is affected too.

sancheztavo (sancheztavo) wrote :

Confirmed in Gutsy. Kernel 2.6.22-14-generic

Andrew Martin (werdz) wrote :

Confirmed on feisty AMD64 (i386 isn't affected, AMD64 is).


We added a quick and dirty patch for the problem here:
http://home.powertech.no/oystein/ptpatch2008/

It is a kernel module that disables vmsplice, and logs any attempts to exploit
the bug.
As it is a loadable module it can easily be deployed on systems that cannot be
updated with a new kernel for various reasons.

Ante Karamatić (ivoks) wrote :

I also confirm that suggested hotfix fixes the problem until next reboot, of course.


Ola,

I tried that module on a test system and got:
  <name> kernel: general protection fault: 0000 [1] SMP


steve@genesis:~/bin$ gcc exploitsrv.c -o exploitsrv
steve@genesis:~/bin$ whoami
steve
steve@genesis:~/bin$ ./exploitsrv
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e44000 .. 0xb7e76000
[+] root
root@genesis:~/bin# uname -a
Linux genesis 2.6.22-14-server #1 SMP Fri Feb 1 05:28:54 UTC 2008 i686 GNU/Linux
root@genesis:~/bin#

Kees Cook (kees) wrote :

The Security Team is working on getting the fix built up. We should have updated kernels available shortly.

Changed in linux-source-2.6.17:
assignee: nobody → keescook
importance: Undecided → Critical
status: New → In Progress
Changed in linux-source-2.6.20:
assignee: nobody → keescook
importance: Undecided → High
status: New → In Progress
Changed in linux:
importance: Critical → High
milestone: none → hardy-alpha-5
status: Confirmed → In Progress
Changed in linux-source-2.6.17:
importance: Critical → High
Changed in linux-source-2.6.22:
assignee: nobody → keescook
importance: Critical → High
status: Confirmed → In Progress
Luis Alcaraz Leal (lalcaraz) wrote :

Luis Alcaraz (Mexico)
Confirmed on Ubuntu 7.10 2.6.22-14-generic
---
lalcaraz@lalcaraz-laptop:~$ vim exploit.c
lalcaraz@lalcaraz-laptop:~$ gcc exploit.c -o exploit
lalcaraz@lalcaraz-laptop:~$ whoami
lalcaraz
lalcaraz@lalcaraz-laptop:~$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e29000 .. 0xb7e5b000
[+] root
root@lalcaraz-laptop:~# whoami
root
root@lalcaraz-laptop:~# uname -a
Linux lalcaraz-laptop 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux
root@lalcaraz-laptop:~#


The Makefile required some modification for PAE kernels due to path issues;
once compiled, the module fails to load with:
insmod: error inserting 'ptpatch2008.ko': -1 Invalid module format

(double checked to confirm the system.map and modules paths are in fact valid to
the current running kernel version on the system)

Fadi Kaba (fadi-kaba) wrote :

Hi guys,

Just got a question in regard to the above theory. You have mentioned that kernels 2.6.17-2.6.24 are affected, where a normal user has the ability to log in as root with no password and no sudo command. My question is that I have two versions of the kernel on two separate machines, 2.6.15-26 and 2.6.16; are these kernels affected as well?

If they are, what patch should we follow to stop this from happening?

It would be a pleasure if some expert answered my query, as I am new to Linux and security topics.

Thanks in advance
Fadi


@Ryan, make sure you have kernel-PAE-devel installed, and then undo your
Makefile path changes. The modules compile and insmod properly for me. Thanks,
Ola!

Created attachment 294535
x86_64 panic on ptpatch module load

To clarify, the module from comment #10 panics on x86_64 for me.

(In reply to comment #13)
> @Ryan, make sure you have kernel-PAE-devel installed, and then undo your
> Makefile path changes. The modules compile and insmod properly for me. Thanks,
> Ola!

Perfect, that did the trick - had not realized there was a specific pae-devel
package.

Ante Karamatić (ivoks) wrote :

Fadi, no, 2.6.15 isn't affected. I can't test 2.6.16, but it also shouldn't be affected.

Thanks Ante,
How did you test kernel 2.6.15? I have a machine here with kernel 2.6.16 and
might test on it.

On Feb 11, 2008 5:47 PM, Ante Karamatić <email address hidden> wrote:

> Fadi, no, 2.6.15 isn't affected. I can't test 2.6.16, but it also
> shouldn't be affected.

--
Regards,
Fadi Kaba
<email address hidden>


Mathieu Marquer (slasher-fun) wrote :

Temporary fix :

* Download http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c
* Compile it using gcc (so "gcc disable-vmsplice-if-exploitable.c -o rm_exploit") as normal user
* Run it as normal user
--> You are now protected until the next reboot of the system

Mathieu Marquer (slasher-fun) wrote :

Just some corrections to my previous post :

Line 4 :
* Compile it using gcc (so "gcc disable-vmsplice-if-exploitable.c -o rm_exploit" without the quotes) as normal user
Line 5 :
* Run it as normal user ("./rm_exploit" without the quotes)

Kees Cook (kees) wrote :

For record, Dapper (2.6.15) is not affected.

Also, CVEs for these issues are:
CVE-2008-0009 (2.6.22+), CVE-2008-0010 (2.6.17+ -- see get_iovec_page_array prior to 2.6.22), CVE-2008-0600 (2.6.17+).

Changed in linux-source-2.6.15:
status: New → Invalid

Hi,

This doesn't work, because it still creates a DoS condition when it
alters your memory map.

On Mon, 2008-02-11 at 07:08 +0000, slasher-fun wrote:
> Temporary fix :
>
> * Download http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c
> * Compile it using gcc (so "gcc disable-vmsplice-if-exploitable.c -o rm_exploit") as normal user
> * Run it as normal user
> --> You are now protected until the next reboot of the system
>


*** Bug 432308 has been marked as a duplicate of this bug. ***

*** Bug 432288 has been marked as a duplicate of this bug. ***

On kernel-2.6.18-53.1.6.el5xen (x86_64) this exploit makes kernel panic.

Changed in linux:
status: Unknown → Fix Committed

Not to detract from the real work, but can someone describe the
access-restricted bugs marked as blocking this? (Bug #432252, Bug #432253). Thanks.

These are simply tracking bugs for specific affected products.


In reply to comment #20; there are some bugs in the exploit which means that it
doesn't work directly on x86_64 machines, although it can be modified to do so.

I can confirm the sample exploit will segfault on athlon on a bare system (would
likely be patchable), but will work as supplied on a XenU.

Segfault: Linux xxxx 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686
athlon i386 GNU/Linux

Exploitable: Linux xxxx 2.6.21-2952.fc8xen #1 SMP Mon Nov 19 07:06:55 EST 2007
i686 athlon i386 GNU/Linux

The exploit worked for me w/o a segfault on i386 Duron (kernel-2.6.18-53.1.6.el5)
and x86_64 Athlon X2 (5200+, same kernel but x86_64 install).

On i386 it did not work consistently, and, I'm guessing related, the machine had
to be rebooted as it kept dropping ssh connections after the exploit was run.

Both boxes are CentOS (opposed to RHEL) if it matters.

nabil2199 (nabil2199-gmail) wrote :

confirmed in gutsy 2.6.22-14-generic

Tim Gardner (timg-tpi) wrote :

Kees - from what I can tell CVE-2008-0009 and CVE-2008-0010 affect only 2.6.23 through 2.6.24.1. CVE-2008-0600 affects 2.6.17 through 2.6.24.1.

Greg k-h:
"It has been given CVE-2008-0600 to address this issue (09 and 10 only
affect .23 and .24 kernels, and have been fixed.)"

We'll get all 3 CVEs fixed in the 2.6.24.2 stable tree, upon which Hardy 2.6.24-7.13 will be based.

I am packaging fixes for Edgy/Feisty/Gutsy.
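The version ranges Tim quotes are what an administrator would have checked first. As an added example, not code from this report, here is a small parser that takes the upstream version out of a uname -r string and tests it against 2.6.17 through 2.6.24.1. It is only a first cut: the thread's own RHEL5 2.6.18-53.x builds were vulnerable while the -79 build carried the fix, and the fixed Fedora 8 kernel is still a 2.6.23, so the distribution package changelog, not the upstream number, has the last word.

```c
/* Added example: classify a kernel release string against the upstream
 * range reported in this thread for CVE-2008-0600 (2.6.17 up to and
 * including 2.6.24.1). Only the leading dotted-numeric part is used. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VER_PARTS 4

struct kver { int part[VER_PARTS]; };   /* "2.6.24.1" -> {2, 6, 24, 1} */

/* Parse the leading "a.b.c.d" of a release string; missing parts are 0.
 * Returns the number of numeric parts found (0 on a malformed string). */
int parse_kver(const char *s, struct kver *out)
{
    int n = 0;
    memset(out, 0, sizeof *out);
    while (n < VER_PARTS && isdigit((unsigned char)*s)) {
        int v = 0;
        while (isdigit((unsigned char)*s))
            v = v * 10 + (*s++ - '0');
        out->part[n++] = v;
        if (*s != '.')
            break;              /* "-14-generic", ".el5" etc. end the version */
        s++;                    /* skip the dot, continue with the next part */
    }
    return n;
}

/* Lexicographic comparison of two parsed versions: <0, 0, >0 like strcmp. */
int cmp_kver(const struct kver *a, const struct kver *b)
{
    for (int i = 0; i < VER_PARTS; i++)
        if (a->part[i] != b->part[i])
            return a->part[i] < b->part[i] ? -1 : 1;
    return 0;
}

/* 1 if the upstream version lies in [2.6.17, 2.6.24.1], 0 if outside it,
 * -1 if the string did not carry at least major.minor.patch. */
int vmsplice_affected_range(const char *release)
{
    static const struct kver lo = { {2, 6, 17, 0} };
    static const struct kver hi = { {2, 6, 24, 1} };
    struct kver v;
    if (parse_kver(release, &v) < 3)
        return -1;
    return cmp_kver(&v, &lo) >= 0 && cmp_kver(&v, &hi) <= 0;
}

int main(void)
{
    /* Constructed samples, modelled on release strings seen in this thread. */
    const char *samples[] = {
        "2.6.22-14-generic", "2.6.24.2", "2.6.15-26-386",
        "2.6.18-53.1.6.el5", "2.6.23.15-137.fc8", "not-a-kernel",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %d\n", samples[i], vmsplice_affected_range(samples[i]));
    return 0;
}
```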


I verified it working on RHEL5 and RHEL 5.1 32bit boxes using both the older and
newer -53 kernels in both single and SMP installs.

The exploit does seem to make the systems unstable and they have crashed after
running a little longer after someone uses this exploit.

Boglizk (boglizk) wrote :

Seems to fail on this part:

        if (!uid || !gid)
                die("!@#$", 0);

-------

boglizk@thebox:~$ gcc linux_vmsplice.c
boglizk@thebox:~$ ./a.out
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[-] !@#$
boglizk@thebox:~$ uname -a
Linux thebox 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux


I've compiled an interim RPM for my internal use, as I considered this safer
than the kernel module which has caused panics. It's the same as 2.6.18-53
Centos, but with the upstream kernel patch applied. Obviously your mileage may vary.

http://erek.blumenthals.com/blog/2008/02/11/rhel-5-centos-5-kernel-rpms-patched-against-vmsplice-local-root-exploit/

That's against 2.6.53.1.6, not 2.6.53 as I said previously.

Hey boys, Debian has already fixed this, where is Red Hat? Thank you very much.

> Hey boys, Debian has already fixed this, where is Red Hat? Thank you very much.

Doing quality control on the produced updates, presumably.

RHAT had it fixed on 2/8 see the .79 kernel in:

http://people.redhat.com/dzickus/el5/79.el5

I tested it on i686 and was unable to use milw0rm exploit 5092 or 5093. It also
fixes another NFS issue from bug 431092.

®om (rom1v) wrote :

Why is the priority "high" but not "critical"?
Is there a higher criticality than a root exploit in 3 seconds?


(In reply to comment #31)
> RHAT had it fixed on 2/8 see the .79 kernel in:
>
> http://people.redhat.com/dzickus/el5/79.el5
>
> I tested it on i686 and was unable to use milw0rm exploit 5092 or 5093. It also
> fixes another NFS issue from bug 431092.

However, keep in mind that it is a TEST kernel. The .78 kernel I tested and
confirmed about the nfs fix is UNstable and some people are experiencing system
instability / crashes.

The Red Hat Security Response Team is working with engineering and QA on the
updated packages for Red Hat Enterprise Linux 5. We'll release them immediately
to the Red Hat Network once they pass our testing and QA processes.

(Updated Fedora kernels are currently being pushed live and will be available soon)

Jan M. (fijam7) wrote :

Yes, a remote root exploit.

Tom Lippincott (tom-cs) wrote :

Hi,
I was wondering how others are dealing with this, beyond the runtime patch on bootup. It seems like a tossup between grabbing/patching kernel source and waiting for the security update; does anyone know a rough ETA on a safe gutsy kernel package? Thanks for the help, this is new territory for me.

yaztromo (tromo) wrote :

Tom, the present hotfix is dangerous. See http://lists.debian.org/debian-kernel/2008/02/msg00387.html

Indeed, I ran the hotfix on my desktop last night (gutsy with latest
updates) and as soon as it finished, running programs began to crash.
I wasn't able to see any error messages to dmesg, but the system was
unstable enough that I had to reboot it. I would *not* recommend
running the hotfix.

Michael Trunner (trunneml) wrote :

@Boglizk: Don't run it as root.


FYI, this ptpatch2008 kernel module compiles fine, but causes a GPF/crash on an
AMD64 box when insmod is attempted.


The SystemTap script does not seem to catch/deny every run of the exploit in my
testing. They all seem to get logged, but many of them still get a root prompt.

The system is also still unstable, and either the exploit running multiple times
or the system tap eventually cause a kernel crash.


kernel-2.6.23.15-137.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Tim Gardner (timg-tpi) wrote :

The fix for this vulnerability is in the 2.6.24.2 tree against which Hardy was recently updated and is in the process of being packaged for upload.

Changed in linux-source-2.6.17:
status: In Progress → Fix Committed
Changed in linux-source-2.6.20:
status: In Progress → Fix Committed
Changed in linux-source-2.6.22:
status: In Progress → Fix Committed
Changed in linux:
status: In Progress → Fix Committed

(In reply to comment #16)
> (In reply to comment #13)
> > @Ryan, make sure you have kernel-PAE-devel installed, and then undo your
> > Makefile path changes. The modules compile and insmod properly for me. Thanks,
> > Ola!
> Perfect, that did the trick - had not realized there was a specific pae-devel
> package.

I was able to successfully compile the module on a FC5 system, but when trying
to add via insmod, I get:

insmod: error inserting 'ptpatch2008.ko': -1 Operation not permitted

cybaix (cybaix) wrote :

What about Gutsy, any update when the fix will be released?


(In reply to comment #36)
> The system tap does not seem to catch/deny every run of the exploit in my
> testing. They all seem to get logged, but many of them still get a root prompt.

The systemtap script proposed in comment #35 is a poor choice, so it is
now hidden in order to avoid misleading the public. It interfered
with multiple functions in fs/splice.c, and did not actually block
the vmsplice attempt but rather just attempted to log and punish it.

If you have the prerequisites for this tool though, try the simpler
script listed in bug #432229 comment #17.


Will kernel-xen packages also be created?

Yuri (ycsapo) wrote :

Contrary to what I've been reading, I can confirm this on feisty, at least with AMD processor:

ycsapo@pie:~$ grep "model name" /proc/cpuinfo
model name : Dual-Core AMD Opteron(tm) Processor 2218
model name : Dual-Core AMD Opteron(tm) Processor 2218
model name : Dual-Core AMD Opteron(tm) Processor 2218
model name : Dual-Core AMD Opteron(tm) Processor 2218
ycsapo@pie:~$ uname -a
Linux pie 2.6.20-16-generic #2 SMP Thu Jan 31 22:39:18 UTC 2008 x86_64 GNU/Linux
ycsapo@pie:~$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2ac0a9f0d000 .. 0x2ac0a9f3f000
[+] root
root@pie:~# whoami
root
root@pie:~#

I also confirm the suggested hotfix (disable-vmsplice-if-exploitable.c) works:

ycsapo@pie:~$ cc disable-vmsplice-if-exploitable.c
ycsapo@pie:~$ ./a.out
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2acad5163000 .. 0x2acad5195000
[+] root
Exploit gone!
ycsapo@pie:~$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2b010025b000 .. 0x2b010028d000
[-] vmsplice
ycsapo@pie:~$ whoami
ycsapo

On Tue, Feb 12, 2008 at 03:18:36AM -0000, Yuri wrote:
> Contrary to what I've been reading, I can confirm this on feisty, at
> least with AMD processor:

Of course feisty is exploitable; it works for 2.6.17-2.6.24.1 (and see
the summary of the bug, 2.6.20 is mentioned).

--
:wq

Changed in linux:
status: Fix Committed → Fix Released

Just a quick status update; we have updated kernel packages released for Fedora
(see linked bugs) and are finishing up the QA process for Red Hat Enterprise
Linux 5. We expect this to be completed shortly (pending successful completion
of testing). This will be RHSA-2008:0129.

Changed in linux-source-2.6.22:
status: Fix Committed → Fix Released

This vulnerability, CVE-2008-0600, did not affect Red Hat Enterprise Linux 2.1,
3, or 4. Updated packages to correct this vulnerability are now available for
Red Hat Enterprise Linux along with our advisory at the URL:

https://rhn.redhat.com/errata/RHSA-2008-0129.html

Since all Red Hat and Fedora products are not updated, closing the bug.


(In reply to comment #26)
> Will kernel-xen packages also be created?
>

bug #432517 was created to track kernel-xen packages.

Changed in linux-source-2.6.17:
assignee: keescook → jamie-strandboge
status: Fix Committed → Fix Released
Changed in linux-source-2.6.20:
assignee: keescook → jamie-strandboge
status: Fix Committed → Fix Released
Changed in linux-source-2.6.22:
assignee: keescook → jamie-strandboge
Changed in linux:
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) on 2008-02-28
Changed in linux-source-2.6.24:
status: New → Fix Released

*** Bug 432319 has been marked as a duplicate of this bug. ***

Changed in gplcver:
status: New → Invalid
Changed in linux:
status: Unknown → Fix Released

*** Bug 441414 has been marked as a duplicate of this bug. ***

Changed in linux:
importance: Unknown → High
Changed in mandriva:
importance: Unknown → Critical
Changed in linux (Fedora):
importance: Unknown → Critical
Changed in centos:
importance: Unknown → Critical