[Users] New kernel vuln...
Michael Stauber
mstauber at blueonyx.it
Tue Aug 18 09:02:52 EDT 2009
Hi Konstantin,
> Michael, could you please confirm that you were able to gain root on a
> kernel before 64.4?
Confirmed. I didn't test 028stab064.4 (which was released just a few days
prior to the announcement of the exploit), but tested older kernels. With the
following kernels I could get root access on the master node with the exploit,
but not inside a VE:
CentOS5:
2.6.18-128.1.1.el5.028stab062.3
2.6.18-92.1.18.el5.028stab060.2
2.6.18-53.1.19.el5.028stab053.14
CentOS4:
2.6.9-023stab043.2 (Very outdated, I know. Last CentOS4 box I have.)
I know, it's an odd mix, but that's what I had running. Production boxes on my
end usually have new kernels, internal devel boxes are often less frequently
patched.
> The kernel is immune due to the fact that 64.4 kernel has the bypassing
> "mmap_min_addr" issue fixed:
> http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html - description
> of the problem
>
> Exploits for the current issue, in their turn, need this hole to gain root
> access.
That's nice to know. Good job. But you're doing this somewhere else than in
net/socket.c I guess? Because net/socket.c took Linus Torvalds' patch just fine
w/o any rejects when I rebuilt 028stab064.4 from your SRPM and patched the
hole with this:
----------------------------------------------------------------------
--- ./net/socket.c 2006-09-19 23:42:06.000000000 -0400
+++ ./net/socket.c 2009-08-14 19:24:21.000000000 -0400
@@ -698,7 +698,7 @@
if (more)
flags |= MSG_MORE;
- return sock->ops->sendpage(sock, page, offset, size, flags);
+ return kernel_sendpage(sock, page, offset, size, flags);
}
static struct sock_iocb *alloc_sock_iocb(struct kiocb *iocb,
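Review bot: this hunk only moves the call site from the raw `sock->ops->sendpage(...)` to `kernel_sendpage(...)`; the actual protection lives in `kernel_sendpage()`, which in Linus' upstream fix checks `sock->ops->sendpage` for NULL and falls back to `sock_no_sendpage()`. The `---` timestamp shows the file being patched dates from 2006 (a 2.6.18-era tree), so confirm that `kernel_sendpage()` in this tree exists and carries that NULL check; if the wrapper simply forwards to `sock->ops->sendpage` without testing it, the rebuilt kernel gains nothing from this hunk even though it applies and compiles cleanly. A one-line comment above the `+` line naming the reason for the change (sendpage may be unset for some protocol families) would also help the next person who rebases the stab kernel.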
----------------------------------------------------------------------
--
With best regards
Michael Stauber
--> http://www.aventurin.net
----> http://www.blueonyx.it
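The fix being discussed boils down to one pattern: an operations table where some protocol families leave a function-pointer slot empty, a call site that dereferences the slot without checking it, and a wrapper that tests the pointer and falls back to a generic refusal instead. The following user-space C program models that pattern as an added example; it is not code from this post, from the OpenVZ kernel, or from Linus' patch, and every name in it (`proto_ops`, `fake_socket`, `stream_sendpage`, `fallback_no_sendpage`, `direct_sendpage`, `guarded_sendpage`) is constructed for illustration. `guarded_sendpage()` plays the role the hunk assigns to `kernel_sendpage()`, and `fallback_no_sendpage()` the role of `sock_no_sendpage()`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical user-space model of a kernel-style ops table; all names
 * below are constructed for this example and are not kernel code. */
struct page;          /* opaque, never dereferenced here */
struct fake_socket;

struct proto_ops {
    const char *name;
    /* Optional operation: protocols that do not support it leave this NULL. */
    ssize_t (*sendpage)(struct fake_socket *sock, struct page *page,
                        int offset, size_t size, int flags);
};

struct fake_socket {
    const struct proto_ops *ops;
};

/* A protocol that implements sendpage: pretend it transmitted `size` bytes. */
static ssize_t stream_sendpage(struct fake_socket *sock, struct page *page,
                               int offset, size_t size, int flags)
{
    (void)sock; (void)page; (void)offset; (void)flags;
    return (ssize_t)size;
}

/* Generic fallback in the role of sock_no_sendpage(): refuse cleanly. */
static ssize_t fallback_no_sendpage(struct fake_socket *sock, struct page *page,
                                    int offset, size_t size, int flags)
{
    (void)sock; (void)page; (void)offset; (void)size; (void)flags;
    return -EINVAL;
}

static const struct proto_ops ops_with_sendpage    = { "stream", stream_sendpage };
static const struct proto_ops ops_without_sendpage = { "nosendpage", NULL };

/* Call site as on the '-' line of the hunk: trusts that every ops table
 * fills in sendpage. With ops_without_sendpage this would jump through NULL,
 * so it is only ever invoked below with a table that fills the slot. */
static ssize_t direct_sendpage(struct fake_socket *sock, struct page *page,
                               int offset, size_t size, int flags)
{
    return sock->ops->sendpage(sock, page, offset, size, flags);
}

/* Wrapper in the role of kernel_sendpage(): test the pointer, fall back to
 * the generic refusal when the protocol does not implement the operation. */
static ssize_t guarded_sendpage(struct fake_socket *sock, struct page *page,
                                int offset, size_t size, int flags)
{
    if (sock->ops->sendpage)
        return sock->ops->sendpage(sock, page, offset, size, flags);
    return fallback_no_sendpage(sock, page, offset, size, flags);
}

/* Convenience entry points so the two tables can be exercised by name. */
ssize_t send_via_guarded(const struct proto_ops *ops, size_t size)
{
    struct fake_socket sock = { ops };
    return guarded_sendpage(&sock, NULL, 0, size, 0);
}

int ops_implements_sendpage(const struct proto_ops *ops)
{
    return ops->sendpage != NULL;
}

int main(void)
{
    struct fake_socket ok = { &ops_with_sendpage };

    printf("%s: guarded -> %zd\n", ops_with_sendpage.name,
           send_via_guarded(&ops_with_sendpage, 16));
    printf("%s: guarded -> %zd (direct call would have dereferenced NULL)\n",
           ops_without_sendpage.name, send_via_guarded(&ops_without_sendpage, 16));
    printf("%s: direct -> %zd\n", ops_with_sendpage.name,
           direct_sendpage(&ok, NULL, 0, 16, 0));
    return 0;
}
```

The point for a reviewer of the backport is visible here: swapping the call site to the guarded wrapper is only a fix if the wrapper really performs the NULL test; the same program with `guarded_sendpage()` reduced to a plain forward would crash on the second table exactly as the direct call does.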