Hole in Linux kernel provides root rights

Michael Lauzon mlauzon-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sun Sep 19 07:10:15 UTC 2010


Just found this, does anyone else know about this:

"A vulnerability in the 32-bit compatibility mode of the current Linux
kernel -- and previous versions -- for 64-bit systems can be exploited
to escalate privileges. For instance, attackers can break into a
system and exploit a hole in the web server to get complete root --
also known as superuser -- rights or permissions for a victim's
system.

"According to a report (http://sota.gen.nz/compat2/), the problem
occurs because the 32-bit call emulation layer does not check whether
the call is truly in the Syscall table. Ben Hawkes, who discovered the
problem, says the vulnerability can be exploited to execute arbitrary
code with kernel rights. An exploit
(http://sota.gen.nz/compat2/robert_you_suck.c) -- direct download of
source code -- is already in circulation; in a test conducted by The
H's associates at heise Security on 64-bit Ubuntu 10.04, it opened a
shell with root rights.

"The kernel developers have remedied
(http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git&a=commitdiff&h=c41d68a513c71e35a14f66d71782d27a79a81ea6)
the flaw in the repository, and Linux distributors will probably
(https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081) soon
publish new kernels to close the hole. Until then, switching off
32-bit ELF support solves the problem if you can do without this
function. For instructions, see: "Workaround for Ac1db1tch3z exploit"
(http://seclists.org/fulldisclosure/2010/Sep/273).

"Hawkes says the vulnerability was discovered
(http://www.h-online.com/news/item/Vulnerability-in-Linux-kernel-allows-for-privilege-escalation-733720.html)
and remedied back in 2007, but at some point in 2008 kernel developers
apparently removed the patch, reintroducing the vulnerability. The
older exploit apparently only needed slight modifications to work with
the new hole."


http://www.h-online.com/open/news/item/Hole-in-Linux-kernel-provides-root-rights-1081317.html

-- 
Sincerely,

Michael Lauzon
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
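
The quoted workaround only applies "if you can do without" 32-bit ELF support, so the first step is to find out what on the system is a 32-bit ELF binary. The following Python script is an added example, not part of the original post or of the linked advisories; the names `classify` and `find_elf32` and the default scan root `/usr/bin` are assumptions chosen for illustration.

```python
import os
import struct
import sys

EM_386 = 3  # e_machine value for Intel 80386 in the ELF specification

# Constructed sample: first 20 bytes of a little-endian i386 ELF32 executable.
SAMPLE_ELF32 = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack("<HH", 2, EM_386)

def classify(header):
    """Return (word size in bits, e_machine) for an ELF header prefix, else None."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(header[4])       # EI_CLASS
    order = {1: "<", 2: ">"}.get(header[5])    # EI_DATA: byte order of the header
    if bits is None or order is None:
        return None
    (machine,) = struct.unpack_from(order + "H", header, 18)
    return bits, machine

def find_elf32(root):
    """Return sorted (path, is_i386) for every regular 32-bit ELF file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, FIFOs, sockets and device nodes
            try:
                with open(path, "rb") as fh:
                    info = classify(fh.read(20))
            except OSError:
                continue  # unreadable file: cannot be inventoried
            if info and info[0] == 32:
                hits.append((path, info[1] == EM_386))
    return sorted(hits)

if __name__ == "__main__":
    assert classify(SAMPLE_ELF32) == (32, EM_386)
    for root in sys.argv[1:] or ["/usr/bin"]:
        for path, is_i386 in find_elf32(root):
            print(path, "i386" if is_i386 else "other 32-bit ELF")
```

An empty result for the directories that hold executables and libraries suggests 32-bit ELF support can be switched off without breaking installed software; files reported as "other 32-bit ELF" are typically firmware or cross-compiled objects that the host never executes.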




