[opensuse-security] Possible local root exploit in the kernel
Hi,

I post this on request of another lister from the Spanish mail list; I don't have personal knowledge of this problem. I would like to see comments on this.

The vulnerability allows a user to become root with any kernel newer than 2.6.17 with vmsplice compiled in. Opensuse 10.3 is affected. A remote attacker gaining access as an unprivileged user (flash hack?) could get root privileges.

Solutions:

- recompile kernel without vmsplice
- use dynamic patcher from <http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c>; it uses the exploit to patch the kernel in memory, disabling vmsplice. Compile with cc -o disable-vmsplice-if-exploitable disable-vmsplice-if-exploitable.c and run as user. It could be added to "/etc/rc.d/rc.local" till an update is made available.

----

That's all the information I have.

--
Cheers

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Sun, Feb 10, 2008 at 11:41:44PM +0100, Carlos E. R. wrote:
> Hi,
>
> I post this on request of another lister from the Spanish mail list; I don't have personal knowledge of this problem. I would like to see comments on this.
>
> The vulnerability allows a user to become root with any kernel newer than 2.6.17 with vmsplice compiled in. Opensuse 10.3 is affected. A remote attacker gaining access as an unprivileged user (flash hack?) could get root privileges.
>
> Solutions:
This problem affects both openSUSE 10.2 and 10.3; older products did not have vmsplice and so are not affected. Theoretically the KOTD should have the fix already, but it is not syncing due to other problems. An update will be released, probably Monday or Tuesday.

Ciao, Marcus
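An added exposure check (my own script, not code from the thread or from openSUSE) for the two statements above: Carlos's "any kernel newer than 2.6.17 with vmsplice compiled in" and Marcus's note that products without vmsplice are unaffected. It assumes uname -r strings of the form reported later in this thread (2.6.22.16-0.2) and that /proc/kallsyms lists a sys_vmsplice symbol when the syscall is built in; it treats 2.6.17 itself as in range because that is the release in which vmsplice first appeared.

```shell
#!/bin/sh
# Added exposure check for this thread; not code from the list or openSUSE.
# Reports whether the running kernel is in the vmsplice era (2.6.17 or newer,
# assumption: that is the release vmsplice appeared in) and whether the
# syscall symbol is present. A hit means "check that the vendor update is
# installed": a backported fix cannot be told apart by version number alone.

# vmsplice_era_kernel VERSION -> exit 0 when VERSION is 2.6.17 or newer.
# Accepts distro strings like the thread's "2.6.22.16-0.2" (suffix dropped).
vmsplice_era_kernel() {
    base=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    maj=$(printf '%s' "$base" | cut -d. -f1);    maj=${maj:-0}
    min=$(printf '%s' "$base" | cut -s -d. -f2); min=${min:-0}
    pat=$(printf '%s' "$base" | cut -s -d. -f3); pat=${pat:-0}
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -lt 2 ] && return 1
    [ "$min" -gt 6 ] && return 0
    [ "$min" -lt 6 ] && return 1
    [ "$pat" -ge 17 ]
}

# vmsplice_symbol_present FILE -> exit 0 when a sys_vmsplice symbol is listed.
# Assumes FILE has /proc/kallsyms layout ("addr T name"); unprivileged readers
# may see zeroed addresses, but the names are what we match on.
vmsplice_symbol_present() {
    [ -r "$1" ] && grep -q 'sys_vmsplice$' "$1"
}

# check_running_kernel -> prints the verdict for this host.
check_running_kernel() {
    running=$(uname -r 2>/dev/null || echo 0)
    if vmsplice_era_kernel "$running"; then
        echo "kernel $running: vmsplice era (2.6.17 or newer)"
    else
        echo "kernel $running: predates vmsplice, not affected by this bug"
        return 0
    fi
    if vmsplice_symbol_present /proc/kallsyms; then
        echo "sys_vmsplice is built in: make sure the vendor kernel update is applied"
    else
        echo "no sys_vmsplice symbol found (or /proc/kallsyms not readable)"
    fi
}

check_running_kernel
```

Run it as an ordinary user; the two helper functions return exit codes, so they can also be called from an rc or cron script.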
On Sun, Feb 10, 2008 at 11:41:44PM +0100, Carlos E. R. wrote:
> Hi,
>
> I post this on request of another lister from the Spanish mail list; I don't have personal knowledge of this problem. I would like to see comments on this.
>
> The vulnerability allows a user to become root with any kernel newer than 2.6.17 with vmsplice compiled in. Opensuse 10.3 is affected. A remote attacker gaining access as an unprivileged user (flash hack?) could get root privileges.
I tried this under opensuse 10.3 kernel=kernel-default-2.6.22.16-0.2 x86. Both the exploit and the kludge fix worked.

How long till we have a patch for this? Are you going to call people in to fix it on Sunday or wait and have a meeting about it?

This bug is on slashdot. There must be thousands of hackers putting this one into metasploit right now! I bet they are putting it on hacked web pages! Speed is of the essence.

--
Paul Elliott 1(512)837-1096
pelliott@io.com PMB 181, 11900 Metric Blvd Suite J
http://www.io.com/~pelliott/pme/ Austin TX 78758-3117
Paul Elliott wrote:
> Are you going to call people in to fix it on Sunday or wait and have a meeting about it?
Even if it sometimes does not look like it, programmers have a life and need rest on weekends ;), packages also need QA and go via the regular maintenance process, so it may take a while...

--
“There is always some madness in love. But there is also always some reason in madness.” - Friedrich Nietzsche
Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH Research & Development
http://www.opensuse.org/
Cristian Rodríguez wrote:
> Paul Elliott wrote:
>> Are you going to call people in to fix it on Sunday or wait and have a meeting about it?
>
> Even if it sometimes does not look like it, programmers have a life and need rest on weekends ;), packages also need QA and go via the regular maintenance process, so it may take a while...

It's a local exploit; the attacker has to already be logged into your box to exploit it.
If you have hostile users logged into your box, and this patch is urgent, then you have worse problems than this patch :-)

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
Botnets are the only commercially viable utility computing market
On 11/02/2008, Crispin Cowan <crispin@crispincowan.com> wrote:
> If you have hostile users logged into your box, and this patch is urgent, then you have worse problems than this patch :-)
Yes, it is fortunate that nobody uses linux for public terminals or shared hosting servers.

--
Benjamin Weber
The Sunday 2008-02-10 at 22:02 -0800, Crispin Cowan wrote:
> It's a local exploit; the attacker has to already be logged into your box to exploit it.
>
> If you have hostile users logged into your box, and this patch is urgent, then you have worse problems than this patch :-)
It has been suggested that an attacker might gain access through a flash animation on a webpage, as normal user, and then escalate to root. Don't ask me how, I have no idea - I only repeat what I heard, as a parrot :-)

--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
> The Sunday 2008-02-10 at 22:02 -0800, Crispin Cowan wrote:
>> It's a local exploit; the attacker has to already be logged into your box to exploit it.
>>
>> If you have hostile users logged into your box, and this patch is urgent, then you have worse problems than this patch :-)
>
> It has been suggested that an attacker might gain access through a flash animation on a webpage, as normal user, and then escalate to root.
By default, OpenSuSE doesn't install Flash. At least, 10.3 didn't here, but that may have to do with the fact that I run x86_64...

Does it concern SLES, too, BTW? I've no VM of it ATM, so I can't try. RHEL5.1 just OOPSed, though.

cheers,
Rainer
> By default, OpenSuSE doesn't install Flash. At least, 10.3 didn't here, but that may have to do with the fact that I run x86_64...
>
> Does it concern SLES, too, BTW?
No, SLES runs an older version of the kernel, so it's not affected. Thumbs up for SLES :)

--
Best regards / Med vennlig hilsen
Kim Johansen - WebDeal AS
Linux Systems Administrator
E-mail: kim@webdeal.no
Web: http://www.webdealhosting.com
Rainer Duffner wrote:
> Carlos E. R. wrote:
>> The Sunday 2008-02-10 at 22:02 -0800, Crispin Cowan wrote:
>>> It's a local exploit; the attacker has to already be logged into your box to exploit it.
>>>
>>> If you have hostile users logged into your box, and this patch is urgent, then you have worse problems than this patch :-)
>>
>> It has been suggested that an attacker might gain access through a flash animation on a webpage, as normal user, and then escalate to root.
>
> By default, OpenSuSE doesn't install Flash. At least, 10.3 didn't here, but that may have to do with the fact that I run x86_64...
>
> Does it concern SLES, too, BTW? I've no VM of it ATM, so I can't try. RHEL5.1 just OOPSed, though.
True, but Firefox does install it (and others) when you go to a site which requires Flash (or others) before you can view anything of 'interest'.

As a follow-on, Firefox introduced/has an addon, an extension, called NoScript which anyone concerned with avoiding 'fire and brimstone' would immediately install.

Ciao.

--
If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
On Mon, Feb 11, 2008 at 10:52:40PM +1100, Basil Chupin wrote:
> Rainer Duffner wrote:
>> Carlos E. R. wrote:
>>> The Sunday 2008-02-10 at 22:02 -0800, Crispin Cowan wrote:
>>>> It's a local exploit; the attacker has to already be logged into your box to exploit it.
>>>>
>>>> If you have hostile users logged into your box, and this patch is urgent, then you have worse problems than this patch :-)
>>>
>>> It has been suggested that an attacker might gain access through a flash animation on a webpage, as normal user, and then escalate to root.
>>
>> By default, OpenSuSE doesn't install Flash. At least, 10.3 didn't here, but that may have to do with the fact that I run x86_64...
>>
>> Does it concern SLES, too, BTW? I've no VM of it ATM, so I can't try. RHEL5.1 just OOPSed, though.
>
> True, but Firefox does install it (and others) when you go to a site which requires Flash (or others) before you can view anything of 'interest'.
>
> As a follow-on, Firefox introduced/has an addon, an extension, called NoScript which anyone concerned with avoiding 'fire and brimstone' would immediately install.
I am currently not aware of code-execution problems in Flash, so these are just vague thoughts.

Ciao, Marcus
Marcus Meissner wrote:
> On Mon, Feb 11, 2008 at 10:52:40PM +1100, Basil Chupin wrote:
>> Rainer Duffner wrote:
>>> Carlos E. R. wrote:
>>>> The Sunday 2008-02-10 at 22:02 -0800, Crispin Cowan wrote:
>>>>> It's a local exploit; the attacker has to already be logged into your box to exploit it.
>>>>>
>>>>> If you have hostile users logged into your box, and this patch is urgent, then you have worse problems than this patch :-)
>>>>
>>>> It has been suggested that an attacker might gain access through a flash animation on a webpage, as normal user, and then escalate to root.
>>>
>>> By default, OpenSuSE doesn't install Flash. At least, 10.3 didn't here, but that may have to do with the fact that I run x86_64...
>>>
>>> Does it concern SLES, too, BTW? I've no VM of it ATM, so I can't try. RHEL5.1 just OOPSed, though.
>>
>> True, but Firefox does install it (and others) when you go to a site which requires Flash (or others) before you can view anything of 'interest'.
>>
>> As a follow-on, Firefox introduced/has an addon, an extension, called NoScript which anyone concerned with avoiding 'fire and brimstone' would immediately install.
>
> I am currently not aware of code-execution problems in Flash, so these are just vague thoughts.
> Ciao, Marcus

"Currently" is probably correct, but it may pay to read what the author of NoScript states:
http://noscript.net/faq#qa1_10

Ciao.

--
If you want to know what a man is like, take a look at how he treats his inferiors not his equals.
Carlos E. R. wrote:
> It has been suggested that an attacker might gain access through a flash animation on a webpage,
Much easier, actually: you can inject an exploit via a buggy PHPbb forum or similar and then it gets executed as the "apache" user.

--
“There is always some madness in love. But there is also always some reason in madness.” - Friedrich Nietzsche
Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH Research & Development
http://www.opensuse.org/
On Sun, Feb 10, 2008 at 05:07:11PM -0600, Paul Elliott wrote:
> On Sun, Feb 10, 2008 at 11:41:44PM +0100, Carlos E. R. wrote:
>> Hi,
>>
>> I post this on request of another lister from the Spanish mail list; I don't have personal knowledge of this problem. I would like to see comments on this.
>>
>> The vulnerability allows a user to become root with any kernel newer than 2.6.17 with vmsplice compiled in. Opensuse 10.3 is affected. A remote attacker gaining access as an unprivileged user (flash hack?) could get root privileges.
>
> I tried this under opensuse 10.3 kernel=kernel-default-2.6.22.16-0.2 x86.
> Both the exploit and the kludge fix worked.
>
> How long till we have a patch for this?
> Are you going to call people in to fix it on Sunday or wait and have a meeting about it?
No, we are not calling in people on Sunday. I am trying to get it out today, as I said.

Ciao, Marcus
participants (9)
- Basil Chupin
- Benji Weber
- Carlos E. R.
- Crispin Cowan
- Cristian Rodríguez
- Kim Johansen
- Marcus Meissner
- Paul Elliott
- Rainer Duffner