[opensuse-security] Recent RDS Exploit
Hello,

After reading about the RDS vulnerability identified by VSR Security <http://www.zdnet.com/blog/security/linux-kernel-vulnerability-coughs-up-superuser-rights/7509?tag=nl.e539>, I tested this out for myself by compiling the proof of concept. Here is the output of the test:

jfwright@linux-x0ou:~/Downloads> id
uid=1000(jfwright) gid=100(users) groups=16(dialout),20(cdrom),33(video),100(users),1000(vboxusers)
jfwright@linux-x0ou:~/Downloads> ./linux-rds-exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xffffffffa0f5ee80
[+] Resolved rds_ioctl to 0xffffffffa0f57000
[+] Resolved commit_creds to 0xffffffff810785f0
[+] Resolved prepare_kernel_cred to 0xffffffff81078790
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
linux-x0ou:~/Downloads> id
uid=0(root) gid=0(root)

As you can see it works. I then updated the kernel to:

Repository: @System
Name: kernel-desktop
Version: 2.6.34.7-0.4.1
Arch: x86_64
Vendor: openSUSE
Installed: Yes
Status: up-to-date

I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?

Thanks,
James

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
Hello James!

Did you try
echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds
?

On 21 of October 2010 22:42:49 James Wright wrote:
> Hello,
>
> After reading about the RDS vulnerability identified by VSR Security <http://www.zdnet.com/blog/security/linux-kernel-vulnerability-coughs-up-superuser-rights/7509?tag=nl.e539>, I tested this out for myself by compiling the proof of concept. Here is the output of the test:
>
> jfwright@linux-x0ou:~/Downloads> id
> uid=1000(jfwright) gid=100(users) groups=16(dialout),20(cdrom),33(video),100(users),1000(vboxusers)
> jfwright@linux-x0ou:~/Downloads> ./linux-rds-exploit
> [*] Linux kernel >= 2.6.30 RDS socket exploit
> [*] by Dan Rosenberg
> [*] Resolving kernel addresses...
> [+] Resolved rds_proto_ops to 0xffffffffa0f5ee80
> [+] Resolved rds_ioctl to 0xffffffffa0f57000
> [+] Resolved commit_creds to 0xffffffff810785f0
> [+] Resolved prepare_kernel_cred to 0xffffffff81078790
> [*] Overwriting function pointer...
> [*] Triggering payload...
> [*] Restoring function pointer...
> [*] Got root!
> linux-x0ou:~/Downloads> id
> uid=0(root) gid=0(root)
>
> As you can see it works. I then updated the kernel to:
>
> Repository: @System
> Name: kernel-desktop
> Version: 2.6.34.7-0.4.1
> Arch: x86_64
> Vendor: openSUSE
> Installed: Yes
> Status: up-to-date
>
> I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
>
> Thanks,
> James

--
Faithfully yours,
Vladislav.
Thank you Vladislav,

I have tried just now per your suggestion and it seems that it works!

jfwright@linux-x0ou:~/Downloads> ./linux-rds-exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Could not open socket.

Thank you very much!

Thanks,
James

On Thu, Oct 21, 2010 at 4:23 PM, Vladislav Kislyi <vladislav.kisliy@gmail.com> wrote:
> Hello James!
>
> Did you try
> echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds
> ?
>
> On 21 of October 2010 22:42:49 James Wright wrote:
>> Hello,
>>
>> After reading about the RDS vulnerability identified by VSR Security <http://www.zdnet.com/blog/security/linux-kernel-vulnerability-coughs-up-superuser-rights/7509?tag=nl.e539>, I tested this out for myself by compiling the proof of concept. Here is the output of the test:
>>
>> jfwright@linux-x0ou:~/Downloads> id
>> uid=1000(jfwright) gid=100(users) groups=16(dialout),20(cdrom),33(video),100(users),1000(vboxusers)
>> jfwright@linux-x0ou:~/Downloads> ./linux-rds-exploit
>> [*] Linux kernel >= 2.6.30 RDS socket exploit
>> [*] by Dan Rosenberg
>> [*] Resolving kernel addresses...
>> [+] Resolved rds_proto_ops to 0xffffffffa0f5ee80
>> [+] Resolved rds_ioctl to 0xffffffffa0f57000
>> [+] Resolved commit_creds to 0xffffffff810785f0
>> [+] Resolved prepare_kernel_cred to 0xffffffff81078790
>> [*] Overwriting function pointer...
>> [*] Triggering payload...
>> [*] Restoring function pointer...
>> [*] Got root!
>> linux-x0ou:~/Downloads> id
>> uid=0(root) gid=0(root)
>>
>> As you can see it works. I then updated the kernel to:
>>
>> Repository: @System
>> Name: kernel-desktop
>> Version: 2.6.34.7-0.4.1
>> Arch: x86_64
>> Vendor: openSUSE
>> Installed: Yes
>> Status: up-to-date
>>
>> I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
>>
>> Thanks,
>> James
>
> --
> Faithfully yours,
> Vladislav.
On Thu, Oct 21, 2010 at 03:42:49PM -0400, James Wright wrote:
> I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?

Someone already posted the workaround.

We will be releasing updated kernels at the beginning of next week.

Ciao, Marcus
Thank you Marcus.

On Thu, Oct 21, 2010 at 5:47 PM, Marcus Meissner <meissner@suse.de> wrote:
> On Thu, Oct 21, 2010 at 03:42:49PM -0400, James Wright wrote:
>> I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
>
> Someone already posted the workaround.
>
> We will be releasing updated kernels at the beginning of next week.
>
> Ciao, Marcus
Hi,

Marcus Meissner wrote
> On Thu, Oct 21, 2010 at 03:42:49PM -0400, James Wright wrote:
>> I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
>
> Someone already posted the workaround.
>
> We will be releasing updated kernels at the beginning of next week.

as far as I see all updates are out except for SLES/D 11 SP1 (only GA so far). Can you tell if it is scheduled already?

cu,
Frank

--
Dipl.-Inform. Frank Steiner   Web:   http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail:  http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
On Mon, Nov 08, 2010 at 09:24:37AM +0100, Frank Steiner wrote:
> Hi,
>
> Marcus Meissner wrote
>> On Thu, Oct 21, 2010 at 03:42:49PM -0400, James Wright wrote:
>>> I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
>>
>> Someone already posted the workaround.
>>
>> We will be releasing updated kernels at the beginning of next week.
>
> as far as I see all updates are out except for SLES/D 11 SP1 (only GA so far). Can you tell if it is scheduled already?

SLE 11 SP1 kernel is in QA ... if all goes well it will go out this week.

Btw, the rds module is only in kernel-FLAVOUR-extra, deinstall that or it can be safely deleted usually.

Ciao, Marcus
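
Added example, not part of any message in this thread and not SUSE tooling: a POSIX shell audit for the two mitigations mentioned above (the "alias net-pf-21 off" line and removing the rds module shipped in kernel-FLAVOUR-extra). The function names and status words are assumptions of this example, as is the .conf check, which reflects kmod-based modprobe reading only *.conf files in /etc/modprobe.d.

```shell
#!/bin/sh
# Added example: audit a host for the RDS workaround from this thread.
# Every path is a parameter so the checks can run against a fixture.

# Print the config files in DIR that contain an active
# "alias net-pf-21 off" line (commented-out lines do not match).
rds_alias_files() {
    grep -Els '^[[:space:]]*alias[[:space:]]+net-pf-21[[:space:]]+off[[:space:]]*$' \
        "$1"/* 2>/dev/null
}

# Succeed if rds is loaded; FILE is in /proc/modules format.
rds_loaded() {
    grep -qs '^rds ' "$1"
}

# Succeed if an rds module file exists under MODDIR, for example
# because kernel-FLAVOUR-extra is still installed.
rds_installed() {
    [ -n "$(find "$1" -name 'rds.ko*' 2>/dev/null | head -n 1)" ]
}

# Print one status word for the host.
rds_status() {
    confdir=$1; modules=$2; moddir=$3
    # The alias only blocks on-demand loading; a loaded module stays usable.
    if rds_loaded "$modules"; then echo LOADED; return 0; fi
    if ! rds_installed "$moddir"; then echo ABSENT; return 0; fi
    files=$(rds_alias_files "$confdir") || true
    if [ -z "$files" ]; then echo UNMITIGATED; return 0; fi
    # Assumption: kmod-based modprobe reads only *.conf files, so the
    # thread's file name "disable-rds" would be skipped there.
    if printf '%s\n' "$files" | grep -q '\.conf$'; then
        echo ALIASED
    else
        echo ALIASED_NOT_CONF
    fi
}

# Report for the local machine.
rds_status /etc/modprobe.d /proc/modules "/lib/modules/$(uname -r)"
```

LOADED means the alias alone does not help until the module is unloaded or the host is rebooted; ABSENT corresponds to the module file having been removed.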
participants (4)
- Frank Steiner
- James Wright
- Marcus Meissner
- Vladislav Kislyi