Hello,
After reading about the RDS vulnerability identified by VSR Security http://www.zdnet.com/blog/security/linux-kernel-vulnerability-coughs-up-superuser-rights/7509?tag=nl.e539, I tested this out for myself by compiling the proof of concept. Here is the output of the test:
jfwright@linux-x0ou:~/Downloads> id
uid=1000(jfwright) gid=100(users) groups=16(dialout),20(cdrom),33(video),100(users),1000(vboxusers)
jfwright@linux-x0ou:~/Downloads> ./linux-rds-exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xffffffffa0f5ee80
[+] Resolved rds_ioctl to 0xffffffffa0f57000
[+] Resolved commit_creds to 0xffffffff810785f0
[+] Resolved prepare_kernel_cred to 0xffffffff81078790
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
linux-x0ou:~/Downloads> id
uid=0(root) gid=0(root)
As you can see it works. I then updated the kernel to:
Repository: @System
Name: kernel-desktop
Version: 2.6.34.7-0.4.1
Arch: x86_64
Vendor: openSUSE
Installed: Yes
Status: up-to-date
I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
Thanks, James
Hello James! Did you try echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds ?
On 21 of October 2010 22:42:49 James Wright wrote:
Hello,
After reading about the RDS vulnerability identified by VSR Security http://www.zdnet.com/blog/security/linux-kernel-vulnerability-coughs-up-superuser-rights/7509?tag=nl.e539, I tested this out for myself by compiling the proof of concept. Here is the output of the test:
jfwright@linux-x0ou:~/Downloads> id
uid=1000(jfwright) gid=100(users) groups=16(dialout),20(cdrom),33(video),100(users),1000(vboxusers)
jfwright@linux-x0ou:~/Downloads> ./linux-rds-exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xffffffffa0f5ee80
[+] Resolved rds_ioctl to 0xffffffffa0f57000
[+] Resolved commit_creds to 0xffffffff810785f0
[+] Resolved prepare_kernel_cred to 0xffffffff81078790
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
linux-x0ou:~/Downloads> id
uid=0(root) gid=0(root)
As you can see it works. I then updated the kernel to:
Repository: @System
Name: kernel-desktop
Version: 2.6.34.7-0.4.1
Arch: x86_64
Vendor: openSUSE
Installed: Yes
Status: up-to-date
I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
Thanks, James
Thank you Vladislav,
I have tried just now per your suggestion and it seems that it works!
jfwright@linux-x0ou:~/Downloads> ./linux-rds-exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Could not open socket.
Thank you very much!
Thanks, James
On Thu, Oct 21, 2010 at 4:23 PM, Vladislav Kislyi vladislav.kisliy@gmail.com wrote:
Hello James! Did you try echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds ?
On 21 of October 2010 22:42:49 James Wright wrote:
Hello,
After reading about the RDS vulnerability identified by VSR Security http://www.zdnet.com/blog/security/linux-kernel-vulnerability-coughs-up-superuser-rights/7509?tag=nl.e539, I tested this out for myself by compiling the proof of concept. Here is the output of the test:
jfwright@linux-x0ou:~/Downloads> id
uid=1000(jfwright) gid=100(users) groups=16(dialout),20(cdrom),33(video),100(users),1000(vboxusers)
jfwright@linux-x0ou:~/Downloads> ./linux-rds-exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xffffffffa0f5ee80
[+] Resolved rds_ioctl to 0xffffffffa0f57000
[+] Resolved commit_creds to 0xffffffff810785f0
[+] Resolved prepare_kernel_cred to 0xffffffff81078790
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
linux-x0ou:~/Downloads> id
uid=0(root) gid=0(root)
As you can see it works. I then updated the kernel to:
Repository: @System
Name: kernel-desktop
Version: 2.6.34.7-0.4.1
Arch: x86_64
Vendor: openSUSE
Installed: Yes
Status: up-to-date
I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
Thanks, James
--
Faithfully yours, Vladislav.
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Thu, Oct 21, 2010 at 03:42:49PM -0400, James Wright wrote:
I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
Someone already posted the workaround.
We will be releasing updated kernels at the beginning of next week.
Ciao, Marcus
Thank you Marcus.
On Thu, Oct 21, 2010 at 5:47 PM, Marcus Meissner meissner@suse.de wrote:
On Thu, Oct 21, 2010 at 03:42:49PM -0400, James Wright wrote:
I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
Someone already posted the workaround.
We will be releasing updated kernels at the beginning of next week.
Ciao, Marcus
Hi,
Marcus Meissner wrote:
On Thu, Oct 21, 2010 at 03:42:49PM -0400, James Wright wrote:
I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
Someone already posted the workaround.
We will be releasing updated kernels at the beginning of next week.
As far as I can see, all updates are out except for SLES/D 11 SP1 (only GA so far). Can you tell if it is scheduled already?
cu, Frank
On Mon, Nov 08, 2010 at 09:24:37AM +0100, Frank Steiner wrote:
Hi,
Marcus Meissner wrote:
On Thu, Oct 21, 2010 at 03:42:49PM -0400, James Wright wrote:
I have at least a few and possibly many machines that will require a security fix. Is there a planned release date for a security patch, and is there a known work around to prevent this from being exploited?
Someone already posted the workaround.
We will be releasing updated kernels at the beginning of next week.
As far as I can see, all updates are out except for SLES/D 11 SP1 (only GA so far). Can you tell if it is scheduled already?
SLE 11 SP1 kernel is in QA ... if all goes well it will go out this week.
Btw, the rds module is only in kernel-FLAVOUR-extra; deinstall that, or it can usually be safely deleted.
Ciao, Marcus
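The thread gives two mitigations: Vladislav's modprobe alias ("alias net-pf-21 off", which stops the kernel autoloading the rds module when a process asks for protocol family 21) and Marcus's note that the module only ships in kernel-FLAVOUR-extra. The script below is an added example, not code from the thread or from openSUSE: it checks a modprobe.d directory for the alias line, applies it if missing, and reports whether the rds module is loaded or present for the running kernel. The directory argument, the file name disable-rds (taken from Vladislav's message) and the subcommand names are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): audit and apply the net-pf-21 workaround.
# net-pf-21 is the kernel module alias for protocol family 21 (PF_RDS), so the
# line "alias net-pf-21 off" keeps modprobe from loading rds on demand.
# The modprobe.d directory is a parameter so the checks can run against a
# test directory instead of /etc/modprobe.d.

# rds_disabled DIR: exit 0 if some file in DIR carries an active alias line
# (a commented-out "# alias net-pf-21 off" does not count).
rds_disabled() {
    dir="$1"
    grep -qsE '^[[:space:]]*alias[[:space:]]+net-pf-21[[:space:]]+off[[:space:]]*$' \
        "$dir"/* 2>/dev/null
}

# rds_loaded: exit 0 if the rds module is currently loaded (reads /proc/modules).
# The alias only blocks future autoloads; an already loaded module stays loaded.
rds_loaded() {
    grep -qs '^rds ' /proc/modules
}

# rds_module_present: exit 0 if a loadable rds module exists for the running
# kernel. Per Marcus, on openSUSE it only ships in kernel-FLAVOUR-extra, so a
# system without that package reports "not present".
rds_module_present() {
    modinfo -n rds >/dev/null 2>&1
}

# apply_rds_workaround DIR: write the alias line into DIR/disable-rds unless an
# equivalent active line already exists. Prints the path written, or nothing
# if no change was needed.
apply_rds_workaround() {
    dir="$1"
    if rds_disabled "$dir"; then
        return 0
    fi
    mkdir -p "$dir"
    printf 'alias net-pf-21 off\n' > "$dir/disable-rds"
    printf '%s\n' "$dir/disable-rds"
}

# rds_report [DIR]: human-readable summary; exit 0 only when the alias is in
# place and the module is not loaded.
rds_report() {
    dir="${1:-/etc/modprobe.d}"
    status=0
    if rds_disabled "$dir"; then
        echo "alias net-pf-21 off: present in $dir"
    else
        echo "alias net-pf-21 off: MISSING in $dir"
        status=1
    fi
    if rds_loaded; then
        echo "rds module: currently loaded (alias does not unload it; rmmod rds or reboot)"
        status=1
    else
        echo "rds module: not loaded"
    fi
    if rds_module_present; then
        echo "rds module file: present for kernel $(uname -r)"
    else
        echo "rds module file: not present for kernel $(uname -r)"
    fi
    return $status
}

# Usage: sh rds-check.sh report [DIR]   (audit, no changes)
#        sh rds-check.sh apply  [DIR]   (write the alias; needs root for /etc)
case "${1:-}" in
    report) shift; rds_report "$@" ;;
    apply)  apply_rds_workaround "${2:-/etc/modprobe.d}" ;;
esac
```

Running the report after applying the workaround gives the same picture James saw: with the alias in place and the module not loaded, the proof of concept's first step (opening an RDS socket) fails, which is why his second run stopped at "Could not open socket." Removing the kernel-FLAVOUR-extra package, as Marcus suggests, is the stronger fix because it takes away the module itself rather than only the autoload path.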