

Linux kernel root-level exploit leveraging three previous vulnerabilities - there
http://marc.info/?l=full-disclosure&m=129175358621826&w=2

======
martinp
Did not work on a server running Debian Lenny with 2.6.26-2-amd64. Worked fine
on Ubuntu Server 10.10 with 2.6.35-22-generic-pae though (got root shell).

The comments mention that the exploit for CVE-2010-3850 is limited in regard
to Slackware, Debian and Red Hat "in the interest of public safety".
Interesting.

------
JoachimSchipper
Note to everyone here: the interesting issue is CVE-2010-4258 (write a NULL to
arbitrary memory on OOPS). The other two issues have been deliberately chosen
to be exotic and hard to exploit, but

    
    
        * However, the important issue, CVE-2010-4258, affects everyone, and it would
        * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
        * more sophisticated version of this that doesn't have the roadblocks I put in
        * to prevent abuse by script kiddies.
    

So no, if this happened not to work on your box, you'll still want to upgrade.

[EDIT: this was also pointed out by bdonlan,
<http://news.ycombinator.com/item?id=1981738>]
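
The primitive JoachimSchipper singles out is the kernel's own exit-time courtesy write: a thread created with CLONE_CHILD_CLEARTID (or one that has called set_tid_address()) gets a 32-bit 0 stored at its registered address when it exits, and the kernel does that store with put_user(). CVE-2010-4258 is the OOPS path leaving the address limit at KERNEL_DS, so put_user()'s access check passes for a kernel address too and that same 0 lands in kernel memory. The program below is an added example, not part of this thread or of full-nelson.c; it shows the benign half of the mechanism from user space on Linux: the write landing in our own memory, and the identical request refused when aimed at a kernel address (the commit_creds address from the output pasted further down the thread, used only as a sample kernel address). The function names, the sentinel value and the stack size are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks so the block builds even if <sched.h> was processed before
 * _GNU_SOURCE took effect. Values are the Linux ABI constants. */
#ifndef CLONE_VM
#define CLONE_VM 0x00000100
#endif
#ifndef CLONE_CHILD_CLEARTID
#define CLONE_CHILD_CLEARTID 0x00200000
#endif
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

#define CHILD_STACK_SIZE (64 * 1024)   /* example's own choice */
#define SENTINEL 0x41414141            /* non-zero, so a kernel write of 0 shows */

/* The child does nothing; returning makes the clone() wrapper call _exit(),
 * and the exit path (mm_release) is where the kernel stores the 0. */
static int child_fn(void *arg)
{
    (void)arg;
    return 0;
}

/* Start a CLONE_VM child whose exit asks the kernel, via CLONE_CHILD_CLEARTID,
 * to store a 32-bit 0 at `target`. Returns the child's exit status, or -1 if
 * clone()/waitpid() failed. The store is a put_user(); it is put_user()'s
 * access_ok() check that CVE-2010-4258 defeats, because after an OOPS under
 * KERNEL_DS the limit is never restored and a kernel address passes it. */
static int exit_time_zero_write(volatile int32_t *target)
{
    char *stack = malloc(CHILD_STACK_SIZE);
    if (!stack) return -1;
    /* Stacks grow down on x86 and ARM: hand clone() the top of the buffer. */
    pid_t pid = clone(child_fn, stack + CHILD_STACK_SIZE,
                      CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD, NULL,
                      /* ptid */ (void *)0, /* tls */ (void *)0,
                      /* ctid */ (void *)target);
    int status = -1;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        status = WEXITSTATUS(status);
    else
        status = -1;
    free(stack);
    return status;
}

/* Ordinary case: the slot is in our own memory and is zeroed on child exit.
 * Returns 1 when the kernel's write was observed. */
int demo_user_target(void)
{
    volatile int32_t slot = SENTINEL;
    return exit_time_zero_write(&slot) == 0 && slot == 0;
}

/* Same request aimed at a kernel address (the commit_creds address from the
 * pasted run; any kernel address would do). With the limit at USER_DS,
 * access_ok() fails, put_user() returns -EFAULT, mm_release() ignores the
 * error ("tough luck") and the child exits normally: nothing is written.
 * Returns 1 when the child exited cleanly. */
int demo_kernel_target(void)
{
    volatile int32_t *kaddr =
        (volatile int32_t *)(uintptr_t)0xffffffff8108aed0ULL;
    return exit_time_zero_write(kaddr) == 0;
}

int main(void)
{
    printf("user-space target zeroed on child exit: %s\n",
           demo_user_target() ? "yes" : "no");
    printf("kernel-space target refused, child exited cleanly: %s\n",
           demo_kernel_target() ? "yes" : "no");
    return 0;
}
```

This is the same mechanism glibc's pthread_join() relies on (it futex-waits on the thread's tid slot until the kernel zeroes it), which is why the fix could not simply remove the write: the kernel had to guarantee the exit path runs with the address limit back at USER_DS.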

------
ximeng
Information on kernel OOPS for others who were not familiar with the term.
<http://en.wikipedia.org/wiki/Linux_kernel_oops>

Exploit didn't work on my Ubuntu 10.04.1 LTS. It does say the exploits are
fixed on Ubuntu, but the socket(PF_ECONET,...) call not working stopped it on
my box.

------
bediger
This didn't work on an Arch Linux (x86) box. I think I did pacman -Syu last
weekend, so it's reasonably up to date.

It also doesn't work on my Slackware server, which has a pretty heavily
modified 2.6.23.14 kernel.

In the context of the other comments, does this mean that a lack of a software
monoculture keeps these sorts of exploits from damaging the entire population
of linux machines?

~~~
bdonlan
The exploit is specifically designed to only work on a small subset of kernel
builds, as indicated in the header:

       * In the interest of public safety, this exploit was specifically designed to
       * be limited:
       *
       *  * The particular symbols I resolve are not exported on Slackware or Debian
       *  * Red Hat does not support Econet by default
       *  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
       *    Debian
       *
       * However, the important issue, CVE-2010-4258, affects everyone, and it would
       * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
       * more sophisticated version of this that doesn't have the roadblocks I put in
       * to prevent abuse by script kiddies.

~~~
jacquesm
What a very responsible way of releasing this.

Not that it would take a competent hacker more than a few minutes to figure
out how to disable the blocks but at least this rules out a chunk of the
'l33t' crowd from having their way, which just might buy someone enough time
to get it patched.

------
bigfoot
Any countermeasures, besides not using a kernel supporting the Econet
protocol? I.e., does there exist a fix for the first CVE addressed in the
exploit's comment?
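
ximeng's observation (the socket(PF_ECONET, ...) call failing) and bigfoot's question come down to the same check: can an unprivileged process obtain an Econet socket at all? Asking the kernel for one is the right probe, not reading lsmod, because socket() on a family with no registered handler makes the kernel call request_module("net-pf-19") and autoload econet.ko if it is installed, so a module that is merely "not loaded" offers no protection. The probe below is an added example, not code from this thread or from the exploit; PF_ECONET is 19 in the Linux ABI, the return-value convention and the function names are this example's own, and it tests AF_UNIX alongside so the "available" path is visible on any box.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef PF_ECONET
#define PF_ECONET 19   /* Acorn Econet address family (Linux ABI constant) */
#endif

/* Returns 1 if the kernel hands out a datagram socket for `family` (built in,
 * already loaded, or autoloaded by this very call), 0 if the family is
 * unavailable or its creation is refused by policy, -1 on an unexpected
 * errno (left set for the caller). */
int socket_family_available(int family)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    switch (errno) {
    case EAFNOSUPPORT:      /* no handler and no loadable module for it */
    case EPROTONOSUPPORT:
    case ESOCKTNOSUPPORT:
    case EPERM:             /* LSM or seccomp said no: not reachable this way */
    case EACCES:
        return 0;
    default:
        return -1;
    }
}

/* The check a user on a box like ximeng's or bigfoot's actually wants:
 * 1 means an econet socket can be created, i.e. the econet_ops / econet_ioctl
 * code the exploit targets is reachable from an unprivileged process. */
int econet_socket_available(void)
{
    return socket_family_available(PF_ECONET);
}

int main(void)
{
    int unix_ok = socket_family_available(AF_UNIX);
    int econet = econet_socket_available();
    printf("AF_UNIX socket: %s\n", unix_ok == 1 ? "available" : "unavailable");
    if (econet == 1)
        printf("PF_ECONET socket: available (econet code reachable)\n");
    else if (econet == 0)
        printf("PF_ECONET socket: unavailable (%s)\n", strerror(errno));
    else
        printf("PF_ECONET socket: unexpected error (%s)\n", strerror(errno));
    return 0;
}
```

On a kernel that still ships econet.ko, the countermeasure short of rebuilding is a modprobe.d rule: `blacklist econet` only disables the module's internal aliases (which does cover the net-pf-19 alias that socket() autoload resolves), while `install econet /bin/true` also defeats loading by name, so the latter is the form to use. Econet was removed from mainline in 3.5, so on any current kernel the probe reports it unavailable.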

------
burningion
Worked on Ubuntu 10.10 Meerkat. Gotta love it. Instant root.

------
tzury
Failed on mine

    
    
        tzury@precision:/tmp$ uname -a
        Linux precision 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 10:14:11 UTC 2010 x86_64 GNU/Linux
        tzury@precision:/tmp$ gcc nelson.c 
        tzury@precision:/tmp$ ./a.out 
         [*] Resolving kernel addresses...
         [+] Resolved econet_ioctl to 0xffffffffa00705d0
         [+] Resolved econet_ops to 0xffffffffa00706c0
         [+] Resolved commit_creds to 0xffffffff8108aed0
         [+] Resolved prepare_kernel_cred to 0xffffffff8108b2b0
        [*] Calculating target...
        [*] Triggering payload...
        [*] Exploit failed to get root.

~~~
sgt
Read the header of the C program.

~~~
tzury
Perhaps that is because I am well patched.

Anyway, 2.6.32 <= 2.6.37 (my kernel).

Besides, people here have reported Ubuntu boxes on which this exploit showed
some success

    
    
        tzury@precision:/tmp$ uname -a
        Linux precision 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 10:14:11 UTC 2010 x86_64 GNU/Linux
        tzury@precision:/tmp$ cat /etc/lsb-release 
        DISTRIB_ID=Ubuntu
        DISTRIB_RELEASE=10.04
        DISTRIB_CODENAME=lucid
        DISTRIB_DESCRIPTION="Ubuntu 10.04.1 LTS"
        tzury@precision:/tmp$ gcc full-nelson.c -o full-nelson
        tzury@precision:/tmp$ ./full-nelson 
        [*] Resolving kernel addresses...
         [+] Resolved econet_ioctl to 0xffffffffa01815d0
         [+] Resolved econet_ops to 0xffffffffa01816c0
         [+] Resolved commit_creds to 0xffffffff8108aed0
         [+] Resolved prepare_kernel_cred to 0xffffffff8108b2b0
        [*] Calculating target...
        [*] Triggering payload...
        [*] Exploit failed to get root.

~~~
dredge
The point was that the comment in the header of the program clearly says:

    
    
      * In the interest of public safety, this exploit was specifically designed to
      * be limited:
      *
      *  * The particular symbols I resolve are not exported on Slackware or Debian
      *  * Red Hat does not support Econet by default
      *  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
      *    Debian

