Linux kernel root-level exploit leveraging three previous vulnerabilities (marc.info)
56 points by there on Dec 7, 2010 | 12 comments



Did not work on a server running Debian Lenny with 2.6.26-2-amd64. Worked fine on Ubuntu Server 10.10 with 2.6.35-22-generic-pae though (got root shell).

The comments mention that the exploit for CVE-2010-3850 is limited in regard to Slackware, Debian and Red Hat "in the interest of public safety". Interesting.


Note to everyone here: the interesting issue is CVE-2010-4258 (write a NULL to arbitrary memory on OOPS). The other two issues have been deliberately chosen to be exotic and hard to exploit, but

    * However, the important issue, CVE-2010-4258, affects everyone, and it would
    * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
    * more sophisticated version of this that doesn't have the roadblocks I put in
    * to prevent abuse by script kiddies.
So no, if this happened not to work on your box, you'll still want to upgrade.

[EDIT: this was also pointed out by bdonlan, http://news.ycombinator.com/item?id=1981738]


Information on kernel OOPS for others who were not familiar with the term. http://en.wikipedia.org/wiki/Linux_kernel_oops

Exploit didn't work on my Ubuntu 10.04.1 LTS. It does say the exploits are fixed on Ubuntu, but the socket(PF_ECONET,...) call not working stopped it on my box.


This didn't work on an Arch Linux (x86) box. I think I did pacman -Syu last weekend, so it's reasonably up to date.

It also doesn't work on my Slackware server, which has a pretty heavily modified 2.6.23.14 kernel.

In the context of the other comments, does this mean that a lack of a software monoculture keeps these sorts of exploits from damaging the entire population of Linux machines?


The exploit is specifically designed to only work on a small subset of kernel builds, as indicated in the header:

   * In the interest of public safety, this exploit was specifically designed to
   * be limited:
   *
   *  * The particular symbols I resolve are not exported on Slackware or Debian
   *  * Red Hat does not support Econet by default
   *  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
   *    Debian
   *
   * However, the important issue, CVE-2010-4258, affects everyone, and it would
   * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
   * more sophisticated version of this that doesn't have the roadblocks I put in
   * to prevent abuse by script kiddies.


What a very responsible way of releasing this.

Not that it would take a competent hacker more than a few minutes to figure out how to disable the blocks but at least this rules out a chunk of the 'l33t' crowd from having their way, which just might buy someone enough time to get it patched.


Any countermeasures, besides not using a kernel supporting the Econet protocol? I.e., does there exist a fix for the first CVE addressed in the exploit's comment?
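As an added example that is not part of this thread or of the exploit's own source: a small POSIX shell audit for the one countermeasure the question names, making sure the Econet protocol module is neither loaded nor loadable on demand. It uses the standard modprobe.d mechanism (`install econet /bin/true`, or a weaker `blacklist econet`) and reads /proc/modules-style and modprobe.d-style text from files, so it runs against the constructed samples embedded below and can also be pointed at the live system with `--live`. The sample inputs, the file names under the temp directory and the assumption that every relevant rule lives in `/etc/modprobe.d/*.conf` are all mine, not the page's. Note that this only closes the Econet vector; as the earlier comment points out, CVE-2010-4258 still needs a kernel update.

```shell
#!/bin/sh
# Added example, not part of the thread or of the exploit's source: audit
# whether the econet module is loaded, blocked, or still auto-loadable.
# Functions take file paths so they work on constructed samples or live files.

# econet_loaded MODULES_FILE: true if "econet" appears as a loaded module
econet_loaded() {
    grep -q '^econet[[:space:]]' "$1"
}

# econet_blocked MODPROBE_FILE: true if a rule stops econet from loading.
# "install econet /bin/true" blocks both explicit modprobe and on-demand
# loading; a bare "blacklist econet" only stops alias-based autoloading
# (the net-pf-* alias a socket() call would use). Both are accepted here,
# but the install form is the one to prefer.
econet_blocked() {
    grep -Eq '^[[:space:]]*(install[[:space:]]+econet[[:space:]]+/bin/true|blacklist[[:space:]]+econet)[[:space:]]*(#.*)?$' "$1"
}

# econet_status MODULES_FILE MODPROBE_FILE: prints LOADED, BLOCKED or AUTOLOADABLE
econet_status() {
    if econet_loaded "$1"; then
        echo LOADED          # resident already; a modprobe.d rule will not unload it
    elif econet_blocked "$2"; then
        echo BLOCKED
    else
        echo AUTOLOADABLE    # nothing stops an unprivileged socket(PF_ECONET) from pulling it in
    fi
}

# Constructed sample inputs (assumed; not captured from any real machine)
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/modules.loaded" <<'EOF'
econet 16384 0 - Live 0xffffffffa0070000
ext4 360448 2 - Live 0xffffffffa0000000
EOF
cat > "$SAMPLE_DIR/modules.clean" <<'EOF'
ext4 360448 2 - Live 0xffffffffa0000000
EOF
: > "$SAMPLE_DIR/modprobe.empty"
cat > "$SAMPLE_DIR/modprobe.blocked" <<'EOF'
# disable Econet so the module can never be loaded
install econet /bin/true
EOF

if [ "${1:-}" = "--live" ]; then
    # Concatenate every modprobe.d fragment so a rule in any of them counts
    cat /etc/modprobe.d/*.conf > "$SAMPLE_DIR/modprobe.live" 2>/dev/null || :
    echo "econet: $(econet_status /proc/modules "$SAMPLE_DIR/modprobe.live")"
else
    echo "sample A: $(econet_status "$SAMPLE_DIR/modules.loaded" "$SAMPLE_DIR/modprobe.empty")"    # LOADED
    echo "sample B: $(econet_status "$SAMPLE_DIR/modules.clean" "$SAMPLE_DIR/modprobe.blocked")"   # BLOCKED
    echo "sample C: $(econet_status "$SAMPLE_DIR/modules.clean" "$SAMPLE_DIR/modprobe.empty")"     # AUTOLOADABLE
fi
```

Run it with no arguments to see the three sample verdicts, or with `--live` as root to check the machine you are on; an AUTOLOADABLE verdict means a local user can still bring the module in just by opening an Econet socket.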


Worked on Ubuntu 10.10 Meerkat. Gotta love it. Instant root.


Failed on mine

    tzury@precision:/tmp$ uname -a
    Linux precision 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 10:14:11 UTC 2010 x86_64 GNU/Linux
    tzury@precision:/tmp$ gcc nelson.c 
    tzury@precision:/tmp$ ./a.out 
     [*] Resolving kernel addresses...
     [+] Resolved econet_ioctl to 0xffffffffa00705d0
     [+] Resolved econet_ops to 0xffffffffa00706c0
     [+] Resolved commit_creds to 0xffffffff8108aed0
     [+] Resolved prepare_kernel_cred to 0xffffffff8108b2b0
    [*] Calculating target...
    [*] Triggering payload...
    [*] Exploit failed to get root.


Read the header of the C program.


Perhaps that is because I am well patched.

Anyway, 2.6.32 <= 2.6.37 (my kernel).

Besides, people here have reported Ubuntu boxes on which this exploit showed some success:

    tzury@precision:/tmp$ uname -a
    Linux precision 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 10:14:11 UTC 2010 x86_64 GNU/Linux
    tzury@precision:/tmp$ cat /etc/lsb-release 
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=10.04
    DISTRIB_CODENAME=lucid
    DISTRIB_DESCRIPTION="Ubuntu 10.04.1 LTS"
    tzury@precision:/tmp$ gcc full-nelson.c -o full-nelson
    tzury@precision:/tmp$ ./full-nelson 
    [*] Resolving kernel addresses...
     [+] Resolved econet_ioctl to 0xffffffffa01815d0
     [+] Resolved econet_ops to 0xffffffffa01816c0
     [+] Resolved commit_creds to 0xffffffff8108aed0
     [+] Resolved prepare_kernel_cred to 0xffffffff8108b2b0
    [*] Calculating target...
    [*] Triggering payload...
    [*] Exploit failed to get root.


The point was that the comment in the header of the program clearly says:

  * In the interest of public safety, this exploit was specifically designed to
  * be limited:
  *
  *  * The particular symbols I resolve are not exported on Slackware or Debian
  *  * Red Hat does not support Econet by default
  *  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
  *    Debian
