Blog

CRITICAL : Serious kernel bug!!! Root privilege escalation

Tags: Kernel bugroot privilege escalation.

Published on: August 17, 2009 by Arnold Pablo

CRITICAL : Serious kernel bug!!! Root privilege escalation

Scenario:

Tavis Ormandy and Julien Tinnes of the Google Security Team has unleashed a major kernel bug. A serious and critical security flaw has been found in both 2.4 and 2.6 kernel, enabling the attacked to gain the complete root access. I believe this is one major kernel bug in last few years. Distros release the Update… or we have to patch the kernel…Let us discuss about this root privilege exploit bug more,

Believe me, this works 🙁 Seriously works! See below from an exploit running all over the net.

[sages@tech ~]$ chmod +x run.sh
[sages@tech ~]$ ./run.sh
padlina z lublina!
sh-3.2# whoami
root
sh-3.2#

While a patched kernel should show the output as below

[sages@tech ~]$ chmod +x run.sh
[sages@tech ~]$ ./run.sh
padlina z lublina!
mprotect: Cannot allocate memory
[sages@tech ~]$

===============================================================

Linux NULL pointer dereference due to incorrect proto_ops initializations
————————————————————————-

In the Linux kernel, each socket has an associated struct of operations
called proto_ops which contain pointers to functions implementing various
features, such as accept, bind, shutdown, and so on.

If an operation on a particular socket is unimplemented, they are expected
to point the associated function pointer to predefined stubs, for example if
the “accept” operation is undefined it would point to sock_no_accept(). However,
we have found that this is not always the case and some of these pointers are
left uninitialized.

This is not always a security issue, as the kernel validates the pointers at
the call site, such as this example from sock_splice_read:

static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
struct pipe_inode_info *pipe, size_t len,
unsigned int flags)
{
struct socket *sock = file->private_data;

if (unlikely(!sock->ops->splice_read))
return -EINVAL;

return sock->ops->splice_read(sock, ppos, pipe, len, flags);
}

But we have found an example where this is not the case; the sock_sendpage()
routine does not validate the function pointer is valid before dereferencing
it, and therefore relies on the correct initialization of the proto_ops
structure.

We have identified several examples where the initialization is incomplete:

– The SOCKOPS_WRAP macro defined in include/linux/net.h, which appears correct
at first glance, was actually affected. This includes PF_APPLETALK, PF_IPX,
PF_IRDA, PF_X25 and PF_AX25 families.

– Initializations were missing in other protocols, including PF_BLUETOOTH,
PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN.

——————–
Affected Software
————————

All Linux 2.4/2.6 versions since May 2001 are believed to be affected:

– Linux 2.4, from 2.4.4 up to and including 2.4.37.4
– Linux 2.6, from 2.6.0 up to and including 2.6.30.4

——————–
Consequences
———————–

This issue is easily exploitable for local privilege escalation. In order to
exploit this, an attacker would create a mapping at address zero containing
code to be executed with privileges of the kernel, and then trigger a
vulnerable operation using a sequence like this:

/* … */
int fdin = mkstemp(template);
int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);

unlink(template);

ftruncate(fdin, PAGE_SIZE);

sendfile(fdout, fdin, NULL, PAGE_SIZE);
/* … */

Please note, sendfile() is just one of many ways to cause a sendpage
operation on a socket.

Successful exploitation will lead to complete attacker control of the system.

——————-
Mitigation
———————–

Recent kernels with mmap_min_addr support may prevent exploitation if
the sysctl vm.mmap_min_addr is set above zero. However, administrators
should be aware that LSM based mandatory access control systems, such
as SELinux, may alter this functionality.

It should also be noted that all kernels up to 2.6.30.2 are vulnerable to
published attacks against mmap_min_addr.

——————-
Solution
———————–

Linus committed a patch correcting this issue on 13th August 2009.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

——————-
Credit
———————–

This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google
Security Team.

================================================================

Sad part is that there isn’t a patch from distro developers. And we have to manually compile the kernel. Oh guys.. release a patch soon or else my dear servers. Blog of Julien, http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html has more in depth details.

Category : Linux, VPS

[easy-social-share counters=0]
Arnold Pablo

Arnold Pablo

Technology always fascinated me and continues to do so. I started my career back in 2004 as a Junior System Admin and worked in various capacities both in technical and managerial roles. I love to experiment and try out new OSS projects and in free time, go for cycling to the interiors of God's own country, Kerala!

You may also read:

Comments

Add new commentSIGN IN

Let's Connect

Categories

Your Cart

ZPanel migration support for webhosting accounts
Account Migration - ZPanel to ZPanel Migration
Qty: 1
160.00
Expert migration team to outsource your Non-Zpanel to ZPanel migrations.
Account Migration – Non-ZPanel to ZPanel
Qty: 1
400.00
ZPanel server migration through migration experts.
Server Migration - ZPanel to ZPanel
Qty: 1
7,920.00
server migrations to ZPanel Severs from non-zpanel servers
Server Migration - ZPanel to Non-Zpanel
Qty: 1
11,920.00
Placeholder
Coach
Qty: 1
104,930.00
Placeholder
Live Chat Support Team - Sales
Qty: 1
256,000.00
Placeholder
Live Chat Support Team - Billing
Qty: 1
256,000.00
24/7 Sales and Billing support through dedicated sales and billing team
Dedicated Team plan - Sales/Billing
Qty: 1
224,000.00
level2 dedicated night shift support
Dedicated Night Shift Support - Owls
Qty: 1
96,000.00
Shift support for level1 dedicated night shift support
Dedicated Night Shift Support - NightJars
Qty: 1
48,000.00
Four member level3 semi-dedicated technical support team for advanced helpdesk and server adminsitration requirements.
Semi-dedicated Team - Technical - Masters
Qty: 1
320,000.00
level2 semi-dedicated technical support team for dedicated 24/7 server administration and helpdesk support
Semi-dedicated Team- Technical - Abbots
Qty: 1
200,000.00
Placeholder
Choose the number of L1 Soldiers for your team
Qty: 1
79,920.00
Level3 dedicated technical support team for complete hosting support solutions
Dedicated Team - Technical- GrandMasters
Qty: 1
576,000.00
level1 dedicated technical support team
Dedicated Team - Technical -Monks
Qty: 1
256,000.00
Part time graphic designer availability for your custom design requirements
Hire a part time Graphic designer - (4 hours x 22 days)
Qty: 1
63,920.00
A dedicated graphic designer can help you with logo design, website design etc. with high level of professional competency and time bound delivery.
Dedicated Staff - Graphic Designer - (8 hours x 22 days)
Qty: 1
119,920.00
Get a dedicated level3 server administrator for your dedicated server management operations.rver administration and helpdesk support.
Dedicated Staff- Server Admin- Commander
Qty: 1
159,920.00
Dedicated level3E server administrator for escalation support.
Dedicated Staff- Server Admin - Zen Master
Qty: 1
199,920.00
dedicatd level2 server administrrator for sever administration and webhosting support
Dedicated Staff- Server Admin - Warrior
Qty: 1
119,920.00
level1 server administrator for dedicated server administration
Dedicated Staff - Server Admin - Soldier
Qty: 1
79,920.00
VPS node management plan for setting up of VPS node and virtualization assistance.
VPS - Node Management
Qty: 1
2,400.00
VPS live chat for the technical, sales and billing issues for the VPS node and the VPSes hosted on it.
Live Chat - VPS Node
Qty: 1
6,320.00
Subtotal
₹3,189,490.00
APPLY
23