Full Disclosure: Re: Linux kernel exploit

[Dan Rosenberg <dan.j.rosenberg () gmail com>]

If you've applied all your Ubuntu updates, the exploit is not going to
work.  I decided to take a more responsible approach to exploit
publishing with this release.  Rather than publish a fully weaponized
exploit that could be used by script kiddies everywhere to compromise
innocent users' machines, I published a limited version that proves
the exploitability of the issue without putting too many people at
unnecessary risk.  As I said, the exploit could be easily adapted to
work on any current distribution, since fixes for CVE-2010-4258 are
not available yet.

Please read the exploit text before you run it next time.  ;)

Quote:

* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
*  * The particular symbols I resolve are not exported on Slackware or Debian
*  * Red Hat does not support Econet by default
*  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
*    Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn't have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*

-Dan

On Tue, Dec 7, 2010 at 4:40 PM, Thomas SOETE <thomas () soete org> wrote:
> Failed on Ubuntu 10.10 (2.6.35-23-generic)
>
> toms () bifrost:/tmp$ uname -a
> Linux bifrost 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24 11:55:36 UTC
> 2010 x86_64 GNU/Linux
>
> toms () bifrost:/tmp$ ./a.out
> [*] Resolving kernel addresses...
>  [+] Resolved econet_ioctl to 0xffffffffa03d9610
>  [+] Resolved econet_ops to 0xffffffffa03d9720
>  [+] Resolved commit_creds to 0xffffffff810863c0
>  [+] Resolved prepare_kernel_cred to 0xffffffff81086890
> [*] Calculating target...
> [*] Triggering payload...
> [*] Exploit failed to get root.
>
>
>
> 2010/12/7 coderman <coderman () gmail com>:
> > On Tue, Dec 7, 2010 at 12:25 PM, Dan Rosenberg
> > <dan.j.rosenberg () gmail com> wrote:
> > > ... I've included here a proof-of-concept local privilege escalation exploit...
> > >  * This exploit leverages three vulnerabilities to get root, all of which were
> > >  * discovered by Nelson Elhage:
> > > ...
> > >  * However, the important issue, CVE-2010-4258, affects everyone, and it would
> > >  * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
> > >  * more sophisticated version of this...
> > nice :)
> >
> > clearly demonstrates why risk is complicated and seemingly minor
> > defects (worth delaying patches for weeks/months? ;) can combine into
> > truly ugly vulnerabilities...
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/