Local root exploit
gerasimos_h
Site Admin

Posted: Thu Feb 14, 2008 1:18 pm    Post subject: Local root exploit

The local root exploit affects kernels 2.6.17-2.6.24.1 regardless of distribution, and it's not a Slackware issue...
It's a local root exploit and not a remote one, and it doesn't give full root privileges: it can't reboot, halt, add or remove packages, for instance, but it can delete and stop services, among other things, and that's a problem.
Of course, all of that can be done by a user and not by someone who has no access to the server, but I believe that a well-written web script can do bad things.

An example run of the script before the patch (SMS 1.3.5):
Code:
angel@sms:/var/smb/samba$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e12000 .. 0xb7e44000
[+] root
root@sms:/var/smb/samba$


And after the splice patch (SMS 1.3.6):
Code:
angel@sms:/var/smb/samba$ ./exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d9e000 .. 0xb7dd0000
[-] vmsplice: Bad address
angel@sms:/var/smb/samba$


All of the above was tested on SMS 1.3.5 and 1.3.6 native installations.

Note: if you boot from SMS.Live.CD-1.3.6 the script will gain root access, but that's because I patched the kernel and not the initrd.gz that boots the liveCD.
If you install it on disk through sms-text-installer you will not have any problems.
I have, however, also created an initrd.gz from the patched kernel, and it will be on SMS.Live.CD-1.3.7.


Kernel patches are available here.
If you installed SMS.Live.CD, just use livecd.s.
Don't forget to run lilo after installing the kernel.

For more info about the script look at:
http://lwn.net/SubscriberLink/268783/c6a3f3433044e10b/

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
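As an added check that is not part of gerasimos_h's post or of the SMS project's own tooling: the post names the affected range as 2.6.17 through 2.6.24.1, and an administrator with several boxes wants a quick way to see which kernels fall inside it before installing the patched kernel and re-running lilo. The POSIX shell script below compares `uname -r` (or a version given on the command line) against that range field by field, numerically, so that 2.6.9 is treated as below the range and 2.6.24.2 as above it, which a plain string comparison gets wrong (the string "2.6.9" sorts after "2.6.17"). The `-flavour` suffix that kernels such as 2.6.24.1-smp carry is assumed to be irrelevant and is stripped; the function names are my own. A version inside the range only says the kernel is a candidate: distributions backport fixes without bumping the version, so the definitive test remains the one the post shows, namely whether the exploit's vmsplice call is refused with "Bad address".

```shell
#!/bin/sh
# Added example (not from the SMS forum post or the SMS project): report
# whether a kernel version falls inside the range the post names,
# 2.6.17 through 2.6.24.1, for the vmsplice local root exploit.
# Assumption: versions are dotted numerics with an optional "-suffix"
# (e.g. "2.6.24.1-smp"); the suffix is ignored.

# Compare two dotted version strings numerically, field by field.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing trailing fields count as 0,
# so 2.6.24 equals 2.6.24.0 and is below 2.6.24.1.
vercmp() {
    a=${1%%-*}
    b=${2%%-*}
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Succeed (exit 0) if the version lies within [2.6.17, 2.6.24.1].
in_affected_range() {
    v=$1
    [ "$(vercmp "$v" 2.6.17)" -ge 0 ] && [ "$(vercmp "$v" 2.6.24.1)" -le 0 ]
}

# Report on the running kernel (uname -r) or on a version given as $1.
# Returns 1 when the kernel is in the affected range, 0 otherwise, so the
# function can drive a script that decides whether to install the patch.
check_kernel() {
    v=${1:-$(uname -r)}
    if in_affected_range "$v"; then
        echo "kernel $v: inside the affected range 2.6.17-2.6.24.1, apply the vmsplice kernel patch"
        return 1
    fi
    echo "kernel $v: outside the affected range (still verify with the exploit output: a patched kernel answers 'vmsplice: Bad address')"
    return 0
}

check_kernel "$@"
```

Run it with no arguments to test the running kernel, or pass a version string (`sh check.sh 2.6.24.1-smp`) to check a box remotely from its `uname -r` output.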
SMS - Superb! Mini Server Project © 2016