brentaal Posted September 18, 2010

Hole in Linux kernel provides root rights

A vulnerability in the 32-bit compatibility mode of the current Linux kernel (and previous versions) for 64-bit systems can be exploited to escalate privileges. For instance, attackers can break into a system and exploit a hole in the web server to get complete root (also known as superuser) rights or permissions for a victim's system. According to a report, the problem occurs because the 32-bit call emulation layer does not check whether the call is truly in the syscall table. Ben Hawkes, who discovered the problem, says the vulnerability can be exploited to execute arbitrary code with kernel rights. An exploit (direct download of source code) is already in circulation; in a test conducted by The H's associates at heise Security on 64-bit Ubuntu 10.04, it opened a shell with root rights.

The kernel developers have remedied the flaw in the repository, and Linux distributors will probably soon publish new kernels to close the hole. Until then, switching off 32-bit ELF support solves the problem if you can do without this function. For instructions, see: "Workaround for Ac1db1tch3z exploit".

Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability. The older exploit apparently only needed slight modifications to work with the new hole.

Source
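The heise workaround referred to above registers a binfmt_misc handler that sends 32-bit ELF binaries (magic `\x7fELF` followed by the ELFCLASS32 byte 0x01) to /bin/true, so that 32-bit code can no longer enter the compatibility syscall layer. This added check is not from the thread or from heise; it parses the per-entry files that binfmt_misc exposes (normally under /proc/sys/fs/binfmt_misc, here passed as a parameter so it can be tested on constructed files) and reports whether such an entry is enabled.

```shell
# Added example (not from the thread): detect whether the binfmt_misc-based
# 32-bit ELF workaround is active. Each registered binfmt_misc entry is a
# file whose lines look like:
#   enabled
#   interpreter /bin/true
#   flags:
#   offset 0
#   magic 7f454c4601
# The "register" and "status" files are control files, not entries.

# Return 0 if one entry file describes an enabled 32-bit-ELF -> /bin/true handler.
entry_disables_ia32() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -q '^enabled$' "$f" || return 1
    grep -q '^interpreter /bin/true$' "$f" || return 1
    # Exactly \x7f E L F 0x01: a longer magic (e.g. a qemu user-mode entry) is
    # a different handler and must not count.
    grep -q '^magic 7f454c4601$' "$f" || return 1
    return 0
}

# Scan a binfmt_misc directory (default: the live one); 0 if any entry
# disables 32-bit ELF execution, 1 otherwise or if binfmt_misc is absent.
ia32_workaround_active() {
    dir="${1:-/proc/sys/fs/binfmt_misc}"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        case "$f" in */register|*/status) continue ;; esac
        [ -f "$f" ] || continue
        entry_disables_ia32 "$f" && return 0
    done
    return 1
}

# Stand-alone use on a host: only x86_64 kernels have the 32-bit
# compatibility layer this hole lives in.
report() {
    if [ "$(uname -m)" != "x86_64" ]; then
        echo "not an x86_64 kernel; the 32-bit compatibility layer is not in play"
    elif ia32_workaround_active; then
        echo "32-bit ELF execution is disabled via binfmt_misc (workaround active)"
    else
        echo "32-bit ELF binaries can still run; a patched kernel is the real fix"
    fi
}
```

The workaround is a stopgap: it is not persistent across reboots unless re-applied, and it breaks every 32-bit program, so the distribution kernel update remains the fix.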
Frank B. Posted September 18, 2010

For research purposes I logged in to a university shell account on a Fedora 13 x64 machine and tried out the exploit. It works.
iwod Posted September 18, 2010

So there goes the theory that Linux hasn't had a vulnerability exploited for x years... (I remember reading it somewhere.)
Growled Posted September 18, 2010

> Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability. The older exploit apparently only needed slight modifications to work with the new hole.

That was real bright. One huge problem with open source is quality control.
Dwarden Posted September 18, 2010

> That was real bright. One huge problem with open source is quality control.

Trust me, you see such mistakes being made in closed source software all the time... Every one of the big software players has had such a problem in the past decade...
undu Posted September 18, 2010

> For research purposes I logged in to a university shell account on a Fedora 13 x64 machine and tried out the exploit. It works.

Doesn't compile here, the constant 'ORIG_RAX' isn't recognized. :(
Subject Delta Posted September 18, 2010

> That was real bright. One huge problem with open source is quality control.

Agreed, it is interesting that the patch was removed and nobody in the FOSS community questioned or noticed it before :/ Also equally scary that the hack isn't that hard to pull off.
ZekeComa Posted September 19, 2010

This exploit is already fixed in my distro. So no need to worry now.
deadite66 Posted September 19, 2010

> Doesn't compile here, the constant 'ORIG_RAX' isn't recognized. :(

Same.

lee@sakura:/storage$ gcc -o a.out robert_you_suck.c
robert_you_suck.c: In function ‘docall’:
robert_you_suck.c:106: warning: cast from pointer to integer of different size
robert_you_suck.c:108: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 2 has type ‘uint64_t’
robert_you_suck.c:110: warning: cast to pointer from integer of different size
robert_you_suck.c:116: warning: cast from pointer to integer of different size
robert_you_suck.c:117: warning: cast from pointer to integer of different size
robert_you_suck.c: In function ‘main’:
robert_you_suck.c:133: warning: integer constant is too large for ‘long’ type
robert_you_suck.c:134: warning: integer constant is too large for ‘long’ type
robert_you_suck.c:135: warning: integer constant is too large for ‘long’ type
robert_you_suck.c:138: warning: cast to pointer from integer of different size
robert_you_suck.c:171: error: ‘ORIG_RAX’ undeclared (first use in this function)
robert_you_suck.c:171: error: (Each undeclared identifier is reported only once
robert_you_suck.c:171: error: for each function it appears in.)
lee@sakura:/storage$ cat /proc/version
Linux version 2.6.32-24-generic (buildd@palmer) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5) ) #42-Ubuntu SMP Fri Aug 20 14:24:04 UTC 2010
Kreuger Posted September 19, 2010

Considering it's been fixed, it's not much of a big deal. As long as they don't remove the fix again, haha. On a side note, why is half the OP written in black? Kinda hard to read on the Midnight theme.
Gutierrez Posted September 19, 2010

Same here... can't compile, 'ORIG_RAX'.
brentaal Posted September 19, 2010

> Considering it's been fixed, it's not much of a big deal. As long as they don't remove the fix again, haha. On a side note, why is half the OP written in black? Kinda hard to read on the Midnight theme.

Sorry, I was using WYSIWYG for a couple of days but ended up turning it off now. Too much trouble with all the formatting that gets copied from articles...
Kreuger Posted September 20, 2010

No biggie. I was just confused that it changed halfway through.
honda Posted September 20, 2010

> For research purposes I logged in to a university shell account on a Fedora 13 x64 machine and tried out the exploit. It works.

Thanks for the demo and screenshot :)