Thursday, October 21, 2010

Found a new vulnerability in the Linux Kernel 2.6.30 and above

On 10/19/2010 Dan Rosenberg of VSR (Virtual Security Research) published a local privilege escalation vulnerability (CVE-2010-3904) in the RDS (Reliable Datagram Sockets) protocol as implemented in the Linux kernel.

Because the kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket calls to write arbitrary values into kernel memory. Concretely, rds_page_copy_user() in net/rds/page.c copied to and from iovec addresses taken straight from the caller's message header using the unchecked __copy_to_user_inatomic()/__copy_from_user_inatomic() variants; the upstream fix replaces them with plain copy_to_user()/copy_from_user(), which perform the access_ok() range check. By leveraging this capability, an unprivileged user can escalate privileges to root.

This vulnerability affects unpatched versions of the Linux kernel starting from 2.6.30, where the RDS protocol was first included. Installations are only vulnerable if the CONFIG_RDS kernel configuration option is set (built in or as a module), and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions: a plain socket(PF_RDS, ...) call is enough to make the kernel autoload the rds module.

Kernel versions affected

As the RDS protocol was included in the kernel for the first time in 2.6.30, every unpatched version from 2.6.30 up to the fix (upstream 2.6.36) with the CONFIG_RDS option set is vulnerable. Distribution kernels backport fixes without changing the base version number, so check your vendor's advisory rather than relying on uname -r alone.

Fixing the problem

The distributions already have kernel updates that you may use.
If you are using Debian, check your "Upgradable Packages" in aptitude, go into the "kernel" section, update all packages in that section and reboot into the new kernel; then you are safe.

You can also patch your kernel by hand with the upstream fix from this commit: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f

You can also prevent the RDS kernel module from loading. As root, do:


echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds.conf

net-pf-21 is the PF_RDS protocol family alias, so this stops the autoload triggered by socket(PF_RDS, ...). Note that current modprobe only reads files in /etc/modprobe.d/ whose names end in .conf; adding a line "install rds /bin/true" to the same file also blocks an explicit "modprobe rds", and if the module is already loaded, remove it with "rmmod rds". None of this helps if RDS is built into the kernel (CONFIG_RDS=y); there only the package update or the patch applies.
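As an added example (not part of the original post, and not VSR's code), here is a small POSIX shell script that ties the affected-population rules above (kernel 2.6.30 or later, CONFIG_RDS built in or as a module, module loadable by an unprivileged socket() call) to the blacklist mitigation. It assumes the usual /boot/config-$(uname -r) and /etc/modprobe.d layout; the config file and output directory are parameters so the functions can be tried on constructed sample files first.

```sh
#!/bin/sh
# Added example, not from the original post or from VSR. Checks whether a
# host is in the affected population for the RDS bug and writes the modprobe
# fragment. Paths are arguments so the functions can be run against sample
# files; the real paths are assumed to be the usual Debian/Ubuntu layout.

# Return 0 when a kernel release string is 2.6.30 or newer, i.e. belongs to
# the era in which the RDS code exists. Version alone does not prove a kernel
# is unpatched: distributions backport fixes without changing the base
# version, so treat 0 as "check further", not as "vulnerable".
kernel_in_rds_era() {
    ver="${1%%-*}"                                  # drop "-2-amd64" etc.
    maj=$(echo "$ver" | cut -d. -f1 | tr -dc '0-9')
    min=$(echo "$ver" | cut -d. -f2 | tr -dc '0-9')
    pat=$(echo "$ver" | cut -d. -f3 | tr -dc '0-9')
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
    if [ "$maj" -gt 2 ]; then return 0; fi
    if [ "$maj" -eq 2 ] && [ "$min" -gt 6 ]; then return 0; fi
    if [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "$pat" -ge 30 ]; then return 0; fi
    return 1
}

# Print "y", "m" or "n" for the CONFIG_RDS state in the kernel config file $1.
# "y" (built in) cannot be blocked with modprobe; only the update/patch helps.
rds_config_state() {
    state=$(sed -n 's/^CONFIG_RDS=\([ym]\)$/\1/p' "$1")
    printf '%s\n' "${state:-n}"
}

# Write the modprobe fragment into directory $1 (normally /etc/modprobe.d)
# and print its path. net-pf-21 is PF_RDS, the alias the kernel resolves when
# socket(PF_RDS, ...) is called and the module is not loaded yet, so
# "alias net-pf-21 off" stops that autoload; "install rds /bin/true" also
# defeats an explicit "modprobe rds". The name must end in .conf or current
# modprobe ignores the file.
write_rds_blacklist() {
    out="$1/disable-rds.conf"
    printf '%s\n' 'alias net-pf-21 off' 'install rds /bin/true' > "$out"
    printf '%s\n' "$out"
}

# Report on the running host. Only runs when invoked as "script check".
check_running_host() {
    rel=$(uname -r)
    cfg="/boot/config-$rel"
    if ! kernel_in_rds_era "$rel"; then
        echo "kernel $rel predates RDS (2.6.30): not affected"
        return 0
    fi
    if [ -r "$cfg" ]; then
        echo "CONFIG_RDS in $cfg: $(rds_config_state "$cfg")"
    fi
    if lsmod 2>/dev/null | grep -q '^rds '; then
        echo "rds module is loaded now (rmmod rds after blacklisting)"
    elif modinfo rds >/dev/null 2>&1; then
        echo "rds module is available and can be autoloaded by socket(PF_RDS, ...)"
    fi
    echo "apply the distribution kernel update, or run: $0 blacklist"
}

# Offline demonstration on a constructed sample config (not a real host).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'CONFIG_RDS=m' 'CONFIG_RDS_TCP=m' > "$tmp/config"
    echo "sample kernel 2.6.32-5-amd64 in RDS era: $(kernel_in_rds_era 2.6.32-5-amd64 && echo yes || echo no)"
    echo "sample CONFIG_RDS state: $(rds_config_state "$tmp/config")"
    echo "fragment written to: $(write_rds_blacklist "$tmp")"
    cat "$tmp/disable-rds.conf"
    rm -rf "$tmp"
}

case "${1:-}" in
    check)     check_running_host ;;
    blacklist) write_rds_blacklist /etc/modprobe.d ;;
    demo)      demo ;;
esac
```

Run "sh rds-check.sh check" to see where the host stands, "sh rds-check.sh demo" to exercise the functions on the constructed sample, and "sh rds-check.sh blacklist" as root to write the fragment, then "rmmod rds" if the module is already loaded. The version test is deliberately only a first filter: a kernel reporting 2.6.32 may already carry the backported fix, and a kernel with CONFIG_RDS=y cannot be protected by modprobe at all.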

A working exploit is already public; you can find it on the VSR site linked in the reference below.

Reference

http://www.vsecurity.com/resources/advisory/20101019-1/
