Local root exploit in kernels 2.6.17 to 2.6.24.1

There is a new local root exploit found in Linux kernels 2.6.17 to 2.6.24.1. Here’s a proof-of-concept, which basically works as a “passwordless su”.

I have tested the exploit on a few systems I manage, and it just plain works on a number of them. The distros I have around that are vulnerable are:

  • Fedora 8
  • CentOS 5/5.1 (and therefore presumably RHEL as well)
  • Debian Etch
  • Ubuntu 7.10

On one oddball Debian Etch system the exploit segfaulted, but to me that doesn’t rule out that the hole is still there. On older boxes (tested on a couple of Debian Sarge systems), the kernel is too old to have the vulnerable vmsplice feature.

The hole is patched in 2.6.24.2, but compiling and installing that on a production system really isn’t a viable alternative.
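A quick way to triage a fleet against the version range the post names is to compare `uname -r` against 2.6.17 (first kernel with vmsplice) and 2.6.24.2 (the upstream fix). The script below is an added example, not part of the original post: it does a field-by-field numeric version comparison in plain POSIX sh and classifies a kernel string as `too-old`, `in-range` or `fixed`. The sample version strings in the loop are constructed to mimic the distros listed above and are assumptions, not values from the post. Keep in mind the caveat the post itself illustrates with the Fedora update: vendor kernels backport fixes, so a version inside the range (Fedora’s 2.6.23.15 being the example) may already be patched. Treat `in-range` as “check the vendor advisory”, not as proof of exposure.

```shell
#!/bin/sh
# Added example (not from the original post): classify a kernel release
# string against the vmsplice-affected range 2.6.17 .. 2.6.24.1.
# The upstream fix is in 2.6.24.2; kernels before 2.6.17 have no vmsplice.

# Compare two dotted versions numerically, field by field.
# Prints -1, 0 or 1 for a<b, a==b, a>b. A "-suffix" (e.g. "-fc8",
# "-686", "-rc8") is dropped, non-digit trailers in a field are ignored,
# and missing fields count as 0 (so 2.6.24 == 2.6.24.0).
vercmp() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Classify a uname -r string:
#   too-old  : before 2.6.17, vmsplice not present
#   in-range : 2.6.17 .. 2.6.24.1 by version number; vendor backports
#              (e.g. Fedora's patched 2.6.23.15) still land here, so
#              confirm against the distro advisory before concluding
#   fixed    : 2.6.24.2 or later
classify_kernel() {
    v=$1
    if [ "$(vercmp "$v" 2.6.17)" -lt 0 ]; then
        echo too-old
    elif [ "$(vercmp "$v" 2.6.24.2)" -lt 0 ]; then
        echo in-range
    else
        echo fixed
    fi
}

# Constructed sample inputs (assumed version strings, not from the post).
for k in 2.6.8-3-686 2.6.18-6-686 2.6.22.14-72.fc6 2.6.23.15-137.fc8 2.6.24.2; do
    printf '%-22s %s\n' "$k" "$(classify_kernel "$k")"
done

# The running kernel on this host.
printf '%-22s %s\n' "$(uname -r)" "$(classify_kernel "$(uname -r)")"
```

Because every field is compared numerically rather than as a string, 2.6.9 correctly sorts below 2.6.17, which a naive string comparison gets wrong.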

I’d hate for this to turn into a flamewar on Linux security, or how dangerous a local root exploit really is. It’s there, it’s not the end of the world in any way, but it very much needs fixing. I am really interested in hearing if anyone has seen patched kernels for the main distros, or when they show up. Most of the vulnerable systems I have don’t have any users on them (other than people who have root access “the normal way”), but I currently have a couple of machines locked down (sshd stopped or normal users disabled). Both of those are Debian Etch, and those guys generally are quite snappy in providing security updates.

Edit: There is some kind of “temp fix” available here, which simply disables the vmsplice function call on a running kernel. Haven’t tried it yet, and it apparently mainly crashes the system entirely.

Edit #2: Just received an auto-update from Fedora:

ID  FEDORA-2008-1423
Type  security
Status  stable
Issued  2008-02-11 20:30:09.696513
Bugs  429364 429412 426574 390531 427641 432229 427518 233255 430663 426480 431360
Description  Update to Linux kernel 2.6.23.15:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.15

Fix vmsplice local root vulnerability:
CVE-2008-0009: Fixed by update to 2.6.23.15.
CVE-2008-0010: Fixed by update to 2.6.23.15.
CVE-2008-0600: Extra fix from upstream applied.

Fix memory leak in netlabel code.
Work around broken Seagate LBA48 disks. (#429364)
Fix futex oops on uniprocessor machine. (#429412)
Add support for new Macbook touchpads. (#426574)
Fix the initio driver broken in 2.6.23. (#390531)
Fix segfaults from using vdso=2. (#427641)
FireWire updates, fixing multiple problems. (#429598)
ACPI: fix multiple problems with brightness controls (#427518)
Fix Megahertz PCMCIA Ethernet adapter (#233255)
Fix oops in netfilter. (#430663)
ACPI: fix early init of EC (#426480)
ALSA: fix audio on some systems with STAC codec (#431360)
Atheros L2 fast Ethernet driver (atl2) for ASUS Eeepc.
ASUS Eeepc ACPI hotkey driver.
Wireless driver updates from upstream.

© 2008 twinturbo.org. All Rights Reserved.