[BLUG] major exploit in 2.4 and 2.6 linux kernel

[Barry Schatz]

There was a flaw discovered in the kernel that's been there since 2001
that can be used for privilege escalation. If you have support for one
of several less-common network protocols, a malicious user with local
access can become root very easily.

It has to do with how the kernel allocates network sockets and sets up
protocol listeners on those sockets. There are some functions that are
implemented for some protocols but not others, and when the function is
not implemented, it's supposed to raise a "Not Implemented" exception.
Instead, it references a null pointer. Vulnerable kernels have support
for Appletalk, IPX, bluetooth, pppoe, irda, isdn, and a few others.

>From Linus's commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

    kernel_sendpage() does the proper default case handling for when the
    socket doesn't have a native sendpage implementation.

    Now, arguably this might be something that we could instead solve by
    just specifying that all protocols should do it themselves at the
    protocol level, but we really only care about the common protocols.
    Does anybody really care about sendpage on something like Appletalk?
    Not likely.

Even better is RedHat's mitigation advice:
https://bugzilla.redhat.com/show_bug.cgi?id=516949#c10

Best of all is this post I saw on PlanetDebian:
http://blog.bofh.it/debian/id_294 which reads:

  cd /lib/modules/$(uname -r)/kernel/ && \
    rm net/ipx/ipx.ko net/irda/irda.ko net/x25/x25.ko \
    net/ax25/ax25.ko net/bluetooth/bluetooth.ko \
    net/sctp/sctp.ko drivers/net/pppoe.ko drivers/net/pppox.ko

Basically, if you use bluetooth or some obscure networking protocol in
your kernel and someone else has local access, you might be vulnerable.
If you remove the modules for those vulnerable protocols, you're fine.

-Barry