[BLUG] major exploit in 2.4 and 2.6 linux kernel
sorbetninja at gmail.com
Fri Aug 21 13:34:25 EDT 2009
There was a flaw discovered in the kernel that's been there since 2001
that can be used for privilege escalation. If you have support for one
of several less-common network protocols, a malicious user with local
access can become root very easily.
It has to do with how the kernel allocates network sockets and sets up
protocol listeners on those sockets. There are some functions that are
implemented for some protocols but not others, and when the function is
not implemented, it's supposed to raise a "Not Implemented" exception.
Instead, it references a null pointer. Vulnerable kernels have support
for Appletalk, IPX, bluetooth, pppoe, irda, isdn, and a few others.
>From Linus's commit:
kernel_sendpage() does the proper default case handling for when the
socket doesn't have a native sendpage implementation.
Now, arguably this might be something that we could instead solve by
just specifying that all protocols should do it themselves at the
protocol level, but we really only care about the common protocols.
Does anybody really care about sendpage on something like Appletalk?
Even better is RedHat's mitigation advice:
Best of all is this post I saw on PlanetDebian:
http://blog.bofh.it/debian/id_294 which reads:
cd /lib/modules/$(uname -r)/kernel/ && \
rm net/ipx/ipx.ko net/irda/irda.ko net/x25/x25.ko \
net/ax25/ax25.ko net/bluetooth/bluetooth.ko \
net/sctp/sctp.ko drivers/net/pppoe.ko drivers/net/pppox.ko
Basically, if you use bluetooth or some obscure networking protocol in
your kernel and someone else has local access, you might be vulnerable.
If you remove the modules for those vulnerable protocols, you're fine.
More information about the BLUG