Full Disclosure mailing list archives
Re: Linux kernel exploit
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Wed, 8 Dec 2010 09:26:53 -0500
If you've applied all your Ubuntu updates, the exploit is not going to work. I decided to take a more responsible approach to exploit publishing with this release. Rather than publish a fully weaponized exploit that could be used by script kiddies everywhere to compromise innocent users' machines, I published a limited version that proves the exploitability of the issue without putting too many people at unnecessary risk. As I said, the exploit could be easily adapted to work on any current distribution, since fixes for CVE-2010-4258 are not available yet. Please read the exploit text before you run it next time. ;) Quote: * In the interest of public safety, this exploit was specifically designed to * be limited: * * * The particular symbols I resolve are not exported on Slackware or Debian * * Red Hat does not support Econet by default * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and * Debian * * However, the important issue, CVE-2010-4258, affects everyone, and it would * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly * more sophisticated version of this that doesn't have the roadblocks I put in * to prevent abuse by script kiddies. * * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64. * -Dan On Tue, Dec 7, 2010 at 4:40 PM, Thomas SOETE <thomas () soete org> wrote:
Failed on Ubuntu 10.10 (2.6.35-23-generic) toms@bifrost:/tmp$ uname -a Linux bifrost 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24 11:55:36 UTC 2010 x86_64 GNU/Linux toms@bifrost:/tmp$ ./a.out [*] Resolving kernel addresses... [+] Resolved econet_ioctl to 0xffffffffa03d9610 [+] Resolved econet_ops to 0xffffffffa03d9720 [+] Resolved commit_creds to 0xffffffff810863c0 [+] Resolved prepare_kernel_cred to 0xffffffff81086890 [*] Calculating target... [*] Triggering payload... [*] Exploit failed to get root. 2010/12/7 coderman <coderman () gmail com>:On Tue, Dec 7, 2010 at 12:25 PM, Dan Rosenberg <dan.j.rosenberg () gmail com> wrote:... I've included here a proof-of-concept local privilege escalation exploit... * This exploit leverages three vulnerabilities to get root, all of which were * discovered by Nelson Elhage: ... * However, the important issue, CVE-2010-4258, affects everyone, and it would * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly * more sophisticated version of this...nice :) clearly demonstrates why risk is complicated and seemingly minor defects (worth delaying patches for weeks/months? ;) can combine into truly ugly vulnerabilities... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Linux kernel exploit, (continued)
- Re: Linux kernel exploit Benji (Dec 08)
- Re: Linux kernel exploit David Flores (Dec 08)
- Re: Linux kernel exploit Rem7ter (Dec 08)
- Re: Linux kernel exploit Vadim Grinco (Dec 09)
- Re: Linux kernel exploit Jean Pierre Dentone (Dec 09)
- Re: Linux kernel exploit Urlan (Dec 10)
- Re: Linux kernel exploit Rem7ter (Dec 07)
- Re: Linux kernel exploit mezgani ali (Dec 08)
- Re: Linux kernel exploit Thomas SOETE (Dec 08)
- Re: Linux kernel exploit Dan Rosenberg (Dec 08)
- Re: Linux kernel exploit nix (Dec 08)
- Re: Linux kernel exploit Marcus Meissner (Dec 08)
- Re: Linux kernel exploit niklas | brueckenschlaeger (Dec 08)
- Re: Linux kernel exploit R0me0 *** (Dec 13)
- Re: Linux kernel exploit Benji (Dec 13)