LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  02-11-2008, 04:52 AM
jayjwa | Member | Registered: Jul 2003 | Location: NY | Distribution: None (src & compile) | Posts: 253 | Rep: 36
CVE-2008-0009/0010/0600 (Linux Privilege Escalation Vulnerabilities)


2.6.24.1 (as of this date, 2008-02-08 15:25, patch-2.6.24.1.bz2) may not fully close this hole. The post before this is from Feb. 08. This is dated Feb. 10.

Code:
From: Bastian Blank <bastian@waldi.eu.org>
Date: Sun, 10 Feb 2008 14:47:57 +0000 (+0200)
Subject: splice: fix user pointer access in get_iovec_page_array()
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=712a30e63c8066ed84385b12edbfb804f49cbc44

splice: fix user pointer access in get_iovec_page_array()

Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user pointer access verification") added the proper access_ok() calls to copy_from_user_mmap_sem() which ensures we can copy the struct iovecs from userspace to the kernel.

But we also must check whether we can access the actual memory region pointed to by the struct iovec to fix the access checks properly.

Signed-off-by: Bastian Blank <waldi@debian.org>
Acked-by: Oliver Pinter <oliver.pntr@gmail.com>
Cc: Jens Axboe <jens.axboe@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---

diff --git a/fs/splice.c b/fs/splice.c
index 14e2262..9b559ee 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
 		if (unlikely(!len))
 			break;
 		error = -EFAULT;
-		if (unlikely(!base))
+		if (!access_ok(VERIFY_READ, base, len))
 			break;
 
 		/*
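Review bot: the replacement test in this hunk drops the branch hint the surrounding code uses; two lines above, the loop tests `if (unlikely(!len))`, so for consistency the new line could read `if (unlikely(!access_ok(VERIFY_READ, base, len)))`. On substance the change is the right scope: the old `if (unlikely(!base))` only rejected a NULL pointer and let any other address through, whereas `access_ok(VERIFY_READ, base, len)` checks that the whole `[base, base + len)` range lies in the user part of the address space, and because `error = -EFAULT` is assigned just before the check, the `break` surfaces EFAULT to the caller as intended. One point for the commit message: access_ok() only validates the address range, not that the memory is actually mapped or readable; that still has to be handled when the pages are looked up, which is past the end of the context shown here.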
That's the info I found; if someone knows more or better, please post. See the discussion:

http://marc.info/?l=linux-kernel&m=120262352612128&w=2 (Threading breaks, probably from posting with a bad email client)

http://lkml.org/lkml/2008/2/10/8 (Proper threading of articles)
 
#2  02-13-2008, 06:12 PM
win32sux | Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Rep: 371
jayjwa, I've moved your post to a new thread. I think that with the amount of talk this vulnerability has generated on the blogosphere it merits an area for LQ members to discuss it if they wish. It's a pretty serious vulnerability, and AFAICT a huge number of distros had (or have) vulnerable kernels.

Last edited by win32sux; 02-13-2008 at 07:23 PM.
 
#3  02-13-2008, 09:03 PM
carboncopy | Senior Member | Registered: Jan 2003 | Location: Malaysia | Distribution: Fedora Core, Slackware, Mac OS X, Debian, OpenSUSE | Posts: 1,210 | Blog Entries: 4 | Rep: 45
What is the short term measure one can employ before the patch is officially out?
 
#4  02-13-2008, 09:06 PM
win32sux | Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Rep: 371
Quote:
Originally Posted by carboncopy View Post
What is the short term measure one can employ before the patch is officially out?
The patches have been out for a couple days - 2.6.24.1 fixed CVE-2008-0009 and CVE-2008-0010, while 2.6.24.2 fixed CVE-2008-0600. I can also confirm that at least Debian, Ubuntu, and Slackware (the distros which I am familiar with) have released updated kernel packages with the fixes backported.

Last edited by win32sux; 02-15-2008 at 09:41 PM. Reason: Specified kernel versions.
 
#5  02-15-2008, 08:47 PM
dv502 | Member | Registered: Sep 2006 | Location: USA - NYC | Distribution: Whatever icon you see! | Posts: 642 | Rep: 57
Kernel security exploit discovered

In case you missed it or were unaware, gentoo discovered a kernel security exploit. This affects all distros using these versions of kernels.

Read more from www.gentoo.org
 
#6  02-15-2008, 09:02 PM
win32sux | Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Rep: 371
Quote:
Originally Posted by dv502 View Post
In case you missed it or were unaware, gentoo discovered a kernel security exploit. This affects all distros using these versions of kernels.

Read more from www.gentoo.org
Are you referring to CVE-2008-0009/0010/0600?

EDIT: Well, I think it's a pretty safe bet that you are, so I'm merging this.

Last edited by win32sux; 02-15-2008 at 09:14 PM.
 
#7  02-15-2008, 09:25 PM
dv502 | Member | Registered: Sep 2006 | Location: USA - NYC | Distribution: Whatever icon you see! | Posts: 642 | Rep: 57
Quote:
Originally Posted by win32sux View Post
Are you referring to CVE-2008-0009/0010/0600?

EDIT: Well, I think it's a pretty safe bet that you are, so I'm merging this.
The article from gentoo said it has been assigned to CVE-2008-0009 and CVE-2008-0010. I don't know what that means. The only thing I understood from that article is that kernels up to 2.6.23 were vulnerable.
 
#8  02-15-2008, 09:25 PM
win32sux | Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Rep: 371
The Gentoo site does provide a nice summary of the whole deal.

I'll quote it here for the benefit of anyone who might have been confused:
Quote:
Two major security flaws in the Linux kernel were reported last weekend. Both flaws have the same impact (root access for local users) and both exist within the vmsplice() system call, which was added to the kernel in 2.6.17. There is no configuration option to exclude vmsplice() so everyone is vulnerable.

One of the security issues existed for the entire lifetime of vmsplice(), so any kernel version from 2.6.17 onwards is vulnerable. This was fixed in 2.6.24.2, 2.6.23.16 and 2.6.22.18. It has been assigned the vulnerability identifier of CVE-2008-0600.

The other security issue first appeared in 2.6.23. It was fixed in 2.6.23.15 and 2.6.24.1. This vulnerability has been assigned CVE-2008-0009 and CVE-2008-0010.
I've edited the thread title to make it a little clearer that this thread can be used to discuss any of those three CVEs.

Thanks for posting the Gentoo link.

Last edited by win32sux; 02-15-2008 at 09:26 PM.
 
#9  02-15-2008, 09:30 PM
win32sux | Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Rep: 371
Quote:
Originally Posted by dv502 View Post
The article from gentoo said it has been assigned to CVE-2008-0009 and CVE-2008-0010. I don't know what that means.
Click here to find out.

Quote:
The only thing I understood from that article is that kernels up to 2.6.23 were vulnerable.
You might want to re-read it.
 
#10  02-18-2008, 09:02 PM
carboncopy | Senior Member | Registered: Jan 2003 | Location: Malaysia | Distribution: Fedora Core, Slackware, Mac OS X, Debian, OpenSUSE | Posts: 1,210 | Blog Entries: 4 | Rep: 45
I need to double confirm I have actually patched my system.

uname -a on Debian machine gives me
Linux overhyped 2.6.18-xen #1 SMP Tue Feb 12 06:40:50 UTC 2008 x86_64 GNU/Linux

Is it patched? Thanks for helping me verify.
 
#11  02-19-2008, 04:21 PM
win32sux | Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Rep: 371
Quote:
Originally Posted by carboncopy View Post
I need to double confirm I have actually patched my system.

uname -a on Debian machine gives me
Linux overhyped 2.6.18-xen #1 SMP Tue Feb 12 06:40:50 UTC 2008 x86_64 GNU/Linux

Is it patched? Thanks for helping me verify.
You should compare your package version(s) with those in the relevant DSA.
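The version check carboncopy is asking for, worked through as an added example (my code, not anything posted in this thread). It classifies a `uname -r` string against the upstream stable releases that the Gentoo summary quoted in post #8 lists as fixed, and it flags suffixed releases such as the `2.6.18-xen` above, where the version string proves nothing because distro kernels backport fixes under an unchanged upstream version; for those, win32sux's advice to compare package versions against the DSA is the only reliable check. The version boundaries are taken from the quoted summary; treating 2.6.25 and later as fixed is my own assumption, based on both fixes having reached mainline before that release.

```shell
#!/bin/sh
# Added example, not from the thread: classify a vanilla kernel release string
# against the upstream stable releases the quoted Gentoo summary lists as fixed.
#   CVE-2008-0600      : affected from 2.6.17; fixed in 2.6.22.18, 2.6.23.16, 2.6.24.2
#   CVE-2008-0009/0010 : affected from 2.6.23; fixed in 2.6.23.15, 2.6.24.1
# Assumption: 2.6.25 and later include both fixes (they reached mainline before
# that release). Distribution kernels carry backported fixes under an unchanged
# upstream version, so a suffixed release such as "2.6.18-xen" gets an explicit
# warning: for those, compare the installed package version with the distro advisory.

# vmsplice_status RELEASE   (RELEASE as printed by `uname -r`)
# Prints one verdict line; exit status is 0 only when neither issue is open,
# 2 when the release is outside the 2.6 series covered by these advisories.
vmsplice_status() {
    rel=$1
    # Keep only the leading dotted numeric part: "2.6.18-xen" -> "2.6.18"
    num=$(printf '%s' "$rel" | sed 's/[^0-9.].*//')
    IFS=. read -r major minor patch sub _rest <<EOF
$num
EOF
    patch=${patch:-0}; sub=${sub:-0}

    if [ "${major:-0}" != 2 ] || [ "${minor:-0}" != 6 ]; then
        echo "unknown: '$rel' is not a 2.6 kernel, outside the scope of these advisories"
        return 2
    fi

    # CVE-2008-0600: present since vmsplice() was added in 2.6.17
    if [ "$patch" -lt 17 ]; then
        s0600=not-affected
    elif [ "$patch" -ge 25 ] \
      || { [ "$patch" -eq 24 ] && [ "$sub" -ge 2 ]; } \
      || { [ "$patch" -eq 23 ] && [ "$sub" -ge 16 ]; } \
      || { [ "$patch" -eq 22 ] && [ "$sub" -ge 18 ]; }; then
        s0600=fixed
    else
        s0600=vulnerable
    fi

    # CVE-2008-0009/0010: introduced in 2.6.23
    if [ "$patch" -lt 23 ]; then
        s0009=not-affected
    elif [ "$patch" -ge 25 ] \
      || { [ "$patch" -eq 24 ] && [ "$sub" -ge 1 ]; } \
      || { [ "$patch" -eq 23 ] && [ "$sub" -ge 15 ]; }; then
        s0009=fixed
    else
        s0009=vulnerable
    fi

    verdict="CVE-2008-0600:$s0600 CVE-2008-0009/0010:$s0009"
    case $rel in
        *[!0-9.]*)
            verdict="$verdict (suffixed release '$rel': distro kernels backport fixes under an unchanged upstream version, so confirm against the distribution advisory)" ;;
    esac
    echo "$verdict"
    [ "$s0600" != vulnerable ] && [ "$s0009" != vulnerable ]
}

# Stand-alone use: classify the running kernel (the exit status is ignored here).
vmsplice_status "$(uname -r)" || :
```

Run it as `sh vmsplice_status.sh`, or source it and call `vmsplice_status 2.6.24.1`, which reports CVE-2008-0009/0010 fixed but CVE-2008-0600 still open, matching jayjwa's note in the first post that 2.6.24.1 did not fully close the hole.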
 
#12  02-21-2008, 06:21 AM
jayjwa | Member | Registered: Jul 2003 | Location: NY | Distribution: None (src & compile) | Posts: 253 | Original Poster | Rep: 36
Just to update on this, there is now malware appearing on various security forums using these issues.

Quote:
This program uses the vmsplice bug to install some
basic backdoors.

Credits:
vmsplice exploit coded originally by qaaz

Actions:
- disable INPUT rules on firewall
- open the 1407 port to execute remote commands
- open a bash session on 14071 port using the inetd daemon
- mail the shadow file to a mail account

Vulnerable systems: Linux 2.6.17 - 2.6.24.1
Hope everyone is patched by now.
 
#13  02-21-2008, 06:40 AM
win32sux | Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Rep: 371
Quote:
Originally Posted by jayjwa View Post
there is now malware appearing on various security forums using these issues.
Thanks for the heads-up.

If you could provide some links to the security news site(s) where you heard this it would be great.
 
#14  02-21-2008, 06:41 AM
unixfool | Member | Registered: May 2005 | Location: Northern VA | Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X | Posts: 781 | Blog Entries: 8 | Rep: 157
Quote:
Originally Posted by jayjwa View Post
Just to update on this, there is now malware appearing on various security forums using these issues.


Hope everyone is patched by now.
I'm confused... are you saying that there are documented attacks based on this exploit? Or are you saying that some security sites now have exploit code? If it's the latter, from what I understand, there was exploit code out there approximately 2 weeks ago (proof-of-concept code)... people on some channels of freenode were using the exploit code to validate whether their patching was successful.

Last edited by unixfool; 02-21-2008 at 08:44 AM.
 
#15  02-21-2008, 06:50 AM
win32sux | Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870 | Rep: 371
Quote:
Originally Posted by unixfool View Post
I'm confused... are you saying that there are documented attacks based on this exploit? Or are you saying that some security sites now have exploit code? If it's the latter, from what I understand, there was exploit code out there approximately 2 weeks ago... people on some channels of freenode were using the exploit code to validate whether their patching was successful.
Yes, indeed. The initial impression I got from his post was that there was now some sort of attack based on this vulnerability carrying out the actions he listed. But these actions could simply be part of one of the demo exploits which started floating around a couple weeks ago (before the patches were released). Some clarification by jayjwa would be nice.

Last edited by win32sux; 02-21-2008 at 07:07 AM.
 