[Slackware security] vulnerabilities outstanding 20140101

volkerdi · 01-20-2016, 09:43 PM

Quote:

Originally Posted by volkerdi

Tried it here on x86_64 -current (twice), and here's what I get:

Code:

bash-4.3$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
bash-4.3$ ./cve_2016_0728 PP_KEY
uid=3321, euid=3321
Increfing...
finished increfing
forking...
finished forking
caling revoke...
uid=3321, euid=3321
sh-4.3$

I'll be testing 32-bit and 14.1 as well. Earlier versions than 14.1 won't be vulnerable.

The exploit did not work here on -current or 14.1, 64-bit or 32-bit. Earlier versions lack the supposedly vulnerable code.

If anyone has different findings, let me know.

elcore · 01-21-2016, 12:41 AM

I'm not sure if the concept is the real thing, but there is a kernel patch for this exploit on git, I have seen it yesterday.
Just posted because the source web page noted all kernels > 3.8 were affected, I did not test the code that was made public by the author.
Seems that debian and some other distros were patched for it recently, and I've seen comments saying grsec prevents this from happening.
Thank you for testing this, much appreciated.

Darth Vader · 01-21-2016, 03:36 AM

The official Slackware Forum being easily spammed by some (Korean?) junkies can be considered a security vulnerability too, sine-die?

glorsplitz · 01-21-2016, 06:25 AM

Wow this is interesting how well they've spammed this forum, I thought my browsers were screwed up.

mats_b_tegner · 01-21-2016, 06:30 AM

Not just this forum, Linux-Newbie and Linux-Security contains spam posts as well.

Darth Vader · 01-21-2016, 06:39 AM

North Korea hacked us?

I thought that they are Linux friendly, after all, considering that it is their National Operating System...

czezz · 01-21-2016, 09:50 AM

Quote:

I'll be testing 32-bit and 14.1 as well. Earlier versions than 14.1 won't be vulnerable.
The exploit did not work here on -current or 14.1, 64-bit or 32-bit. Earlier versions lack the supposedly vulnerable code.

If anyone has different findings, let me know.

I do have this same result for 14.1 (x64) and additionally did test on my compiled kernel 3.14.28.
Also did not work.
I took exploit source from here: https://gist.github.com/PerceptionPo...6d1c0f8531ff8f

Code:

$ uname -a
Linux slackcrypt 3.14.28 #2 SMP Fri Jan 9 16:20:06 CET 2015 x86_64 Intel(R) Core(TM) i5-4310U CPU @ 2.00GHz GenuineIntel GNU/Linux
$ id
uid=1001(test) gid=100(users) groups=100(users)
$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
$ ./cve_2016_0728 PP_KEY
uid=1001, euid=1001
Increfing...
finished increfing
forking...
finished forking
caling revoke...
uid=1001, euid=1001

blancamolinos · 01-21-2016, 03:14 PM

However here is a kernel patch:

https://git.kernel.org/cgit/linux/ke...ccdd9800a540f2

I have run the example in Slackware 14.1 64 bits with kernel 3.10.17 (serie) and 3.10.90 (compiled by me) and according to the example both kernels are malfunctioning.

volkerdi · 01-21-2016, 03:28 PM

Quote:

Originally Posted by blancamolinos

However here is a kernel patch:

https://git.kernel.org/cgit/linux/ke...ccdd9800a540f2

I have run the example in Slackware 14.1 64 bits with kernel 3.10.17 (serie) and 3.10.90 (compiled by me) and according to the example both kernels are malfunctioning.

Yes, the leak.c example shows a problem here as well, but the exploit does not succeed in gaining elevated privileges. Have you tested that?

blancamolinos · 01-21-2016, 03:42 PM

Right now I'm doing it, boss.

blancamolinos · 01-21-2016, 04:34 PM

With Slackware 14.1 64 bits and kernel 3.10.90 the exploit does not succeed in gaining root privileges.

blancamolinos · 01-21-2016, 05:37 PM

Same result with Slackware 14.1 64 bits and kernel 3.10.17: the exploit does not work.

blancamolinos · 01-23-2016, 11:02 AM

Hello, there is a new kernel, v3.10.95 with the patch that reference CVE-2016-0728. There is also other changes related to keyring.

Here is the kernel v3.10.95 ChangeLog:

https://cdn.kernel.org/pub/linux/ker...ngeLog-3.10.95

Manuel

mats_b_tegner · 01-26-2016, 06:49 AM

PHP 5.6.17 and 5.5.39 are out which fixes CVE-2016-1903.

elcore · 01-26-2016, 12:35 PM

Firefox 38.6.0 ESR released.
source