Wheezy is vulnerable to CVE-2013-2094
Hi. Was just alerted of a kernel bug in RHEL [1], but when testing the sample code on Wheezy as an unprivileged user it successfully gives me a root prompt. Kind of suboptimal. :-( Any idea when this is fixed?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
Re: Wheezy is vulnerable to CVE-2013-2094
On 14 May 2013 18:36, John Andreasson andreassonj...@gmail.com wrote:
> Hi. Was just alerted of a kernel bug in RHEL [1], but when testing the sample code on Wheezy as an unprivileged user it successfully gives me a root prompt. Kind of suboptimal. :-( Any idea when this is fixed?
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792

Hi John,

I'm unable to replicate this 'issue' on my up to date Wheezy laptop.

gavin@caelyn:~$ uname -a
Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux

When I run the compiled binary of this exploit as my unprivileged user I get the following error:-

gavin@caelyn:~$ ./getroot
2.6.37-3.x x86_64
sd@f***sheep.org 2010
getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024, needle, 8)' failed.
Aborted

What kernel are you able to replicate this bug with?
Re: Wheezy is vulnerable to CVE-2013-2094
On Tue, May 14, 2013 at 09:36:12AM -0700, John Andreasson wrote:
> Hi. Was just alerted of a kernel bug in RHEL [1], but when testing the sample code on Wheezy as an unprivileged user it successfully gives me a root prompt. Kind of suboptimal. :-( Any idea when this is fixed?

We're investigating it now and will provide a fix ASAP.

-dann

> [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
Re: Wheezy is vulnerable to CVE-2013-2094
On Tuesday, May 14, 2013, Gavin wrote:
> On 14 May 2013 18:36, John Andreasson andreassonj...@gmail.com wrote:
> > Hi. Was just alerted of a kernel bug in RHEL [1], but when testing the sample code on Wheezy as an unprivileged user it successfully gives me a root prompt. Kind of suboptimal. :-( Any idea when this is fixed?
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
>
> Hi John,
>
> I'm unable to replicate this 'issue' on my up to date Wheezy laptop.
>
> gavin@caelyn:~$ uname -a
> Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux
>
> When I run the compiled binary of this exploit as my unprivileged user I get the following error:-
>
> gavin@caelyn:~$ ./getroot
> 2.6.37-3.x x86_64
> sd@f***sheep.org 2010
> getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024, needle, 8)' failed.
> Aborted
>
> What kernel are you able to replicate this bug with?

Hi. I'm on the same kernel version/arch. Did you compile with -O2? I had to compile with that flag for it to work.
Re: Wheezy is vulnerable to CVE-2013-2094
Gavin netmatt...@gmail.com writes:
> On 14 May 2013 18:36, John Andreasson andreassonj...@gmail.com wrote:
> > Was just alerted of a kernel bug in RHEL [1], but when testing the sample code on Wheezy as an unprivileged user it successfully gives me a root prompt. Kind of suboptimal. :-( Any idea when this is fixed?
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
>
> Hi John,
>
> I'm unable to replicate this 'issue' on my up to date Wheezy laptop.
>
> gavin@caelyn:~$ uname -a
> Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux
>
> When I run the compiled binary of this exploit as my unprivileged user I get the following error:-
>
> gavin@caelyn:~$ ./getroot
> 2.6.37-3.x x86_64
> sd@f***sheep.org 2010
> getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024, needle, 8)' failed.
> Aborted
>
> What kernel are you able to replicate this bug with?

At first I thought the same thing, however compile with -O2:

$ gcc -O2 semtex.c
./a.out
2.6.37-3.x x86_64
s...@fucksheep.org 2010
root@xo-laptop:/tmp# uname -a
Linux xo-laptop 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux

-- 
Gerald Turner  Email: gtur...@unzane.com  JID: gtur...@unzane.com
GPG: 0xFA8CD6D5  21D9 B2E8 7FE7 F19E 5F7D 4D0C 3FA0 810F FA8C D6D5
Re: Wheezy is vulnerable to CVE-2013-2094
On 14 May 2013 19:41, Gerald Turner gtur...@unzane.com wrote:
> Gavin netmatt...@gmail.com writes:
> > On 14 May 2013 18:36, John Andreasson andreassonj...@gmail.com wrote:
> > > Was just alerted of a kernel bug in RHEL [1], but when testing the sample code on Wheezy as an unprivileged user it successfully gives me a root prompt. Kind of suboptimal. :-( Any idea when this is fixed?
> > >
> > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
> >
> > Hi John,
> >
> > I'm unable to replicate this 'issue' on my up to date Wheezy laptop.
> >
> > gavin@caelyn:~$ uname -a
> > Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux
> >
> > When I run the compiled binary of this exploit as my unprivileged user I get the following error:-
> >
> > gavin@caelyn:~$ ./getroot
> > 2.6.37-3.x x86_64
> > sd@f***sheep.org 2010
> > getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024, needle, 8)' failed.
> > Aborted
> >
> > What kernel are you able to replicate this bug with?
>
> At first I thought the same thing, however compile with -O2:
>
> $ gcc -O2 semtex.c
> ./a.out
> 2.6.37-3.x x86_64
> s...@fucksheep.org 2010
> root@xo-laptop:/tmp# uname -a
> Linux xo-laptop 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux

Ok, if I compile with the -O2 then I don't get a root shell, however my kernel panics with:-

BUG: unable to handle kernel paging request at x.

Still not ideal. Thanks for the heads-up!
Re: [SECURITY] [DSA 2668-1] linux-2.6 security update
Saw this earlier, apparently there is a serious issue that affects all of the kernels up to 3.8.

Will do a security thing tomorrow, if I get a chance, but it has been a while since we've had a look at it, my fault. Will update once I've reviewed.

On Tue, May 14, 2013 at 01:14:29PM -0600, dann frazier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-2668-1                   secur...@debian.org
> http://www.debian.org/security/                             Dann Frazier
> May 14, 2013                           http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package        : linux-2.6
> Vulnerability  : privilege escalation/denial of service/information leak
> Problem type   : local/remote
> Debian-specific: no
> CVE Id(s)      : CVE-2012-2121 CVE-2012-3552 CVE-2012-4461 CVE-2012-4508
>                  CVE-2012-6537 CVE-2012-6539 CVE-2012-6540 CVE-2012-6542
>                  CVE-2012-6544 CVE-2012-6545 CVE-2012-6546 CVE-2012-6548
>                  CVE-2012-6549 CVE-2013-0349 CVE-2013-0914 CVE-2013-1767
>                  CVE-2013-1773 CVE-2013-1774 CVE-2013-1792 CVE-2013-1796
>                  CVE-2013-1798 CVE-2013-1826 CVE-2013-1860 CVE-2013-1928
>                  CVE-2013-1929 CVE-2013-2015 CVE-2013-2634 CVE-2013-3222
>                  CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3228
>                  CVE-2013-3229 CVE-2013-3231 CVE-2013-3234 CVE-2013-3235
>
> Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:
>
> CVE-2012-2121
>
>     Benjamin Herrenschmidt and Jason Baron discovered issues with the IOMMU mapping of memory slots used in KVM device assignment. Local users with the ability to assign devices could cause a denial of service due to a memory page leak.
>
> CVE-2012-3552
>
>     Hafid Lin reported an issue in the IP networking subsystem. A remote user can cause a denial of service (system crash) on servers running applications that set options on sockets which are actively being processed.
>
> CVE-2012-4461
>
>     Jon Howell reported a denial of service issue in the KVM subsystem. On systems that do not support the XSAVE feature, local users with access to the /dev/kvm interface can cause a system crash.
>
> CVE-2012-4508
>
>     Dmitry Monakhov and Theodore Ts'o reported a race condition in the ext4 filesystem. Local users could gain access to sensitive kernel memory.
>
> CVE-2012-6537
>
>     Mathias Krause discovered information leak issues in the Transformation user configuration interface. Local users with the CAP_NET_ADMIN capability can gain access to sensitive kernel memory.
>
> CVE-2012-6539
>
>     Mathias Krause discovered an issue in the networking subsystem. Local users on 64-bit systems can gain access to sensitive kernel memory.
>
> CVE-2012-6540
>
>     Mathias Krause discovered an issue in the Linux virtual server subsystem. Local users can gain access to sensitive kernel memory. Note: this issue does not affect Debian provided kernels, but may affect custom kernels built from Debian's linux-source-2.6.32 package.
>
> CVE-2012-6542
>
>     Mathias Krause discovered an issue in the LLC protocol support code. Local users can gain access to sensitive kernel memory.
>
> CVE-2012-6544
>
>     Mathias Krause discovered issues in the Bluetooth subsystem. Local users can gain access to sensitive kernel memory.
>
> CVE-2012-6545
>
>     Mathias Krause discovered issues in the Bluetooth RFCOMM protocol support. Local users can gain access to sensitive kernel memory.
>
> CVE-2012-6546
>
>     Mathias Krause discovered issues in the ATM networking support. Local users can gain access to sensitive kernel memory.
>
> CVE-2012-6548
>
>     Mathias Krause discovered an issue in the UDF file system support. Local users can obtain access to sensitive kernel memory.
>
> CVE-2012-6549
>
>     Mathias Krause discovered an issue in the isofs file system support. Local users can obtain access to sensitive kernel memory.
>
> CVE-2013-0349
>
>     Anderson Lizardo discovered an issue in the Bluetooth Human Interface Device Protocol (HIDP) stack. Local users can obtain access to sensitive kernel memory.
>
> CVE-2013-0914
>
>     Emese Revfy discovered an issue in the signal implementation. Local users may be able to bypass the address space layout randomization (ASLR) facility due to a leaking of information to child processes.
>
> CVE-2013-1767
>
>     Greg Thelen reported an issue in the tmpfs virtual memory filesystem. Local users with sufficient privilege to mount filesystems can cause a denial of service or possibly elevated privileges due to a use-after-
Re: [SECURITY] [DSA 2668-1] linux-2.6 security update
Apologies, hit the wrong reply to! Please ignore and thanks for all the good work.

On Tue, May 14, 2013 at 09:15:48PM +0100, Jon Marshall wrote:
> Saw this earlier, apparently there is a serious issue that affects all of the kernels up to 3.8.
>
> Will do a security thing tomorrow, if I get a chance, but it has been a while since we've had a look at it, my fault. Will update once I've reviewed.
>
> On Tue, May 14, 2013 at 01:14:29PM -0600, dann frazier wrote:
> > [...]
Re: Wheezy is vulnerable to CVE-2013-2094
Hi all. I confirm the exploit is working on Debian wheezy with kernel 3.2.0-4-rt-amd64 with gcc -O2 options.

On 05/15/2013 12:20 AM, Gavin wrote:
> On 14 May 2013 19:41, Gerald Turner gtur...@unzane.com wrote:
> > Gavin netmatt...@gmail.com writes:
> > > On 14 May 2013 18:36, John Andreasson andreassonj...@gmail.com wrote:
> > > > Was just alerted of a kernel bug in RHEL [1], but when testing the sample code on Wheezy as an unprivileged user it successfully gives me a root prompt. Kind of suboptimal. :-( Any idea when this is fixed?
> > > >
> > > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
> > >
> > > Hi John,
> > >
> > > I'm unable to replicate this 'issue' on my up to date Wheezy laptop.
> > >
> > > gavin@caelyn:~$ uname -a
> > > Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux
> > >
> > > When I run the compiled binary of this exploit as my unprivileged user I get the following error:-
> > >
> > > gavin@caelyn:~$ ./getroot
> > > 2.6.37-3.x x86_64
> > > sd@f***sheep.org 2010
> > > getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024, needle, 8)' failed.
> > > Aborted
> > >
> > > What kernel are you able to replicate this bug with?
> >
> > At first I thought the same thing, however compile with -O2:
> >
> > $ gcc -O2 semtex.c
> > ./a.out
> > 2.6.37-3.x x86_64
> > s...@fucksheep.org 2010
> > root@xo-laptop:/tmp# uname -a
> > Linux xo-laptop 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux
>
> Ok, if I compile with the -O2 then I don't get a root shell, however my kernel panics with:-
>
> BUG: unable to handle kernel paging request at x.
>
> Still not ideal. Thanks for the heads-up!
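A fleet-triage helper, added here and not code from the thread or from Debian, that classifies `uname -r` release strings against the version window the thread itself names (the PoC banner's "2.6.37-3.x" and Jon Marshall's "up to 3.8"). It assumes that window is the affected range and treats a hit only as "possibly affected": a distribution kernel such as Wheezy's 3.2.0-4 keeps its upstream version after Debian backports a fix, so the package version shown by `uname -a` ("Debian 3.2.41-2" in the thread) is what ultimately decides exposure.

```python
"""Classify kernel release strings against the CVE-2013-2094 window
named in the thread (2.6.37 up to and including 3.8.x).  Added example;
the range is an assumption taken from the thread, not a vendor list."""
import re

AFFECTED_FROM = (2, 6, 37)   # inclusive lower bound, from the PoC banner
FIXED_FROM = (3, 9, 0)       # exclusive upper bound, "up to 3.8" per the thread

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Turn a `uname -r` string such as '3.2.0-4-rt-amd64' into (3, 2, 0).
    The Debian ABI suffix ('-4-rt-amd64') is dropped: it carries the
    package ABI, not the upstream version."""
    m = _VER_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def in_affected_range(release):
    """True when the upstream version lies inside the thread's window."""
    return AFFECTED_FROM <= parse_release(release) < FIXED_FROM


def triage(uname_lines):
    """Map each release string to a verdict.  Unparsable input is flagged
    rather than silently skipped, so an odd host is never reported clean."""
    verdicts = {}
    for line in uname_lines:
        try:
            hit = in_affected_range(line)
        except ValueError:
            verdicts[line] = "unparsed"
            continue
        verdicts[line] = "possibly affected" if hit else "outside range"
    return verdicts


if __name__ == "__main__":
    # Constructed inventory: the first two are the kernels named in the thread.
    sample = ["3.2.0-4-amd64", "3.2.0-4-rt-amd64", "2.6.32-5-amd64",
              "3.9.0-rc1", "not-a-kernel"]
    for release, verdict in triage(sample).items():
        print("%-20s %s" % (release, verdict))
```

For a "possibly affected" host, the next step is to compare the Debian package version (the "Debian 3.2.41-2" part of `uname -a`) with the fixed version in the security update once it is published, since the upstream version alone cannot distinguish a patched distribution kernel from an unpatched one.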
External check
CVE-2013-2035: RESERVED

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
Re: Post-release changes on soler
* Florian Weimer:

> FYI, I'm trying to implement the post-release changes on soler, the host for security-tracker.debian.org.

The NVD feed is gone (all the XML files are empty), so I'm disabling that temporarily. The web site should follow the Subversion repository again.