[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I can confirm this in Gutsy:

$ gcc exploit.c -o exploit
$ whoami
heikki
$ ./exploit
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d9 .. 0xb7dc2000
[+] root
$ whoami
root

Kernel 2.6.22-14-generic

** Changed in: ubuntu
   Status: New => Confirmed

** Bug watch added: Gentoo Bugzilla #209460
   http://bugs.gentoo.org/show_bug.cgi?id=209460

** Also affects: gentoo via
   http://bugs.gentoo.org/show_bug.cgi?id=209460
   Importance: Unknown
   Status: Unknown

--
Local root exploit in kernel 2.6.17 - 2.6.24
https://bugs.launchpad.net/bugs/190587
You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I confirm this in Hardy Heron kernel 2.6.24-7-generic
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
http://bugzilla.kernel.org/show_bug.cgi?id=9924

Also able to confirm on Hardy.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0009

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0010
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Confirm on Gutsy:

[EMAIL PROTECTED]:~$ gcc exploit2.c -o exploit2
[EMAIL PROTECTED]:~$ ./exploit2
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e04000 .. 0xb7e36000
[+] root
[EMAIL PROTECTED]:~# uname -a
Linux rubert 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux
[EMAIL PROTECTED]:~#
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Bug watch added: Debian Bug tracker #464953
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953

** Also affects: debian via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
   Importance: Unknown
   Status: Unknown
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Changed in: ubuntu
   Importance: Undecided => Critical
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Actually, the bug exploitable from 2.6.17-2.6.24 is CVE-2008-0600. CVE-2008-0009/10 only affect .23 and .24 (so only Hardy is affected); see http://lkml.org/lkml/2008/2/10/177 for details.

(btw, this bug is pretty scary, it works almost anywhere you can have a shell...)

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0600
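The version ranges stated in the message above, turned into a triage check (an added example, not part of the original thread). The function name is hypothetical, and a match only flags a candidate host, because the check looks at the upstream version string alone.

```shell
#!/bin/sh
# Added example: map a kernel release string (as printed by `uname -r`)
# to the CVEs named in this thread. Ranges are the ones given above:
#   CVE-2008-0600          2.6.17 through 2.6.24
#   CVE-2008-0009 / -0010  2.6.23 and 2.6.24 only
# Assumption: only the upstream 2.6.N number is examined. Distribution
# kernels can carry a backported fix under an unchanged version, and
# stable point releases (2.6.N.M) are not told apart, so treat a hit as
# "needs checking against the vendor advisory", not as proof.

# vmsplice_cves_for_release is a hypothetical helper name.
# Prints a space-separated CVE list, or "none"; returns 1 if unparsable.
vmsplice_cves_for_release() {
    vcr_rel=$1
    # Drop the distribution suffix: "2.6.22-14-generic" -> "2.6.22"
    vcr_base=${vcr_rel%%-*}

    case $vcr_base in
        2.6.*) ;;                       # the only series in the ranges
        *) echo "none"; return 0 ;;
    esac

    # Extract N from 2.6.N or 2.6.N.M
    vcr_minor=${vcr_base#2.6.}
    vcr_minor=${vcr_minor%%.*}
    case $vcr_minor in
        ''|*[!0-9]*) echo "unknown"; return 1 ;;
    esac

    if [ "$vcr_minor" -lt 17 ] || [ "$vcr_minor" -gt 24 ]; then
        echo "none"
    elif [ "$vcr_minor" -ge 23 ]; then
        echo "CVE-2008-0600 CVE-2008-0009 CVE-2008-0010"
    else
        echo "CVE-2008-0600"
    fi
}

# The two release strings reported in this thread (Gutsy and Hardy).
for vcr_r in 2.6.22-14-generic 2.6.24-7-generic; do
    printf '%s: %s\n' "$vcr_r" "$(vmsplice_cves_for_release "$vcr_r")"
done
```

On a live host, pass `"$(uname -r)"` as the argument.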
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Changed in: linux-source-2.6.22 (Ubuntu)
   Sourcepackagename: None => linux-source-2.6.22

** Also affects: linux-source-2.6.24 (Ubuntu)
   Importance: Undecided
   Status: New
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Confirmed in Hardy - 2.6.24

** Changed in: linux (Ubuntu)
   Sourcepackagename: linux-source-2.6.24 => linux
   Importance: Undecided => Critical
   Status: New => Confirmed
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I confirm that on Hardy and Gutsy.

I also confirm that the hotfix referenced in the Debian bug report http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953, which sets the first byte of sys_vmsplice to RET in /dev/mem ( http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c ), works and prevents the exploit from functioning.

I don't know if having that function returning can otherwise adversely affect the system, though.
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Bug watch added: Red Hat Bugzilla #432229
   https://bugzilla.redhat.com/show_bug.cgi?id=432229

** Also affects: linux (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=432229
   Importance: Unknown
   Status: Unknown
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
RHEL tracker is at: https://bugzilla.redhat.com/show_bug.cgi?id=432251 but LP won't allow adding a second entry (in addition to the one for Fedora).

** Summary changed:

- Local root exploit in kernel 2.6.17 - 2.6.24
+ Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I can confirm this in Gutsy: $ gcc exploit.c -o exploit $ whoami heikki $ ./exploit --- Linux vmsplice Local Root Exploit By qaaz --- [+] mmap: 0x0 .. 0x1000 [+] page: 0x0 [+] page: 0x20 [+] mmap: 0x4000 .. 0x5000 [+] page: 0x4000 [+] page: 0x4020 [+] mmap: 0x1000 .. 0x2000 [+] page: 0x1000 [+] mmap: 0xb7d9 .. 0xb7dc2000 [+] root $ whoami root Kernel 2.6.22-14-generic ** Changed in: ubuntu Status: New => Confirmed ** Bug watch added: Gentoo Bugzilla #209460 http://bugs.gentoo.org/show_bug.cgi?id=209460 ** Also affects: gentoo via http://bugs.gentoo.org/show_bug.cgi?id=209460 Importance: Unknown Status: Unknown -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I confirm this in Hardy Heron kernel 2.6.24-7-generic -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
http://bugzilla.kernel.org/show_bug.cgi?id=9924 Also able to confirm on Hardy. ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-0009 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-0010 -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Confirm on Gutsy: [EMAIL PROTECTED]:~$ gcc exploit2.c -o exploit2 [EMAIL PROTECTED]:~$ ./exploit2 --- Linux vmsplice Local Root Exploit By qaaz --- [+] mmap: 0x0 .. 0x1000 [+] page: 0x0 [+] page: 0x20 [+] mmap: 0x4000 .. 0x5000 [+] page: 0x4000 [+] page: 0x4020 [+] mmap: 0x1000 .. 0x2000 [+] page: 0x1000 [+] mmap: 0xb7e04000 .. 0xb7e36000 [+] root [EMAIL PROTECTED]:~# uname -a Linux rubert 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux [EMAIL PROTECTED]:~# -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Bug watch added: Debian Bug tracker #464953 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 ** Also affects: debian via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 Importance: Unknown Status: Unknown -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Changed in: ubuntu Importance: Undecided => Critical -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
actually the bug exploitable from 2.6.17-2.6.24 is CVE-2008-0600. CVE-2008-0009/10 only affect .23 and .24 (so only hardy is affected) see http://lkml.org/lkml/2008/2/10/177 for details (btw this bug is pretty scary, it works almost anywhere you can have a shell...) ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-0600 -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Changed in: linux-source-2.6.22 (Ubuntu) Sourcepackagename: None => linux-source-2.6.22 ** Also affects: linux-source-2.6.24 (Ubuntu) Importance: Undecided Status: New -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Confirmed in Hardy - 2.6.24 ** Changed in: linux (Ubuntu) Sourcepackagename: linux-source-2.6.24 => linux Importance: Undecided => Critical Status: New => Confirmed -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I confirm that on hardy and gutsy. I also confirm that the hotfix referenced in debian bugreport http://bugs.debian.org/cgi- bin/bugreport.cgi?bug=464953 which sets the first byte of sys_vmsplice to RET in /dev/mem ( http://www.ping.uio.no/~mortehu/disable-vmsplice- if-exploitable.c ) works and prevents the exploit from functioning. I don't know if having that function returning can otherwise adversely affect the system, though. -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Bug watch added: Red Hat Bugzilla #432229 https://bugzilla.redhat.com/show_bug.cgi?id=432229 ** Also affects: linux (Fedora) via https://bugzilla.redhat.com/show_bug.cgi?id=432229 Importance: Unknown Status: Unknown -- Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice) https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
RHEL tracker is at: https://bugzilla.redhat.com/show_bug.cgi?id=432251 but LP won't allow adding a second entry (in addition to the one for Fedora). ** Summary changed: - Local root exploit in kernel 2.6.17 - 2.6.24 + Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice) -- Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice) https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I can confirm this in Gutsy: $ gcc exploit.c -o exploit $ whoami heikki $ ./exploit --- Linux vmsplice Local Root Exploit By qaaz --- [+] mmap: 0x0 .. 0x1000 [+] page: 0x0 [+] page: 0x20 [+] mmap: 0x4000 .. 0x5000 [+] page: 0x4000 [+] page: 0x4020 [+] mmap: 0x1000 .. 0x2000 [+] page: 0x1000 [+] mmap: 0xb7d9 .. 0xb7dc2000 [+] root $ whoami root Kernel 2.6.22-14-generic ** Changed in: ubuntu Status: New => Confirmed ** Bug watch added: Gentoo Bugzilla #209460 http://bugs.gentoo.org/show_bug.cgi?id=209460 ** Also affects: gentoo via http://bugs.gentoo.org/show_bug.cgi?id=209460 Importance: Unknown Status: Unknown -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I confirm this in Hardy Heron kernel 2.6.24-7-generic -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
http://bugzilla.kernel.org/show_bug.cgi?id=9924 Also able to confirm on Hardy. ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-0009 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-0010 -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Confirm on Gutsy: [EMAIL PROTECTED]:~$ gcc exploit2.c -o exploit2 [EMAIL PROTECTED]:~$ ./exploit2 --- Linux vmsplice Local Root Exploit By qaaz --- [+] mmap: 0x0 .. 0x1000 [+] page: 0x0 [+] page: 0x20 [+] mmap: 0x4000 .. 0x5000 [+] page: 0x4000 [+] page: 0x4020 [+] mmap: 0x1000 .. 0x2000 [+] page: 0x1000 [+] mmap: 0xb7e04000 .. 0xb7e36000 [+] root [EMAIL PROTECTED]:~# uname -a Linux rubert 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux [EMAIL PROTECTED]:~# -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Bug watch added: Debian Bug tracker #464953 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 ** Also affects: debian via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 Importance: Unknown Status: Unknown -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Changed in: ubuntu Importance: Undecided => Critical -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
actually the bug exploitable from 2.6.17-2.6.24 is CVE-2008-0600. CVE-2008-0009/10 only affect .23 and .24 (so only hardy is affected) see http://lkml.org/lkml/2008/2/10/177 for details (btw this bug is pretty scary, it works almost anywhere you can have a shell...) ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-0600 -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Changed in: linux-source-2.6.22 (Ubuntu) Sourcepackagename: None => linux-source-2.6.22 ** Also affects: linux-source-2.6.24 (Ubuntu) Importance: Undecided Status: New -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Confirmed in Hardy - 2.6.24 ** Changed in: linux (Ubuntu) Sourcepackagename: linux-source-2.6.24 => linux Importance: Undecided => Critical Status: New => Confirmed -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I confirm that on hardy and gutsy. I also confirm that the hotfix referenced in debian bugreport http://bugs.debian.org/cgi- bin/bugreport.cgi?bug=464953 which sets the first byte of sys_vmsplice to RET in /dev/mem ( http://www.ping.uio.no/~mortehu/disable-vmsplice- if-exploitable.c ) works and prevents the exploit from functioning. I don't know if having that function returning can otherwise adversely affect the system, though. -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Bug watch added: Red Hat Bugzilla #432229 https://bugzilla.redhat.com/show_bug.cgi?id=432229 ** Also affects: linux (Fedora) via https://bugzilla.redhat.com/show_bug.cgi?id=432229 Importance: Unknown Status: Unknown -- Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice) https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
RHEL tracker is at: https://bugzilla.redhat.com/show_bug.cgi?id=432251 but LP won't allow adding a second entry (in addition to the one for Fedora). ** Summary changed: - Local root exploit in kernel 2.6.17 - 2.6.24 + Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice) -- Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice) https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I can confirm this in Gutsy: $ gcc exploit.c -o exploit $ whoami heikki $ ./exploit --- Linux vmsplice Local Root Exploit By qaaz --- [+] mmap: 0x0 .. 0x1000 [+] page: 0x0 [+] page: 0x20 [+] mmap: 0x4000 .. 0x5000 [+] page: 0x4000 [+] page: 0x4020 [+] mmap: 0x1000 .. 0x2000 [+] page: 0x1000 [+] mmap: 0xb7d9 .. 0xb7dc2000 [+] root $ whoami root Kernel 2.6.22-14-generic ** Changed in: ubuntu Status: New => Confirmed ** Bug watch added: Gentoo Bugzilla #209460 http://bugs.gentoo.org/show_bug.cgi?id=209460 ** Also affects: gentoo via http://bugs.gentoo.org/show_bug.cgi?id=209460 Importance: Unknown Status: Unknown -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I confirm this in Hardy Heron kernel 2.6.24-7-generic -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
http://bugzilla.kernel.org/show_bug.cgi?id=9924 Also able to confirm on Hardy. ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-0009 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-0010 -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Confirm on Gutsy: [EMAIL PROTECTED]:~$ gcc exploit2.c -o exploit2 [EMAIL PROTECTED]:~$ ./exploit2 --- Linux vmsplice Local Root Exploit By qaaz --- [+] mmap: 0x0 .. 0x1000 [+] page: 0x0 [+] page: 0x20 [+] mmap: 0x4000 .. 0x5000 [+] page: 0x4000 [+] page: 0x4020 [+] mmap: 0x1000 .. 0x2000 [+] page: 0x1000 [+] mmap: 0xb7e04000 .. 0xb7e36000 [+] root [EMAIL PROTECTED]:~# uname -a Linux rubert 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux [EMAIL PROTECTED]:~# -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Bug watch added: Debian Bug tracker #464953 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 ** Also affects: debian via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 Importance: Unknown Status: Unknown -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Changed in: ubuntu Importance: Undecided => Critical -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
actually the bug exploitable from 2.6.17-2.6.24 is CVE-2008-0600. CVE-2008-0009/10 only affect .23 and .24 (so only hardy is affected) see http://lkml.org/lkml/2008/2/10/177 for details (btw this bug is pretty scary, it works almost anywhere you can have a shell...) ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-0600 -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Changed in: linux-source-2.6.22 (Ubuntu) Sourcepackagename: None => linux-source-2.6.22 ** Also affects: linux-source-2.6.24 (Ubuntu) Importance: Undecided Status: New -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Confirmed in Hardy - 2.6.24 ** Changed in: linux (Ubuntu) Sourcepackagename: linux-source-2.6.24 => linux Importance: Undecided => Critical Status: New => Confirmed -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I confirm that on hardy and gutsy. I also confirm that the hotfix referenced in debian bugreport http://bugs.debian.org/cgi- bin/bugreport.cgi?bug=464953 which sets the first byte of sys_vmsplice to RET in /dev/mem ( http://www.ping.uio.no/~mortehu/disable-vmsplice- if-exploitable.c ) works and prevents the exploit from functioning. I don't know if having that function returning can otherwise adversely affect the system, though. -- Local root exploit in kernel 2.6.17 - 2.6.24 https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Bug watch added: Red Hat Bugzilla #432229 https://bugzilla.redhat.com/show_bug.cgi?id=432229 ** Also affects: linux (Fedora) via https://bugzilla.redhat.com/show_bug.cgi?id=432229 Importance: Unknown Status: Unknown -- Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice) https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
RHEL tracker is at: https://bugzilla.redhat.com/show_bug.cgi?id=432251 but LP won't allow adding a second entry (in addition to the one for Fedora). ** Summary changed: - Local root exploit in kernel 2.6.17 - 2.6.24 + Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice) -- Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice) https://bugs.launchpad.net/bugs/190587 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Confirm on Gutsy:
[EMAIL PROTECTED]:~$ gcc exploit2.c -o exploit2
[EMAIL PROTECTED]:~$ ./exploit2
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e04000 .. 0xb7e36000
[+] root
[EMAIL PROTECTED]:~# uname -a
Linux rubert 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux
[EMAIL PROTECTED]:~#
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Bug watch added: Debian Bug tracker #464953 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
** Also affects: debian via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 Importance: Unknown Status: Unknown
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Changed in: ubuntu Importance: Undecided => Critical
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
actually the bug exploitable from 2.6.17-2.6.24 is CVE-2008-0600. CVE-2008-0009/10 only affect .23 and .24 (so only hardy is affected) see http://lkml.org/lkml/2008/2/10/177 for details (btw this bug is pretty scary, it works almost anywhere you can have a shell...)
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0600
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
** Changed in: linux-source-2.6.22 (Ubuntu) Sourcepackagename: None => linux-source-2.6.22
** Also affects: linux-source-2.6.24 (Ubuntu) Importance: Undecided Status: New
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
Confirmed in Hardy - 2.6.24
** Changed in: linux (Ubuntu) Sourcepackagename: linux-source-2.6.24 => linux Importance: Undecided => Critical Status: New => Confirmed
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24
I confirm that on hardy and gutsy. I also confirm that the hotfix referenced in debian bugreport http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 which sets the first byte of sys_vmsplice to RET in /dev/mem ( http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c ) works and prevents the exploit from functioning. I don't know if having that function returning can otherwise adversely affect the system, though.
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Per Gentoo, it's now fixed in all releases.
** Changed in: gentoo Importance: Unknown => Undecided Bugwatch: Gentoo Bugzilla #209460 => None Status: Confirmed => New
** Changed in: gentoo Status: New => Fix Released
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
** Changed in: linux (Fedora) Status: Fix Committed => Fix Released
** Changed in: centos Status: Unknown => Confirmed
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Running Hardy Heron, Latest updates:
[EMAIL PROTECTED]:~$ uname -a
Linux ubuntu 2.6.24-7-generic #1 SMP Thu Feb 7 01:29:58 UTC 2008 i686 GNU/Linux
[EMAIL PROTECTED]:~$ whoami
kyle
[EMAIL PROTECTED]:~$ ./local
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] addr: 0xc011d7e0
[+] root
[EMAIL PROTECTED]:~# whoami
root
[EMAIL PROTECTED]:~#
** Also affects: linux-source-2.6.24 (Ubuntu) Importance: Undecided Status: New
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
** Changed in: debian Status: Fix Committed => Fix Released
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
** Changed in: mandriva Status: In Progress => Fix Released
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
** Changed in: centos Status: Confirmed => Fix Released
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
** Also affects: gplcver (Ubuntu) Importance: Undecided Status: New
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
linux (2.6.24-8.13) hardy; urgency=low

  [Soren Hansen]
  * Add missing iscsi modules to kernel udebs

  [Stefan Bader]
  * Lower message level for PCI memory and I/O allocation.

  [Tim Gardner]
  * Enabled IP_ADVANCED_ROUTER and IP_MULTIPLE_TABLES in sparc, hppa
    - LP: #189560
  * Compile RealTek 8139 using PIO method.
    - LP: #90271
  * Add WD WD800ADFS NCQ horkage quirk support.
    - LP: #147858

  [Upstream Kernel Changes]
  * Introduce WEXT scan capabilities
  * DVB: cx23885: add missing subsystem ID for Hauppauge HVR1800 Retail
  * slab: fix bootstrap on memoryless node
  * vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007)
  * USB: keyspan: Fix oops
  * usb gadget: fix fsl_usb2_udc potential OOPS
  * USB: CP2101 New Device IDs
  * USB: add support for 4348:5523 WinChipHead USB->RS 232 adapter
  * USB: Sierra - Add support for Aircard 881U
  * USB: Adding YC Cable USB Serial device to pl2303
  * USB: sierra driver - add devices
  * USB: ftdi_sio - enabling multiple ELV devices, adding EM1010PC
  * USB: ftdi-sio: Patch to add vendor/device id for ATK_16IC CCD
  * USB: sierra: add support for Onda H600/Zte MF330 datacard to USB Driver for Sierra Wireless
  * USB: remove duplicate entry in Option driver and Pl2303 driver for Huawei modem
  * USB: pl2303: add support for RATOC REX-USB60F
  * USB: ftdi driver - add support for optical probe device
  * USB: use GFP_NOIO in reset path
  * USB: Variant of the Dell Wireless 5520 driver
  * USB: storage: Add unusual_dev for HP r707
  * USB: fix usbtest halt check on big endian systems
  * USB: handle idVendor of 0x
  * forcedeth: mac address mcp77/79
  * lockdep: annotate epoll
  * sys_remap_file_pages: fix ->vm_file accounting
  * PCI: Fix fakephp deadlock
  * ACPI: update ACPI blacklist
  * x86: restore correct module name for apm
  * sky2: restore multicast addresses after recovery
  * sky2: fix for WOL on some devices
  * b43: Fix suspend/resume
  * b43: Drop packets we are not able to encrypt
  * b43: Fix dma-slot resource leakage
  * b43legacy: fix PIO crash
  * b43legacy: fix suspend/resume
  * b43legacy: drop packets we are not able to encrypt
  * b43legacy: fix DMA slot resource leakage
  * selinux: fix labeling of /proc/net inodes
  * b43: Reject new firmware early
  * sched: let +nice tasks have smaller impact
  * sched: fix high wake up latencies with FAIR_USER_SCHED
  * fix writev regression: pan hanging unkillable and un-straceable
  * Driver core: Revert "Fix Firmware class name collision"
  * drm: the drm really should call pci_set_master..
  * splice: missing user pointer access verification (CVE-2008-0009/10)
  * Linux 2.6.24.1
  * splice: fix user pointer access in get_iovec_page_array()
  * Linux 2.6.24.2

 -- Tim Gardner < [EMAIL PROTECTED]> Thu, 07 Feb 2008 06:50:13 -0700

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0007
** Changed in: linux (Ubuntu) Status: Fix Committed => Fix Released
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Confirmed in Gutsy. Kernel 2.6.22-14-generic
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Gutsy/amd64 is affected too.
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Confirmed on feisty AMD64 (i386 isn't affected, AMD64 is).
** Also affects: linux-source-2.6.20 (Ubuntu) Importance: Undecided Status: New
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
I also confirm that suggested hotfix fixes the problem until next reboot, of course.
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
[EMAIL PROTECTED]:~/bin$ gcc exploitsrv.c -o exploitsrv
[EMAIL PROTECTED]:~/bin$ whoami
steve
[EMAIL PROTECTED]:~/bin$ ./exploitsrv
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e44000 .. 0xb7e76000
[+] root
[EMAIL PROTECTED]:~/bin# uname -a
Linux genesis 2.6.22-14-server #1 SMP Fri Feb 1 05:28:54 UTC 2008 i686 GNU/Linux
[EMAIL PROTECTED]:~/bin#
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Luis Alcaraz (Mexico)
Confirmed on Ubuntu 7.10 2.6.22-14-generic
---
[EMAIL PROTECTED]:~$ vim exploit.c
[EMAIL PROTECTED]:~$ gcc exploit.c -o exploit
[EMAIL PROTECTED]:~$ whoami
lalcaraz
[EMAIL PROTECTED]:~$ ./exploit
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e29000 .. 0xb7e5b000
[+] root
[EMAIL PROTECTED]:~# whoami
root
[EMAIL PROTECTED]:~# uname -a
Linux lalcaraz-laptop 2.6.22-14-generic #1 SMP Fri Feb 1 04:59:50 UTC 2008 i686 GNU/Linux
[EMAIL PROTECTED]:~#
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
The Security Team is working on getting the fix built up. We should have updated kernels available shortly.
** Also affects: linux-source-2.6.17 (Ubuntu) Importance: Undecided Status: New
** Changed in: linux-source-2.6.17 (Ubuntu) Importance: Undecided => Critical Assignee: (unassigned) => Kees Cook (keescook) Status: New => In Progress
** Changed in: linux-source-2.6.20 (Ubuntu) Importance: Undecided => High Assignee: (unassigned) => Kees Cook (keescook) Status: New => In Progress
** Changed in: linux (Ubuntu) Importance: Critical => High Status: Confirmed => In Progress Target: None => hardy-alpha-5
** Changed in: linux-source-2.6.17 (Ubuntu) Importance: Critical => High
** Changed in: linux-source-2.6.22 (Ubuntu) Importance: Critical => High Assignee: (unassigned) => Kees Cook (keescook) Status: Confirmed => In Progress
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Hi guys,
Just got a question in regards to the above theory. You have mentioned that kernel 2.6.17-2.6.24 is affected, whereas a normal user has the ability to log in as root with no password and sudo command, so my question here is that I have two versions of the kernel on two separate machines, 2.6.15-26 and 2.6.16; are these kernels affected as well? If they are, what patch should we follow to stop this from happening? I would be pleased if some expert could answer my query, as I am new to Linux and security topics.
Thanks in advance,
Fadi
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Tom, the present hotfix is dangerous. See http://lists.debian.org/debian-kernel/2008/02/msg00387.html
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
@Boglizk: Not run it as root.
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Hi, I was wondering how others are dealing with this, beyond the runtime patch on bootup. It seems like a tossup between grabbing/patching kernel source and waiting for the security update, does anyone know a rough eta on a safe gutsy kernel package? Thanks for the help, this is new territory for me.
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Yes, a remote root exploit.
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Kees - from what I can tell CVE-2008-0009 and CVE-2008-0010 affect only 2.6.23 through 2.6.24.1. CVE-2008-0600 affects 2.6.17 through 2.6.24.1.
Greg k-h: "It has been given CVE-2008-0600 to address this issue (09 and 10 only affect .23 and .24 kernels, and have been fixed.)"
We'll get all 3 CVEs fixed in the 2.6.24.2 stable tree, upon which Hardy 2.6.24-7.13 will be based. I am packaging fixes for Edgy/Feisty/Gutsy.
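Added example (not from the thread or from the Ubuntu kernel team): a shell helper that maps a kernel release string to the CVEs whose upstream ranges are quoted in the message above. The function names are hypothetical, and the result reflects only the upstream base version: distribution kernels receive backported fixes without that base changing, so an in-range result on a vendor kernel still has to be checked against the package changelog.

```shell
#!/bin/sh
# Added example: triage kernel release strings against the upstream version
# ranges quoted in this thread. Function names are hypothetical.
#   CVE-2008-0600           2.6.17 through 2.6.24.1
#   CVE-2008-0009 / -0010   2.6.23 through 2.6.24.1

# kver_key RELEASE
# Print one integer that orders upstream versions (a.b[.c[.d]]); return 1 if
# RELEASE does not start with a plain dotted-numeric version.
kver_key() {
    upstream=${1%%-*}                 # "2.6.22-14-generic" -> "2.6.22"
    case $upstream in
        ''|*[!0-9.]*) return 1 ;;     # reject anything but digits and dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $upstream                  # split on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -ge 2 ] && [ "$#" -le 4 ] || return 1
    for part in "$@"; do
        case $part in
            ''|0?*|????*) return 1 ;; # empty, leading zero, or over 3 digits
        esac
    done
    echo $(( ((${1} * 1000 + ${2}) * 1000 + ${3:-0}) * 1000 + ${4:-0} ))
}

# vmsplice_cves RELEASE
# Print the CVEs whose quoted upstream range contains RELEASE, "none" if it
# lies outside both ranges, or "unparseable" (exit status 2) on bad input.
vmsplice_cves() {
    key=$(kver_key "$1") || { echo "unparseable"; return 2; }
    lo_0600=$(kver_key 2.6.17)
    lo_0009=$(kver_key 2.6.23)
    hi=$(kver_key 2.6.24.1)
    hits=""
    if [ "$key" -ge "$lo_0600" ] && [ "$key" -le "$hi" ]; then
        hits="CVE-2008-0600"
    fi
    if [ "$key" -ge "$lo_0009" ] && [ "$key" -le "$hi" ]; then
        hits="$hits CVE-2008-0009 CVE-2008-0010"
    fi
    echo "${hits:-none}"
}

# Release strings that appear in the thread, plus 2.6.24.2, the stable
# release the thread names as carrying the fixes.
for rel in 2.6.15-26 2.6.16 2.6.20-16-generic 2.6.22-14-generic \
           2.6.24-7-generic 2.6.24.2; do
    printf '%-20s %s\n' "$rel" "$(vmsplice_cves "$rel")"
done
```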
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Duh. What about using the patch from the upstream? https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587/comments/26
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Contrary to what I've been reading, I can confirm this on feisty, at least with AMD processor:
[EMAIL PROTECTED]:~$ grep "model name" /proc/cpuinfo
model name : Dual-Core AMD Opteron(tm) Processor 2218
model name : Dual-Core AMD Opteron(tm) Processor 2218
model name : Dual-Core AMD Opteron(tm) Processor 2218
model name : Dual-Core AMD Opteron(tm) Processor 2218
[EMAIL PROTECTED]:~$ uname -a
Linux pie 2.6.20-16-generic #2 SMP Thu Jan 31 22:39:18 UTC 2008 x86_64 GNU/Linux
[EMAIL PROTECTED]:~$ ./exploit
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] mmap: 0x1000 .. 0x10001000
[+] page: 0x1000
[+] page: 0x1038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2ac0a9f0d000 .. 0x2ac0a9f3f000
[+] root
[EMAIL PROTECTED]:~# whoami
root
[EMAIL PROTECTED]:~#
I also confirm the suggested hotfix (disable-vmsplice-if-exploitable.c) works:
[EMAIL PROTECTED]:~$ cc disable-vmsplice-if-exploitable.c
[EMAIL PROTECTED]:~$ ./a.out
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] mmap: 0x1000 .. 0x10001000
[+] page: 0x1000
[+] page: 0x1038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2acad5163000 .. 0x2acad5195000
[+] root
Exploit gone!
[EMAIL PROTECTED]:~$ ./exploit
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] mmap: 0x1000 .. 0x10001000
[+] page: 0x1000
[+] page: 0x1038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2b010025b000 .. 0x2b010028d000
[-] vmsplice
[EMAIL PROTECTED]:~$ whoami
ycsapo
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
What about Gutsy, any update when the fix will be released?
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
The fix for this vulnerability is in the 2.6.24.2 tree against which Hardy was recently updated and is in the process of being packaged for upload.

** Changed in: linux-source-2.6.17 (Ubuntu)
   Status: In Progress => Fix Committed
** Changed in: linux-source-2.6.20 (Ubuntu)
   Status: In Progress => Fix Committed
** Changed in: linux-source-2.6.22 (Ubuntu)
   Status: In Progress => Fix Committed
** Changed in: linux (Ubuntu)
   Status: In Progress => Fix Committed
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
Confirmed in Gutsy 2.6.22-14-generic.
[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
** Also affects: centos via https://bugzilla.redhat.com/show_bug.cgi?id=432251
   Importance: Unknown
   Status: Unknown