gerasimos_h Site Admin
Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Thu Feb 14, 2008 1:18 pm    Post subject: Local root exploit
The local root exploit affects kernels 2.6.17-2.6.24.1 regardless of distribution, and it's not a Slackware issue... It's a local root and not a remote exploit, and it doesn't give full root privileges; it can't reboot, halt, add or remove packages for instance, but it can delete and stop services, among other things, and that's a problem.
Of course all that can be done by a user and not by someone who has no access to the server, but I believe that a well-written web script can do bad things.
 
An example of the script before the patch (SMS 1.3.5):
 
Code:
angel@sms:/var/smb/samba$ ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e12000 .. 0xb7e44000
[+] root
root@sms:/var/smb/samba$
 
And after the splice patch (SMS 1.3.6):
 
Code:
angel@sms:/var/smb/samba$ ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d9e000 .. 0xb7dd0000
[-] vmsplice: Bad address
angel@sms:/var/smb/samba$
 
The above was all tested on SMS 1.3.5 and 1.3.6 native installations.
 
Note: if you boot from SMS.Live.CD-1.3.6 the script will gain root access, but that's because I patched the kernel and not the initrd.gz that boots the liveCD.
If you install it on disk through sms-text-installer you will not have any problems.
I've also created an initrd.gz from the patched kernel, and it will be on SMS.Live.CD-1.3.7.
 
Kernel patches are available here.
If you installed SMS.Live.CD just use livecd.s.
Don't forget to run lilo after installing the kernel.
 
 For more info about the script look at:
 http://lwn.net/SubscriberLink/268783/c6a3f3433044e10b/
 
 gerasimos_h
 _________________
 Superb! Mini Server Project Manager
 http://sms.it-ccs.com
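As an added example (not part of the post or of the SMS project), a small Python check that parses a `uname -r` style string and reports whether the kernel version falls inside the 2.6.17 to 2.6.24.1 range the post names; the function names are mine, and the result is a version-string heuristic, not proof that the vmsplice fix is present or absent.

```python
import re
from typing import Optional, Tuple

# Inclusive kernel range named in the post: 2.6.17 through 2.6.24.1.
AFFECTED_MIN = (2, 6, 17, 0)
AFFECTED_MAX = (2, 6, 24, 1)


def parse_release(release: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a `uname -r` string such as '2.6.24.1-smp' into a 4-tuple.

    Only the leading dotted numbers are used; suffixes like '-smp' or
    '-rc1' are ignored. Missing components count as 0, so '2.6.24'
    becomes (2, 6, 24, 0). Returns None if the string does not start
    with at least 'major.minor'.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", release.strip())
    if not m:
        return None
    major, minor, patch, sub = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch, sub)


def is_affected(release: str) -> bool:
    """True when the version number lies inside the range the post gives.

    Heuristic only (assumption of this example): a distribution kernel that
    carries the vmsplice fix as a backport keeps its old version number and
    is still reported as affected here, so confirm against your
    distribution's advisories or the patch level of the running kernel.
    """
    parsed = parse_release(release)
    if parsed is None:
        return False
    return AFFECTED_MIN <= parsed <= AFFECTED_MAX


if __name__ == "__main__":
    import platform

    rel = platform.release()
    status = "inside" if is_affected(rel) else "outside"
    print(f"{rel} is {status} the 2.6.17-2.6.24.1 range")
```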