Ubuntu vulnerable against "h00lyshit" exploit?

Christofer C. Bell christofer.c.bell at gmail.com
Sat Jul 15 22:31:47 UTC 2006


On 7/15/06, Alexander Skwar <listen at alexander.skwar.name> wrote:
> Hi!
>
> Is the current Dapper kernel vulnerable against the kernel exploit
> posted yesterday on full-disclosure "Linux kernel 0day - dynamite
> inside, don't burn your fingers", see
> <http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html>?

When I run this exploit against my own machine, the software
segfaults.  I'm going to surmise that Ubuntu 6.06 is not vulnerable
assuming the system is up to date with patches.  I am testing this
under Ubuntu kernel 2.6.15-26-686.

Here is the strace output of the running exploit:

cbell at circe:~/Desktop$ strace ./h00lyshit
execve("./h00lyshit", ["./h00lyshit"], [/* 30 vars */]) = 0
uname({sys="Linux", node="circe.inetdb.com", ...}) = 0
brk(0)                                  = 0x804a000
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb7f7d000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
old_mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb7f7b000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=41304, ...}) = 0
old_mmap(NULL, 41304, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f70000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220O\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1232784, ...}) = 0
old_mmap(NULL, 1238972, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e41000
old_mmap(0xb7f66000, 28672, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x125000) = 0xb7f66000
old_mmap(0xb7f6d000, 10172, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f6d000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb7e40000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e408e0,
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7f70000, 41304)               = 0
brk(0)                                  = 0x804a000
brk(0x806b000)                          = 0x806b000
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
cbell at circe:~/Desktop$

> If so, when can we expect a patched kernel? I.e. a kernel 2.6.17.5
> or 2.6.16.25 or a backport of those fixes?

You won't get a 2.6.17 kernel on Ubuntu 6.06 from an official update.

-- 
Chris

"I trust the Democrats to take away my money, which I can afford.  I
trust the Republicans to take away my freedom, which I cannot."