Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line 541

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007


Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line 541

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Root-Exploit in Kernel 2.6.17-2.6.24.1

11 02 2008 Operating Systems

Der ein oder andere wird es schon auf heise.de oder auf milw0rm.com selbst gelesen haben. Es sind zwei lokale Root-Exploits aufgetaucht, die es einem eingeschränkten Benutzer ermöglichen nach Ausführung des Exploits sich mit Root-Privilegien zu bewegen.

Die Lücke soll wohl in der aktuellen Kernel-Version (Kernel 2.6.24.2) behoben sein:

    splice: fix user pointer access in get_iovec_page_array()

patch 712a30e63c8066ed84385b12edbfb804f49cbc44 in mainline.

Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
pointer access verification") added the proper access_ok() calls to
copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
from userspace to the kernel.

But we also must check whether we can access the actual memory region
pointed to by the struct iovec to fix the access checks properly.
Die Lücke beruht auf einen Fehler mit der erst in Kernel 2.6.17
eingeführten Funktion vmsplice. Mehr dazu ist dem Heise Security Eintrag zu entnehmen. Somit sind erst Kernel-Versionen größer 2.6.17 von dieser Lücke betroffen.

  

Wie gefährlich das Exploit ist, sieht man wenn man es selber ausprobiert hat. Es ist so einfach in der Handhabung, das es wahrscheinlich in nächster Zeit nur so von "Script-Kiddies" wimmeln wird, die sich selber profilieren wollen:



duddits@duddits ~/exploits/linux $ gcc -o expl kexp.c
kexp.c:12:22: Fehler: asm/page.h: Datei oder Verzeichnis nicht gefunden
kexp.c: In Funktion »main«:
kexp.c:193: Fehler: »PAGE_SIZE« nicht deklariert (erste Benutzung in dieser Funktion)
kexp.c:193: Fehler: (Jeder nicht deklarierte Bezeichner wird nur einmal aufgeführt
kexp.c:193: Fehler: für jede Funktion in der er auftritt.)

Beheben des Fehlers ;-) .....
duddits@duddits ~/exploits/linux $ gcc -o expl kexp.c
duddits@duddits ~/exploits/linux $
duddits@duddits ~/duddits@duddits ~/exploits/linux $ ./expl
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d83000 .. 0xb7db5000
[+] root
duddits linux # id
uid=0(root) gid=0(root) Gruppen=10(wheel),18(audio),19(cdrom),85(usb),1000(duddits)
duddits linux # whoami
root

Dies hatte ich an meinem Desktop-PC ausprobiert, als ich noch Kernel-Version 2.6.22-gentoo-r5 laufen hatte. Erst nach einer Aktualisierung auf die neuste Kernel-Version funktionierte das Exploit nicht mehr:



duddits linux # echo  sys-kernel/gentoo-sources ~x86>>/etc/portage/package.keywords 
duddits linux # emerge -av sys-kernel/gentoo-sources

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild NS ] sys-kernel/gentoo-sources-2.6.24-r2 USE="-build -symlink" 45,708 kB

Total: 1 package (1 in new slot), Size of downloads: 45,708 kB

Would you like to merge these packages? [Yes/No] Yes
...
nach der Konfiguration und einem reboot
...
~/duddits@duddits ~/exploits/linux $ ./expl
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d83000 .. 0xb7db5000
[-] vmsplice: Bad address

Daher sollte jeder, sofern er die Möglichkeit hat, auf die neuste Kernel-Version updaten/patchen. Falls einem diese Möglichkeit verwehrt bleibt, sollte man die Benutzer auf dem System so einschränken, das diese keine Möglichkeit zum Kompilieren haben. Weiterhin sollte auch das Laden des vorkompilierten Exploits nicht möglich sein, auch wenn das in der Praxis nur schwer zu realisieren ist.




Trackbacks



Strict Standards: Only variables should be assigned by reference in /www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line 73
Keine Trackbacks

Kommentare

Ansicht der Kommentare: (Linear | Verschachtelt)

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_comments.inc.php on line 292

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Only variables should be assigned by reference in /www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line 73
Noch keine Kommentare

Kommentar schreiben



Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line 541

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007
Umschließende Sterne heben ein Wort hervor (*wort*), per _wort_ kann ein Wort unterstrichen werden.
Standard-Text Smilies wie :-) und ;-) werden zu Bildern konvertiert.
Die angegebene E-Mail-Adresse wird nicht dargestellt, sondern nur für eventuelle Benachrichtigungen verwendet.



Kommentare werden erst nach redaktioneller Prüfung freigeschaltet!


Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 560

Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /www/htdocs/w0072ee3/blog/include/db/mysql.inc.php on line 270

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_config.inc.php on line 506

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Non-static method serendipity_plugin_api::enum_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 951

Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 958

Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 542

Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 492

Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 497

Strict Standards: Declaration of serendipity_event_s9ymarkup::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_s9ymarkup/serendipity_event_s9ymarkup.php on line 146

Strict Standards: Declaration of serendipity_event_s9ymarkup::uninstall() should be compatible with serendipity_plugin::uninstall(&$propbag) in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_s9ymarkup/serendipity_event_s9ymarkup.php on line 146

Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 962

Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 958

Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 542

Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 492

Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 497

Strict Standards: Declaration of serendipity_event_emoticate::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_emoticate/serendipity_event_emoticate.php on line 204

Strict Standards: Declaration of serendipity_event_emoticate::uninstall() should be compatible with serendipity_plugin::uninstall(&$propbag) in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_emoticate/serendipity_event_emoticate.php on line 204

Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 962

Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 958

Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 542

Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 492

Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 497

Strict Standards: Declaration of serendipity_event_nl2br::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_nl2br/serendipity_event_nl2br.php on line 162

Strict Standards: Declaration of serendipity_event_nl2br::uninstall() should be compatible with serendipity_plugin::uninstall(&$propbag) in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_nl2br/serendipity_event_nl2br.php on line 162

Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 962

Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 958

Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 542

Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 492

Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 497

Strict Standards: Declaration of serendipity_event_browsercompatibility::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_browsercompatibility/serendipity_event_browsercompatibility.php on line 80

Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 962

Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 958

Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 542

Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 492

Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 497

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php on line 469

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php on line 494

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php on line 538

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php on line 902

Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 962

Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 958

Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 542

Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 492

Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 497

Strict Standards: Declaration of serendipity_event_statistics::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_statistics/serendipity_event_statistics.php on line 1015

Strict Standards: Declaration of serendipity_event_statistics::uninstall() should be compatible with serendipity_plugin::uninstall(&$propbag) in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_statistics/serendipity_event_statistics.php on line 1015

Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 962

Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 958

Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 542

Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 492

Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 497

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php on line 400

Deprecated: Assigning the return value of new by reference is deprecated in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php on line 444

Strict Standards: Declaration of serendipity_event_spartacus::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in /www/htdocs/w0072ee3/blog/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php on line 1183

Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 962

Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 958

Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 542

Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 492

Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 497

Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 962

Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 958

Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 542

Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 492

Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 497

Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 962

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_config.inc.php on line 506

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/serendipity_config.inc.php on line 399

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/genpage.inc.php on line 31

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Non-static method serendipity_plugin_api::count_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/genpage.inc.php on line 34

Strict Standards: Non-static method serendipity_plugin_api::count_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/genpage.inc.php on line 35

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line 514

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line 572

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line 555

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line 943

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line 1026

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line 1094

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_comments.inc.php on line 292

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007

Strict Standards: Only variables should be assigned by reference in /www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line 73

Strict Standards: Only variables should be assigned by reference in /www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line 73

Strict Standards: Only variables should be assigned by reference in /www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line 73

Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in /www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line 541

Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in /www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line 1007