The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system.

The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included.

According to VSR Security, the research outfit that discovered the security hole, Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions.

Because the kernel functions responsible for copying data between kernel and user space failed to verify that a user-supplied address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, unprivileged users can escalate their privileges to root.

The company has released a proof-of-concept exploit to demonstrate the severity of the vulnerability. The folks at The H Security tested the exploit on Ubuntu 10.04 (64-bit) and successfully opened a root shell.

A fix for this issue has been committed by Linus Torvalds. VSR Security recommends that users install updates provided by downstream distributions or apply the committed patch and recompile their kernel.


Comments (11)

  1. Ron

    I installed my kernel back on 01-Oct, so it should be vulnerable, but it’s not, even when I modprobed the rds modules and ran the code from root.

    $ apt-cache policy linux-image-2.6.32-5-amd64
    linux-image-2.6.32-5-amd64:
      Installed: 2.6.32-24
      Candidate: 2.6.32-26
      Version table:
         2.6.32-26 0
            500 http://mirrors.kernel.org/debian/ sid/main amd64 Packages
     *** 2.6.32-24 0
            100 /var/lib/dpkg/status

    $ uname -r
    2.6.32-5-amd64

    $ cat /etc/debian_version
    squeeze/sid

    $ grep RDS /boot/config-2.6.32-5-amd64
    CONFIG_RDS=m
    CONFIG_RDS_RDMA=m
    CONFIG_RDS_TCP=m
    # CONFIG_RDS_DEBUG is not set

    # modprobe rds
    # modprobe rds_tcp
    # modprobe rds_rdma

    $ lsmod | grep rds
    rds_rdma               56776  0
    rdma_cm                20582  1 rds_rdma
    ib_core                40967  6 rds_rdma,rdma_cm,ib_cm,iw_cm,ib_sa,ib_mad
    rds_tcp                 8260  0
    rds                    70414  2 rds_rdma,rds_tcp

    $ ls -o /boot/System.map-$(uname -r)
    -rw-r--r-- 1 root 1661060 Sep 30 00:56 /boot/System.map-2.6.32-5-amd64

    $ wget http://www.vsecurity.com/download/tools/linux-rds-exploit.c
    --2010-10-21 10:18:35--  http://www.vsecurity.com/download/tools/linux-rds-exploit.c
    Resolving http://www.vsecurity.com… 209.67.252.12
    Connecting to http://www.vsecurity.com|209.67.252.12|:80… connected.
    HTTP request sent, awaiting response… 200 OK
    Length: 6435 (6.3K) [text/x-c]
    Saving to: “linux-rds-exploit.c”

    100%[=================================================================>] 6,435       33.4K/s   in 0.2s

    2010-10-21 10:18:36 (33.4 KB/s) - “linux-rds-exploit.c” saved [6435/6435]

    $ gcc linux-rds-exploit.c
    $
    $ ls -o a.out
    -rwxr-xr-x 1 me 12900 Oct 21 10:21 a.out

    $ ./a.out
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses…
     [+] Resolved rds_ioctl to 0xffffffffa1009000
     [+] Resolved commit_creds to 0xffffffff81069235
     [+] Resolved prepare_kernel_cred to 0xffffffff81069138
    [*] Failed to resolve kernel symbols.

    $ sudo ~me/a.out
    [sudo] password for me:
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses…
     [+] Resolved rds_ioctl to 0xffffffffa1009000
     [+] Resolved commit_creds to 0xffffffff81069235
     [+] Resolved prepare_kernel_cred to 0xffffffff81069138
    [*] Failed to resolve kernel symbols.

    # ~me/a.out
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses…
     [+] Resolved rds_ioctl to 0xffffffffa1009000
     [+] Resolved commit_creds to 0xffffffff81069235
     [+] Resolved prepare_kernel_cred to 0xffffffff81069138
    [*] Failed to resolve kernel symbols.

  2. bla

    yeah I had that too, it’s failing to find the address of the rds_proto_ops.

    for some reason the kernel doesn’t export that address everywhere.

    the exploit is easily modified though. you could do cat /proc/kallsyms | grep "_ops" and find something you have the address of that you can invoke from user space.

    or since you have read/write in kernel memory there are ample opportunities to get rewt.

    cheers

  3. love.linux.at.home

    What is the bottom line for the average distro user – example: Debian, Ubuntu or Mint? Does this affect 32 and 64 bit or just one? Is this RDS something you have to choose to turn on, or is it configured out of the box? This was not all that clear from the article. Even for me, with 25 years of IT under the belt, slow down on the technobabble and please either re-assure the general user or show them a way to get patched quickly. After all, we don’t need any more zombied machines out there.

  4. Anonymous

    In a corporate environment and talking about servers only:

    Am I correct that this exploit requires the attacker to have local access to the server? In other words, you couldn’t use the exploit to compromise a system behind a firewall with only port 80 and 443 open.

    Is this correct?

  5. Anonymous

    I’m new to linux, so please excuse my ignorance, but do I type /boot/config-[current kernel revision] into the terminal? If so, I get ‘permission denied’?

    FWIW, using uname -r comes up with 2.6.35-22-generic.

  6. Anonymous

    ~# egrep RDS /boot/config-2.6.32-24-server
    CONFIG_RDS=m
    CONFIG_RDS_RDMA=m
    CONFIG_RDS_TCP=m
    # CONFIG_RDS_DEBUG is not set
    CONFIG_HISAX_MAX_CARDS=8

    root@bread:~# uname -a
    Linux bread 2.6.32-24-server #39-Ubuntu SMP Wed Jul 28 06:21:40 UTC 2010 x86_64 GNU/Linux

    root@bread:~# ./a.out
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses…
     [+] Resolved rds_proto_ops to 0xffffffffa0296780
     [+] Resolved rds_ioctl to 0xffffffffa028f000
     [+] Resolved commit_creds to 0xffffffff8108b9e0
     [+] Resolved prepare_kernel_cred to 0xffffffff8108bdc0
    [*] Overwriting function pointer…
    [*] Triggering payload…
    [*] Restoring function pointer…
    [*] Got root!
    #

    I am going to update the kernel right now !! :D

  7. Anonymous

    $ ./linux-rds-exploit
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses…
     [+] Resolved rds_proto_ops to 0xf87ae9e0
     [+] Resolved rds_ioctl to 0xf87a8090
     [+] Resolved commit_creds to 0xc016e080
     [+] Resolved prepare_kernel_cred to 0xc016e3c0
    [*] Overwriting function pointer…
    [*] Triggering payload…
    [*] Restoring function pointer…
    [*] Exploit failed to get root.

    $ uname -r
    2.6.32-26-generic
    $

    why did mine fail?

  8. t4c

    No this is not correct, cause often you can get php files to download stuff and execute it locally, this is a lil bit more work, but php flaws and phpshells are easy to find in most cases.

  9. Anonymous

    Except that nobody should ever be using a server as a platform for web browsing. Also, many server editions use older kernel versions which aren’t vulnerable. RHEL 5.5/CentOS ships with 2.6.18, and my Ubuntu servers are running 2.6.28-19.

  10. Anonymous

    It affects all systems with kernels later than 2.6.29 that have RDS enabled by default. 32 or 64 bit doesn’t matter. But you don’t need to wait for a patch, a single line config change fixes it.

    If you’re vulnerable, in /boot/config-[current kernel revision] you’ll find: CONFIG_RDS=m

    Change that to CONFIG_RDS=n

    When your distro comes up with a patched kernel, you might want to change that back, RDS can make for faster & more efficient interprocess communication. I’ve heard that some distros had fixed this 3 days ago, but haven’t verified that personally.

    If you’re unsure what kernel revision you’re using, try ‘uname -r’

  11. Anonymous

    config- is the compilation configuration file. It does not affect runtime. You need to blacklist the module in the modprobe configuration.
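The article's two exposure conditions (CONFIG_RDS set, and nothing stopping unprivileged users from pulling in protocol-family modules) and comment 11's point that the build config says nothing about runtime together give a three-part check: is RDS built in or a module, is the module already resident, and is loading it blocked in the modprobe configuration. The script below is an added example, not code from the article, from VSR Security or from any distribution. It assumes the usual locations /boot/config-$(uname -r), /proc/modules and /etc/modprobe.d but takes them as parameters so it can be exercised offline against constructed sample files, and it only counts an `install rds /bin/true` (or /bin/false) rule as a load block, since a bare `blacklist` line does not stop an explicit modprobe of the module by name.

```shell
#!/bin/sh
# Added example (not from the article or VSR Security): a defender-side check
# for the RDS exposure conditions described above. All paths are parameters.

# rds_config_state CONFIG_FILE -> prints "builtin", "module" or "disabled"
rds_config_state() {
    config="$1"
    if grep -q '^CONFIG_RDS=y' "$config" 2>/dev/null; then
        echo builtin
    elif grep -q '^CONFIG_RDS=m' "$config" 2>/dev/null; then
        echo module
    else
        echo disabled
    fi
}

# rds_loaded MODULES_FILE -> succeeds if "rds" appears in a /proc/modules-style list
rds_loaded() {
    grep -q '^rds ' "$1" 2>/dev/null
}

# rds_load_blocked MODPROBE_DIR -> succeeds if some *.conf in the directory
# carries an "install rds /bin/true" (or /bin/false) rule, which turns any
# request to load the module, explicit or on demand, into a no-op.
rds_load_blocked() {
    dir="$1"
    [ -d "$dir" ] || return 1
    grep -qsE '^[[:space:]]*install[[:space:]]+rds[[:space:]]+(/bin/true|/bin/false)' "$dir"/*.conf
}

# rds_verdict CONFIG_FILE MODULES_FILE MODPROBE_DIR -> one-word exposure verdict
rds_verdict() {
    state=$(rds_config_state "$1")
    case "$state" in
        disabled) echo "not-exposed" ;;
        builtin)  echo "exposed-builtin" ;;     # only a patched kernel helps here
        module)
            if rds_loaded "$2"; then
                echo "exposed-loaded"          # module already resident in the kernel
            elif rds_load_blocked "$3"; then
                echo "mitigated"               # module on disk but cannot be loaded
            else
                echo "exposed-autoload"        # an unprivileged socket() call can pull it in
            fi ;;
    esac
}

# --- constructed sample inputs (not captured from a real host) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'CONFIG_RDS=m\nCONFIG_RDS_TCP=m\n# CONFIG_RDS_DEBUG is not set\n' > "$SAMPLE_DIR/config-module"
printf '# CONFIG_RDS is not set\n' > "$SAMPLE_DIR/config-off"
printf 'ext4 123456 1 - Live 0x0\n' > "$SAMPLE_DIR/modules-clean"
printf 'rds 70414 2 rds_rdma,rds_tcp, Live 0x0\n' > "$SAMPLE_DIR/modules-rds"
mkdir -p "$SAMPLE_DIR/modprobe.d-empty" "$SAMPLE_DIR/modprobe.d-blocked"
printf 'install rds /bin/true\n' > "$SAMPLE_DIR/modprobe.d-blocked/rds.conf"

# Walk the four module/modprobe combinations for a CONFIG_RDS=m kernel.
for m in modules-clean modules-rds; do
    for d in modprobe.d-empty modprobe.d-blocked; do
        printf '%-14s %-18s %s\n' "$m" "$d" \
            "$(rds_verdict "$SAMPLE_DIR/config-module" "$SAMPLE_DIR/$m" "$SAMPLE_DIR/$d")"
    done
done

# Against the live host the same call is:
#   rds_verdict "/boot/config-$(uname -r)" /proc/modules /etc/modprobe.d
```

The check reads only files, so it can run as an ordinary user. Two things it deliberately does not cover: a kernel whose config is only available as /proc/config.gz, and older systems that keep module rules in a single /etc/modprobe.conf rather than under /etc/modprobe.d; extend the paths if that is the layout in use. A verdict of "mitigated" is a stop-gap that keeps the broken code out of the running kernel; the article's recommendation to install the distribution's updated kernel still applies.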
