The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system.

The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included.

According to VSR Security, the research outfit that discovered the security hole, Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions.

Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

The company has released a proof-of-concept exploit to demonstrate the severity of the vulnerability.  The folks at The H Security tested the exploit on Ubuntu 10.04 (64-bit) and successfully opened a root shell.

A fix for this issue has been committed by Linus Torvalds.  VSR Security recommends that users install updates provided by downstream distributions or apply the committed patch and recompile their kernel.
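The three conditions the article names (a kernel of 2.6.30 or newer, CONFIG_RDS enabled, and no restriction on unprivileged users triggering the module load) can be checked from a shell. The script below is an added example written for this page, not VSR Security's code or the proof-of-concept; it assumes the usual /boot/config-$(uname -r) file and /etc/modprobe.d/*.conf layout, and treats an "install rds /bin/true" or "blacklist rds" line as a stop-gap mitigation until the patched kernel is installed.

```shell
#!/bin/sh
# Added exposure check for the RDS issue described above; not VSR Security's
# or the kernel's own tooling. Assumes /boot/config-$(uname -r) and /etc/modprobe.d.

# Returns 0 when version string $1 (e.g. 2.6.32-24-server) is 2.6.30 or newer.
kernel_at_least_2_6_30() {
    maj=$(echo "$1" | cut -d. -f1)
    min=$(echo "$1" | cut -d. -f2)
    pat=$(echo "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "${maj:-0}" -gt 2 ] && return 0
    [ "${maj:-0}" -eq 2 ] && [ "${min:-0}" -gt 6 ] && return 0
    [ "${maj:-0}" -eq 2 ] && [ "${min:-0}" -eq 6 ] && [ "${pat:-0}" -ge 30 ] && return 0
    return 1
}

# Prints y (built in), m (module) or n (off or absent) for CONFIG_RDS in config file $1.
rds_config_state() {
    sed -n 's/^CONFIG_RDS=\([ym]\)$/\1/p' "$1" 2>/dev/null | head -n 1 | grep . || echo n
}

# Returns 0 when some $1/*.conf stops the rds module from loading:
# "install rds /bin/true" (robust) or "blacklist rds" (blocks the net-pf alias autoload).
rds_module_blacklisted() {
    cat "$1"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*(install[[:space:]]+rds[[:space:]]|blacklist[[:space:]]+rds[[:space:]]*$)'
}

# One verdict line for kernel version $1, kernel config file $2, modprobe.d directory $3.
rds_exposure() {
    if ! kernel_at_least_2_6_30 "$1"; then
        echo "not affected: kernel $1 predates RDS (2.6.30)"
        return
    fi
    case "$(rds_config_state "$2")" in
        n) echo "not affected: CONFIG_RDS not enabled" ;;
        y) echo "exposed: RDS built into the kernel, only a patched kernel helps" ;;
        m) if rds_module_blacklisted "$3"; then
               echo "mitigated: rds module load disabled in modprobe.d"
           else
               echo "exposed: CONFIG_RDS=m and rds can be autoloaded by any user"
           fi ;;
    esac
}

# Live run against the running kernel, when its config file is readable.
cfg="/boot/config-$(uname -r)"
if [ -r "$cfg" ]; then rds_exposure "$(uname -r)" "$cfg" /etc/modprobe.d; fi
```

A "mitigated" verdict only covers the autoload path; the real fix is still the patched kernel the article points to.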

Categories: Vulnerabilities

Comments (11)

  1. Ron

    I installed my kernel back on 01-Oct, so it should be vulnerable, but it’s not, even when I modprobed the rds modules and ran the code from root.

    $ apt-cache policy linux-image-2.6.32-5-amd64
      Installed: 2.6.32-24
      Candidate: 2.6.32-26
      Version table:
         2.6.32-26 0
            500 sid/main amd64 Packages
     *** 2.6.32-24 0
            100 /var/lib/dpkg/status

    $ uname -r

    $ cat /etc/debian_version

    $ grep RDS /boot/config-2.6.32-5-amd64

    # CONFIG_RDS_DEBUG is not set

    # modprobe rds
    # modprobe rds_tcp
    # modprobe rds_rdma

    $ lsmod | grep rds
    rds_rdma               56776  0
    rdma_cm                20582  1 rds_rdma
    ib_core                40967  6
    rds_tcp                 8260  0
    rds                    70414  2 rds_rdma,rds_tcp

    $ ls -o /boot/$(uname -r)
    -rw-r--r-- 1 root 1661060 Sep 30 00:56 /boot/

    $ wget
    --2010-10-21 10:18:35--

    Connecting to||:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 6435 (6.3K) [text/x-c]
    Saving to: “linux-rds-exploit.c”
    6,435       33.4K/s   in 0.2s
    2010-10-21 10:18:36 (33.4 KB/s) - “linux-rds-exploit.c” saved

    $ gcc linux-rds-exploit.c
    $ ls -o a.out
    -rwxr-xr-x 1 me 12900 Oct 21 10:21 a.out

    $ ./a.out
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses...
     [+] Resolved rds_ioctl to 0xffffffffa1009000
     [+] Resolved commit_creds to 0xffffffff81069235
     [+] Resolved prepare_kernel_cred to 0xffffffff81069138
    [*] Failed to resolve kernel symbols.

    $ sudo ~me/a.out
    [sudo] password for me:
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses...
     [+] Resolved rds_ioctl to 0xffffffffa1009000
     [+] Resolved commit_creds to 0xffffffff81069235
     [+] Resolved prepare_kernel_cred to 0xffffffff81069138
    [*] Failed to resolve kernel symbols.

    # ~me/a.out
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses...
     [+] Resolved rds_ioctl to 0xffffffffa1009000
     [+] Resolved commit_creds to 0xffffffff81069235
     [+] Resolved prepare_kernel_cred to 0xffffffff81069138
    [*] Failed to resolve kernel symbols.

  2. bla

    Yeah, I had that too, it’s failing to find the address of the rds_proto_ops.

    For some reason the kernel doesn’t export that address everywhere.

    The exploit is easily modified though. You could do cat /proc/kallsyms | grep "_ops" and find something you have the address of that you can invoke from user space.

    Or, since you have read/write in kernel memory, there are ample opportunities to get rewt.



    What is the bottom line for the average distro user – example: Debian, Ubuntu or Mint?  Does this affect 32 and 64 bit or just one?  Is this RDS something you have to choose to turn on, or is it configured out of the box?  This was not all that clear from the article.  Even for me, with 25 years of IT under the belt, slow down on the technobabble and please either re-assure the general user or show them a way to get patched quickly.  After all, we don’t need any more zombied machines out there.

  4. Anonymous

    In a corporate environment and talking about servers only:

    Am I correct that this exploit requires the attacker to have local access to the server?  In other words, you couldn’t use the exploit to compromise a system behind a firewall with only port 80 and 443 open.

    Is this correct?

  5. Anonymous

    I’m new to Linux, so please excuse my ignorance, but do I type /boot/config-[current kernel revision] into the terminal? If so, I get ‘permission denied’.

    FWIW, using uname -r comes up with 2.6.35-22-generic.

  6. Anonymous

    ~# egrep RDS /boot/config-2.6.32-24-server
    # CONFIG_RDS_DEBUG is not set

    root@bread:~# uname -a
    Linux bread 2.6.32-24-server #39-Ubuntu SMP Wed Jul 28 06:21:40 UTC 2010 x86_64 GNU/Linux

    root@bread:~# ./a.out
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses...
     [+] Resolved rds_proto_ops to 0xffffffffa0296780
     [+] Resolved rds_ioctl to 0xffffffffa028f000
     [+] Resolved commit_creds to 0xffffffff8108b9e0
     [+] Resolved prepare_kernel_cred to 0xffffffff8108bdc0
    [*] Overwriting function pointer...
    [*] Triggering payload...
    [*] Restoring function pointer...
    [*] Got root!

    I am going to update the kernel right now !! 😀

  7. Anonymous

    $ ./linux-rds-exploit
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses...
     [+] Resolved rds_proto_ops to 0xf87ae9e0
     [+] Resolved rds_ioctl to 0xf87a8090
     [+] Resolved commit_creds to 0xc016e080
     [+] Resolved prepare_kernel_cred to 0xc016e3c0
    [*] Overwriting function pointer...
    [*] Triggering payload...
    [*] Restoring function pointer...
    [*] Exploit failed to get root.

    $ uname -r

    why did mine fail?
