OOPS - Root privileges under Linux
On the Full Disclosure security mailing list, Dan Rosenberg presents a small demo program which craftily combines several security holes to obtain root privileges on Linux systems.
The starting point is a problem Nelson Elhage discovered in the kernel's thread-management and error-handling code (CVE-2010-4258): a user can potentially exploit an OOPS to write a null byte into kernel memory. Rosenberg combined this with several vulnerabilities, also recently discovered by Elhage, in the kernel's Econet protocol implementation.
Two of them (CVE-2010-3848, CVE-2010-3849) can only be exploited if an administrator has already configured Econet interfaces on the system. However, CVE-2010-3850 allows local users without root privileges to do just that. The astonishing aspect is that although Econet is an ancient protocol Acorn computers used to communicate with file and print servers via special network cards, many current kernels support it by default and load the driver without any user interaction. For instance, when tested by The H's associates at heise Security, Ubuntu 10.04 LTS "Lucid Lynx" readily loaded the Econet driver and presented a root shell after the demo exploit was executed:
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xffffffffa0b76510
[+] Resolved econet_ops to 0xffffffffa0b76600
[+] Resolved commit_creds to 0xffffffff8108aee0
[+] Resolved prepare_kernel_cred to 0xffffffff8108b2c0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
In his comments, Rosenberg points out that he deliberately designed the exploit so that it won't affect most standard systems: Red Hat does not support Econet by default, and Ubuntu and Debian have already patched the Econet holes it uses. However, he writes that it would be easy to find other vulnerabilities to take over the task of triggering a kernel OOPS, so ultimately all Linux users are affected. Red Hat has already stated that Red Hat Enterprise Linux 4, 5 and 6 and Red Hat Enterprise MRG are not vulnerable to CVE-2010-4258.
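The practical lesson for administrators is the one the Ubuntu test illustrates: the Econet part of the chain only works because the kernel loads the econet module on demand, so a system that never needs the protocol should not be able to load it. The following script is an added example, not part of The H's article or of Rosenberg's code; it checks whether the module is currently loaded, whether modprobe.d prevents it from being loaded, and whether module loading has been locked down altogether via kernel.modules_disabled. The file paths default to the standard locations but are parameters, so the functions can also be run against constructed input.

```shell
#!/bin/sh
# Added example (not from the article or the exploit): a defender's check for the
# Econet part of the chain. Stock kernels load the econet module on demand, so we
# ask three questions: is it loaded now, is it blocked from auto-loading, and is
# module loading locked entirely. Paths are parameters for testability.

# econet_loaded [MODULES_FILE]: 0 if econet appears in the /proc/modules listing.
econet_loaded() {
    grep -q '^econet[[:space:]]' "${1:-/proc/modules}" 2>/dev/null
}

# econet_disabled [MODPROBE_DIR]: 0 if a modprobe.d conf file either blacklists
# econet or maps it to /bin/true. "install econet /bin/true" is the usual
# hardening idiom; unlike "blacklist" it also defeats an explicit "modprobe econet".
econet_disabled() {
    dir="${1:-/etc/modprobe.d}"
    cat "$dir"/*.conf 2>/dev/null | grep -Eq \
        '^[[:space:]]*(blacklist[[:space:]]+econet|install[[:space:]]+econet[[:space:]]+/bin/(true|false))([[:space:]]|$)'
}

# modules_locked [SYSCTL_FILE]: 0 if kernel.modules_disabled is 1, meaning no
# further modules can be loaded until the next reboot.
modules_locked() {
    [ "$(cat "${1:-/proc/sys/kernel/modules_disabled}" 2>/dev/null)" = "1" ]
}

# check_econet [MODULES_FILE] [MODPROBE_DIR] [SYSCTL_FILE]: print one verdict per
# question and return 0 only when econet is neither loaded nor loadable.
check_econet() {
    status=0
    if econet_loaded "$1"; then
        echo "FAIL econet module is currently loaded"
        status=1
    else
        echo "ok   econet module not loaded"
    fi
    if econet_disabled "$2"; then
        echo "ok   econet disabled in modprobe.d"
    elif modules_locked "$3"; then
        echo "ok   module loading locked (kernel.modules_disabled=1)"
    else
        echo "FAIL econet can still be auto-loaded; add 'install econet /bin/true' to /etc/modprobe.d/"
        status=1
    fi
    return $status
}

# Report on the live system when invoked as: sh econet_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_econet
fi
```

Note that "blacklist" only stops alias-based auto-loading (the path the socket() call in the exploit relies on), whereas the "install econet /bin/true" line also neutralises a direct modprobe; the check accepts either, but the install form is the one to deploy. Setting kernel.modules_disabled=1 is a stronger, one-way switch that is only appropriate once every module the system needs has been loaded.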