Linux root exploit due to memory access - Update 2
Linus Torvalds released a Linux kernel update last week which fixes a flaw in the access control to memory. Shortly afterwards, exploits appeared making it possible to gain root privileges using this error.
Since Linux kernel version 2.6.39, the memory of each process can be viewed in /proc/<pid>/mem and even written to. Before 2.6.39, an #ifdef in the code had prevented writing, but in 2.6.39 the existing checks were deemed adequate, so the #ifdef was removed. Those checks, intended to ensure that only processes with the correct permission could write to the memory, instead proved inadequate and could easily be fooled.
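To show what the /proc/<pid>/mem interface described above actually does, here is an added C example (not from the article or any of the projects it mentions): a process overwrites one of its own variables by seeking to that variable's address in /proc/self/mem and writing there. Writing to one's own address space is permitted without any ptrace check; the flaw the article describes was in the check that is meant to stop the same operation against another process. The marker value and return codes are this example's own conventions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed marker value we expect to find in the variable afterwards. */
#define MARK 0x5a5a5a5aU

/* Returns 1 if the kernel let this process overwrite its own memory via
 * /proc/self/mem and the change became visible in the variable, 0 if the
 * open or write was refused (pre-2.6.39 behaviour), -1 on any other error. */
int proc_mem_self_write(void)
{
    volatile uint32_t target = 0;      /* the variable we will overwrite */
    uint32_t mark = MARK;

    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return (errno == EACCES || errno == EPERM) ? 0 : -1;

    /* The file offset in /proc/<pid>/mem is the virtual address itself,
     * so pwrite() at &target stores `mark` directly into that variable. */
    ssize_t n = pwrite(fd, &mark, sizeof mark, (off_t)(uintptr_t)&target);
    int saved = errno;
    close(fd);

    if (n < 0)
        return (saved == EACCES || saved == EPERM || saved == EIO) ? 0 : -1;
    if (n != (ssize_t)sizeof mark)
        return -1;

    /* Compare through the volatile variable, not our local copy of mark. */
    return target == MARK ? 1 : -1;
}

int main(void)
{
    int r = proc_mem_self_write();
    if (r == 1)
        puts("/proc/self/mem is writable: own variable changed through the file");
    else if (r == 0)
        puts("/proc/self/mem write refused by this kernel");
    else
        puts("unexpected error while writing /proc/self/mem");
    return r == 1 ? 0 : 1;
}
```

On any kernel from 2.6.39 onwards the program reports the variable changed, which is exactly the interface the faulty permission check was guarding for other processes.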
Shortly after the publication of an explanatory article on Nerdling Sapple, other coders used the information contained in the article to create exploits and made them available on the net. The exploit works by manipulating the virtual working memory of a setuid root program such as su and can give a regular user of a Linux system root privileges. Jay Freeman – known as Saurik in the iPhone jailbreak community – even has a working version for Android.
The exploit appears to work reliably. In a first test by The H's associates at heise Security, an Ubuntu system with a 3.0 series kernel immediately offered a root shell. When Torvalds' update will be incorporated into mainstream kernel distributions is not yet known.
Update - Shortly after publication of this news item, Canonical announced the release of an update for Ubuntu 11.10, which can be applied by doing a standard software update and then rebooting the system.
Update 2 - Red Hat has confirmed it is preparing patches for the issue and offers further details and a SystemTap script to mitigate the issue in an article in its knowledge base.