New Linux exploit published
At the Full Disclosure mailing list, a demonstration of a new weak point in the Linux kernel has been published. It allows registered users to gain root rights to the system. It uses what is called a "race condition" - the lack of protection against conflicting access to a resource - in the /proc filesystem. According to the Internet Storm Center, the hole affects all versions of the 2.6 kernel. While the demonstration itself requires support for the outdated binary format a.out, the hole can also be exploited even if CONFIG_BINFMT_AOUT is not set. The security extension SELinux used in Red Hat enterprise Linux 4 apparently also stops the exploit.
Such local exploits are often used to gain access to administrator rights on systems used by multiple users. Less than a week ago, unidentified hackers exploited a similar hole in the Linux kernel (which has since been patched) to compromise a server used in the Debian project. Before this 0day exploit was published, heise Security had received indications that a large number of other such local-root exploits that attack previously unknown weak points are also in circulation. The discovery of this 0day exploit is good evidence that these indications were true.
In response to the discovery of this new weak point, the "ugly /proc hole", Linux Torvalds has published updated kernel versions 18.104.22.168 and 22.214.171.124. A following minor update to 126.96.36.199 respectively 188.8.131.52 relaxes the introduced restrictions a bit.
- Linux kernel 0day - dynamite inside, don't burn your fingers, report at Full Disclsore
- ChangeLog on kernel 184.108.40.206
- ChangeLog on Kernel 220.127.116.11