Root exploit for Linux kernel in circulation

Two exploits have been published for a security vulnerability in the Linux kernel. They allow restricted users to escalate their privileges to that of the superuser. Systems on which multiple users work in parallel are particularly at risk of an attacker exploiting the vulnerability to manipulate or gain control of a system. In tests by the heise Security editorial team, one of the exploits opened a shell with root privileges on an Ubuntu system.

The vulnerability arises from a bug in the way in which user programs deal with pointers relating to the vmsplice function, introduced in kernel version 2.6.17. Failure to check pointers when calling the vmsplice_to_user function allows read and write access to arbitrary memory areas. The kernel developers have not released a detailed description of the bug - the changelog for the first attempt at a fix in kernel 2.6.24.1 merely states "splice: missing user pointer access verification (CVE-2008-0009/10)". The CVE entry is currently empty. Shortly after the kernel update it was still possible to exploit the vulnerability despite the patch, for which reason the developers took a second stab at it with version 2.6.24.2.

This solution also seems to be still subject to some uncertainty, as the comments accompanying the patch indicate that there is still some testing to be done to ensure that it really works as it should. There are also unconfirmed scattered reports that the patch in version 2.6.24.2 reopens the original vulnerability. Operators of multi-user systems should nevertheless switch to the latest version of the kernel or install packages from their Linux distributor as soon as they are made available.

See also:

• ChangeLog 2.6.24.2, changes in Kernel 2.6.24.2
• ChangeLog 2.6.24.1, changes in Kernel 2.6.24.1
• Linux vmsplice Local Root Exploit (2.6.17 - 2.6.24.1), exploit on Milw0rm
• Linux vmsplice Local Root Exploit (2.6.23 - 2.6.24), exploit on Milw0rm

(jbe)