Linux kernel vmsplice root exploit

Two strings walk into a bar. The first says, “Hello, I’d like a ciderO’y?kI’U`,E’*@???’?? ?!>A~Xx?(y’n?.” The second says, “Please excuse my friend, he’s not null-terminated.”

If you are running Linux kernel newer than 2.6.17 but older than 2.6.24.2 or 2.6.23.16 then any local user can easily become root or at least crash your system.

There are actually two different security issues related to vmsplice() system call and both of them could lead to local privileges escalation. This is especially bad for people who don’t fully control content on and access to their servers – e.g. web hosting companies. The other bad news is that vmsplice() is part of the core kernel and there is no configuration option to exclude it.

Two separate exploits have been publicly released which exploit each of the two issues respectively.

The first issue was classified as CVE-2008-0009 and CVE-2008-0010 and was fixed by linux kernels 2.6.23.15 and 2.6.24.1.

The situation with the second issue, classified as CVE-2008-0600 was much worse. It was introduced with the initial implementation of vmsplice() and affects all kernels after 2.6.17 inclusively. There was an exploit in the wild for more than 24 hours without proper fix for the problem. I’m sure that even though there are patched versions now – linux 2.6.24.2 and 2.6.23.16 – at least 2-3 more days will pass before the number of vulnerable systems is reduced enough.

IMHO this is one of the worst 0-day Linux kernel exploits in years. I hope it won’t happen again soon. But you should be careful because all this has happened before and will definitely happen again someday.

This entry was posted in Misc and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This blog is kept spam free by WP-SpamFree.