Linux Kernel Exploit – From a Nobody to a Somebody “Root”
The security community has recently learned of a new exploit that lets any normal, non-privileged user become the most powerful user on a Linux system, “root”. Because of this local privilege escalation, you can no longer trust any user on a Linux box running a kernel from 2.6.17 through 2.6.24.1. Any low-privileged shell account is now an attack vector. Just imagine a system where every user is potentially an administrator!
What is affected? Basically every Linux kernel built from source released since June 17, 2006, when kernel 2.6.17 came out, up to today. A fix will surely appear in an upcoming kernel update, but as of today, February 10, 2008, it is not in the production kernel source distribution. It is possible that up to a million copies of Linux carrying this attack vector are in production right now.
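A quick way to triage a fleet is to compare each host's kernel release string against the affected range above. The program below is an added example of mine, not code from the post or from the proof of concept; it parses the numeric prefix of a release string (as returned by uname -r, including distro-suffixed forms such as "2.6.18-92.el5"), and reports whether it falls within 2.6.17 through 2.6.24.1 inclusive. The function name release_in_vulnerable_range is my own. One caveat a practitioner should keep in mind: distribution kernels backport fixes without bumping the upstream version, so a match is a prompt to check the vendor advisory, not proof of exposure.

```c
/* Added example (not from the post): classify a kernel release string against
 * the affected range 2.6.17 .. 2.6.24.1. Compile: cc -std=c99 -o kcheck kcheck.c */
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Parse the leading "a.b.c[.d]" of a release string such as "2.6.24.1-grsec"
 * or "2.6.18-92.el5". Anything after the numeric prefix is a distro suffix and
 * is ignored; a missing fourth component defaults to 0. Returns 1 on success. */
static int parse_release(const char *rel, int v[4])
{
    v[0] = v[1] = v[2] = v[3] = 0;
    /* sscanf stops at the first character that does not fit, so "18-92.el5"
     * yields 18 and leaves the suffix alone. */
    int n = sscanf(rel, "%d.%d.%d.%d", &v[0], &v[1], &v[2], &v[3]);
    return n >= 3;
}

/* Lexicographic compare of two four-part versions: -1, 0 or 1. */
static int cmp_versions(const int a[4], const int b[4])
{
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Returns 1 if rel is within [2.6.17, 2.6.24.1], 0 if outside, -1 if the
 * string could not be parsed. */
int release_in_vulnerable_range(const char *rel)
{
    static const int lo[4] = {2, 6, 17, 0};
    static const int hi[4] = {2, 6, 24, 1};
    int v[4];
    if (!parse_release(rel, v))
        return -1;
    return cmp_versions(v, lo) >= 0 && cmp_versions(v, hi) <= 0;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 2;
    }
    int r = release_in_vulnerable_range(u.release);
    if (r < 0)
        printf("%s: could not parse release string\n", u.release);
    else if (r)
        printf("%s: upstream version in affected range; check vendor advisory "
               "for a backported fix\n", u.release);
    else
        printf("%s: outside affected range\n", u.release);
    return r == 1;
}
```

Run it on each host (or feed collected uname -r output to release_in_vulnerable_range from a small wrapper); the exit status is 1 for an in-range kernel, so it drops straight into inventory scripts.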
The proof-of-concept code is at http://www.milw0rm.com/exploits/5092 . This short chunk of code makes all of this mayhem possible, and it is simple enough for anyone to compile and execute.
I have seen the potential fix to this problem in Linux. The kernel is missing a simple address check: the vmsplice() path in fs/splice.c lacks a call to access_ok() to verify that the user-supplied buffer addresses actually lie in userspace, so a caller can make the kernel read and write kernel memory on its behalf. You can see the potential fix here –> http://git.kernel.org/…
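To make the missing check concrete, here is a user-space model of the bug class, written by me as an added example; it is not kernel code, not the exploit, and not the patch linked above. It models a syscall that walks a caller-supplied iovec array, once without any address validation (the vulnerable pattern) and once with an access_ok()-style range check in front of every entry. The TASK_SIZE split, the struct name user_iovec and the sample addresses are assumed values for a 32-bit style layout; the point that survives on any architecture is that the check must reject both kernel-space addresses and base+len sums that wrap around.

```c
/* Added example (not kernel code, not the exploit): what an access_ok()-style
 * range check has to reject before a syscall trusts a user-supplied iovec. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed user/kernel split: everything at or above TASK_SIZE is kernel. */
#define TASK_SIZE 0xC0000000UL

/* Stand-in for struct iovec: base address and length as handed in by userspace. */
struct user_iovec {
    uintptr_t base;
    size_t len;
};

/* access_ok()-style check: [base, base+len) must lie entirely below TASK_SIZE,
 * and the sum must not wrap, because a wrapped range "ends" at a small,
 * valid-looking address and would otherwise slip past the bound. */
bool user_range_ok(uintptr_t base, size_t len)
{
    if (len == 0)
        return true;
    uintptr_t end = base + len;
    if (end < base)                 /* arithmetic wrap-around */
        return false;
    return end <= TASK_SIZE;
}

/* Vulnerable pattern: every non-empty entry is accepted, including one whose
 * base points into the kernel. Returns the number of entries it would use. */
int count_accepted_unchecked(const struct user_iovec *iov, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (iov[i].len != 0)
            accepted++;
    return accepted;
}

/* Fixed pattern: same loop, but each entry must pass the range check first.
 * Returns -1 on the first bad entry, mirroring an -EFAULT style rejection. */
int count_accepted_checked(const struct user_iovec *iov, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        if (!user_range_ok(iov[i].base, iov[i].len))
            return -1;
        if (iov[i].len != 0)
            accepted++;
    }
    return accepted;
}

/* Constructed samples: a legitimate user buffer followed by an entry inside
 * kernel space, and an entry whose length wraps the address space. */
const struct user_iovec sample_kernel_ptr[] = {
    { 0x08048000UL, 4096 },         /* ordinary user mapping */
    { 0xC0100000UL, 4096 },         /* kernel address: must be rejected */
};
const struct user_iovec sample_wrap[] = {
    { 0xBFFFF000UL, SIZE_MAX },     /* base+len wraps: must be rejected */
};

int main(void)
{
    printf("unchecked accepts %d of 2 entries (kernel pointer included)\n",
           count_accepted_unchecked(sample_kernel_ptr, 2));
    printf("checked   returns %d for the same array\n",
           count_accepted_checked(sample_kernel_ptr, 2));
    printf("checked   returns %d for the wrapping entry\n",
           count_accepted_checked(sample_wrap, 1));
    return 0;
}
```

The order of the two tests inside user_range_ok matters: the wrap test has to run on the raw sum before the sum is compared against TASK_SIZE, otherwise a length chosen to wrap just past the top of the address space produces an "end" below the bound and the kernel pointer is waved through.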
What now? There are two challenges: A) how do we get ALL of these vulnerable machines onto a fixed kernel, and B) what will the impact be on existing applications on critical servers.
Are our servers OK?
We don’t know how long this particular exploit has been in the wild and available to the underground community. That leaves us with the daunting question, “Has this type of exploit already been executed on our systems? And if so, what did they do?!?” It is becoming increasingly important to understand exactly what is changing on our servers and why.
What’s in the future? Right now, everyone is considering the impact of this exploit from a shell prompt. However, I believe the REAL threat will come in the future. Expect new exploits to be built on this proof-of-concept code. Security professionals should be prepared for code that chains a remote memory-corruption bug, such as a buffer overflow in a network service, with this local root exploit: the overflow gives the attacker code execution as the service account, and the kernel bug turns that into ‘root’, free to perform whatever task the hacker has in mind. In plain English, a web server running under the low-privileged “nobody” account no longer limits the damage, because any code execution in that process can be escalated to COMPLETE control of the box.
Hackers will literally go from a “nobody” to a somebody…“root”. Without a doubt, addressing this particular exploit will be a high priority for administrators in the weeks to come.