Back again with yet another linux exploit. For time purposes I’m only demonstrating it on RHEL 5.4, but if you look on my twitter you can see screenshots of it working on every distro mentioned in the video. It’ll work on everything else too, I just don’t have the VMs installed. Every version of Linux I can get my hands on is vulnerable.

Initially the title of this video stated the exploit was SMP-only. That’s not the case — some single-processor systems with PREEMPT enabled are also capable of winning the race, leading to compromise.

Mitigation:
Make sure you have mmap_min_addr enabled on your machines and that it can’t be bypassed. To test if mmap_min_addr can be bypassed or is disabled or not present on your machine, download enlightenment and run ./run_null_exploits.sh You don’t have to choose any particular exploit — it will attempt to mmap at NULL by any means possible and report the success or failure. Unlike with sock_ops there is no workaround for this vulnerability — so it’s time to bite the bullet and upgrade to a kernel that protects against this specific class of bugs in general. Workarounds have never been a long-term solution.

This exploit was written within an hour on October 22nd 2009.

Duration : 0:7:28

Technorati Tags: 0day, linux, redhat, root exploit, selinux

Ah I forgot to show in the video after I got root that SELinux was still reporting being in enforcing mode, since the same code that faked that information for 2.6.30 worked fine with the 2.6.18.

I had to remove some part of me typing near the very end so that the video could fit in the 10min restriction, nothing before that was edited.

Duration : 0:9:59

Technorati Tags: 0day, enterprise, exploit, kernel, linux, redhat, rhel, selinux