Hello All;

I'm running a custom made kernel 2.6.24.

<P4>dmitton:$ uname -a
Linux 2.6.24 #1 SMP PREEMPT Fri Jan 25 13:15:55 EST 2008 i686 GNU/Linux

When I run the exploit (proof of concept code) I get this:

<P4>dmitton:~/exploit080212$ ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f02000 .. 0xb7f34000
[-] vmsplice: No such file or directory
<P4>dmitton:~/exploit080212$

It apparently should look (something) like this if I have the exploit:

$ whoami
heikki
$ ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d90000 .. 0xb7dc2000
[+] root
$ whoami
root

Can anyone explain this? I am looking for information but everyone is so busy fighting the fire I haven't seen anyone post who has not got the exploit.

Thanks in advance.

On Tue, 12 Feb 2008 23:38:13 +0000 (UTC), Doug Mitton <doug_mitton@hotmail.x.com> wrote:

>I'm running a custom made kernel 2.6.24.

Update to 2.6.24.2 for the fix.

....
>[-] vmsplice: No such file or directory
><P4>dmitton:~/exploit080212$

Yeah, the exploit failed here too, I updated the kernel to be on the safe side.

Grant.
--
http://bugsplatter.mine.nu/

Grant <g_r_a_n_t_@dodo.com.au> wrote:

>On Tue, 12 Feb 2008 23:38:13 +0000 (UTC), Doug Mitton <doug_mitton@hotmail.x.com> wrote:
>
>>I'm running a custom made kernel 2.6.24.
>
>Update to 2.6.24.2 for the fix.
>
>...
>>[-] vmsplice: No such file or directory
>><P4>dmitton:~/exploit080212$
>
>Yeah, the exploit failed here too, I updated the kernel to be on
>the safe side.
>
>Grant.

Thanks! I installed kernel 2.6.24.2 and have the same response to the `exploit` command. I'll have to keep looking for an explanation of the issue from a "technical" perspective. Maybe I'm not even using the feature.

PS. This group has been "Banned" by my usual NNTP server due to SPAM complaints. I'm trying an alternative server to do this post.

--
------------------------------------------------
http://www3.sympatico.ca/dmitton
SPAM Reduction: Remove "x." from my domain.
------------------------------------------------

On Feb 14, 2:23 pm, Doug Mitton <doug_mit...@hotmail.x.com> wrote:
> Grant <g_r_a_n...@dodo.com.au> wrote:
> >On Tue, 12 Feb 2008 23:38:13 +0000 (UTC), Doug Mitton <doug_mit...@hotmail.x.com> wrote:
>
> >>I'm running a custom made kernel 2.6.24.
>
> >Update to 2.6.24.2 for the fix.
>
> >...
> >>[-] vmsplice: No such file or directory
> >><P4>dmitton:~/exploit080212$
>
> >Yeah, the exploit failed here too, I updated the kernel to be on
> >the safe side.
>
> >Grant.
>
> Thanks! I installed kernel 2.6.24.2 and have the same response to the
> `exploit` command. I'll have to keep looking for an explanation of
> the issue from a "technical" perspective. Maybe I'm not even using
> the feature.

As I understand it, the vmsplice() syscall is only available if you've enabled virtualization support in the kernel. If you haven't compiled your kernel with KVM enabled, you are safe from this exploit.

lpitcher@teksavvy.com wrote:
> On Feb 14, 2:23 pm, Doug Mitton <doug_mit...@hotmail.x.com> wrote:
>> Grant <g_r_a_n...@dodo.com.au> wrote:
>> >On Tue, 12 Feb 2008 23:38:13 +0000 (UTC), Doug Mitton <doug_mit...@hotmail.x.com> wrote:
>>
>> >>I'm running a custom made kernel 2.6.24.
>>
>> >Update to 2.6.24.2 for the fix.
>>
>> >...
>> >>[-] vmsplice: No such file or directory
>> >><P4>dmitton:~/exploit080212$
>>
>> >Yeah, the exploit failed here too, I updated the kernel to be on
>> >the safe side.
>>
>> >Grant.
>>
>> Thanks! I installed kernel 2.6.24.2 and have the same response to the
>> `exploit` command. I'll have to keep looking for an explanation of
>> the issue from a "technical" perspective. Maybe I'm not even using
>> the feature.
>
> As I understand it, the vmsplice() syscall is only available if you've
> enabled virtualization support in the kernel. If you haven't compiled
> your kernel with KVM enabled, you are safe from this exploit.

I'm not aware that this is true. The exploit worked for me on all pre-patched systems I tried it on, all custom-built kernels with no virtualization. The vmsplice() code (in the kernel source fs/splice.c) seems to me to be unconditionally included.

When I ran the exploit on a patched system, it fails with: Bad address.
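
The thread turns on whether vmsplice() is present in a given kernel at all. The following is an added example, not posted by anyone in the thread: it asks the running kernel directly by calling vmsplice() on an invalid descriptor and reading errno. The enum and function names are this example's own, and a "present" result only shows the syscall exists, not whether the kernel carries the fix.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/uio.h>
#include <unistd.h>

/* Prototype repeated so the block builds even if feature macros were fixed earlier. */
ssize_t vmsplice(int fd, const struct iovec *iov, size_t nr_segs, unsigned int flags);

enum probe_result { VMSPLICE_PRESENT, VMSPLICE_ABSENT, VMSPLICE_BLOCKED, VMSPLICE_UNKNOWN };

/* Interpret the errno left by a deliberately invalid vmsplice() call. */
enum probe_result classify_errno(int err)
{
    switch (err) {
    case 0:
    case EBADF:   /* the syscall ran and rejected the bad descriptor */
    case EINVAL:
    case EFAULT:
        return VMSPLICE_PRESENT;
    case ENOSYS:  /* no such syscall in this kernel */
        return VMSPLICE_ABSENT;
    case EPERM:
    case EACCES:  /* filtered, e.g. by seccomp or a sandbox */
        return VMSPLICE_BLOCKED;
    default:
        return VMSPLICE_UNKNOWN;
    }
}

/* Call vmsplice() on fd -1: nothing is mapped or transferred, only errno matters. */
enum probe_result probe_vmsplice(void)
{
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    errno = 0;
    ssize_t n = vmsplice(-1, &iov, 1, 0);
    return classify_errno(n < 0 ? errno : 0);
}

int main(void)
{
    static const char *names[] = { "present", "absent (ENOSYS)", "blocked", "unknown" };
    printf("vmsplice syscall: %s\n", names[probe_vmsplice()]);
    return 0;
}
```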