Old news – Linux local root vulnerability
August 18, 2009
If you keep up with news on the net, you’ve probably heard about the “new” Linux root exploit…and by new, I mean it’s been in every kernel since 2.4 came out.
Essentially, the problem is that in many cases, userland programs can map page zero, which is where null pointers go to die…or really, where they point to. Anyway, Chris Siebenmann has an excellent explanation of the problem that you should check out.
Incidentally, lots of distributions “fix” this by setting the minimum address that userland programs can grab. To find out what yours is, just cat /proc/sys/vm/mmap_min_addr:
/proc/sys/vm# cat mmap_min_addr
65536
No problem here. If it says “0”, you’re vulnerable to this exploit.
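An added example, not part of the original post: a small C check that reads the same file and also tries to map page zero directly, which covers the case where the file is missing or the setting does not apply to the current process. The function names and verdict codes are this example's own; run it as an unprivileged user, because a process holding CAP_SYS_RAWIO is allowed to map below mmap_min_addr.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Parse the text of mmap_min_addr; returns the value, or -1 if it is not a number. */
long parse_min_addr(const char *text) {
    char *end;
    long v = strtol(text, &end, 10);
    if (end == text || v < 0) return -1;
    while (*end == '\n' || *end == ' ') end++;
    return *end == '\0' ? v : -1;
}

/* Read the sysctl file; -1 means missing, unreadable or malformed. */
long read_min_addr(const char *path) {
    char buf[32] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n ? parse_min_addr(buf) : -1;
}

/* Ask the kernel for a mapping at address 0: 1 = granted, 0 = refused. */
int page_zero_mappable(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, len);                 /* release it again, nothing is written */
    return 1;
}

/* 0 = protected, 1 = exposed, 2 = setting is nonzero but the mapping still worked. */
int assess(long min_addr, int mappable) {
    if (!mappable) return 0;
    return min_addr > 0 ? 2 : 1;
}

int main(void) {
    long min = read_min_addr("/proc/sys/vm/mmap_min_addr");
    int map = page_zero_mappable();
    printf("mmap_min_addr=%ld page_zero_mappable=%d verdict=%d\n",
           min, map, assess(min, map));
    return assess(min, map) == 0 ? 0 : 1;
}
```

A verdict of 2 means the file reports a nonzero minimum but this process could still map page zero, so the setting alone is not protecting it.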
August 18th, 2009 at 10:21 am
..and if it says
cat: /proc/sys/vm/mmap_min_addr: No such file or directory
?:)
August 18th, 2009 at 10:31 am
Hrm….then your kernel doesn’t support procfs?
You should upgrade when the patch comes out!
August 18th, 2009 at 11:21 am
Actually it does
# cat /proc/sys/vm/swappiness
60
2.6.28 x86_64
August 18th, 2009 at 11:29 am
Weird. I don’t know, then. From everything I’ve read, you should be able to create it by echoing a number to the file.
Do you have SELinux enabled? I’ve also read that it prevents the altering of that setting, which may have the side-effect of removing the file from proc.
~$ /usr/sbin/sestatus
SELinux status: disabled
on mine, anyway.
August 18th, 2009 at 1:31 pm
Nope, not activated at all in kernel.
August 19th, 2009 at 11:00 am
mmap_min_addr can be simple to bypass in many circumstances. Brad Spengler’s full disclosure of this is here: http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/69537
August 19th, 2009 at 11:07 am
@Mike
Good link, thanks!