Old news – Linux local root vulnerability

If you keep up with news on the net, you’ve probably heard about the “new” Linux root exploit…and by new, I mean it’s been in every kernel since 2.4 came out.

Essentially, the problem is that in many cases, userland programs can map page zero, which is where null pointers go to die…or really, where they point to. Anyway, Chris Siebenmann has an excellent explanation of the problem that you should check out.

Incidentally, lots of distributions “fix” this by setting a minimum address below which userland programs cannot map memory. To find out what yours is, just cat /proc/sys/vm/mmap_min_addr:

    /proc/sys/vm# cat mmap_min_addr

No problem here. If it says “0”, you’re vulnerable to this exploit.
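As an added example (not part of the original post), here is a POSIX shell script that automates that check and handles the two outcomes discussed in the comments: a value of 0 and a missing file. The script and its function names are mine; it assumes only a Bourne-compatible shell, cat, uname and, optionally, sestatus on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the
# mmap_min_addr mitigation is in effect on this host.
#
# check_mmap_min_addr [path]
#   Reads the sysctl file (default /proc/sys/vm/mmap_min_addr) and prints
#   one of "ok: <value>", "vulnerable" or "missing". Exit status is 0 when
#   the floor is non-zero, 1 when it is 0, and 2 when the file is absent or
#   unreadable (the "No such file or directory" case from the comments).

check_mmap_min_addr() {
    path="${1:-/proc/sys/vm/mmap_min_addr}"
    if [ ! -r "$path" ]; then
        echo "missing"
        return 2
    fi
    value=$(cat "$path" 2>/dev/null)
    # Reject anything that is not a plain non-negative integer.
    case "$value" in
        ''|*[!0-9]*)
            echo "missing"
            return 2
            ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "vulnerable"
        return 1
    fi
    echo "ok: $value"
    return 0
}

# report: human-readable summary for the running kernel, including the
# SELinux state when sestatus is available (its absence is not an error).
report() {
    printf 'kernel:        %s\n' "$(uname -r 2>/dev/null || echo unknown)"
    printf 'mmap_min_addr: %s\n' "$(check_mmap_min_addr)"
    if command -v sestatus >/dev/null 2>&1; then
        sestatus 2>/dev/null | grep -i '^SELinux status' || true
    fi
    # Re-run the check so the report's exit status reflects the result.
    check_mmap_min_addr >/dev/null
}

# Run the report when executed directly; the status is deliberately
# ignored so that sourcing this file under `set -e` does not abort.
report || :
```

The exit status makes the function usable from a configuration-audit job: 0 means the floor is set, 1 means page zero is mappable, and 2 means the sysctl is absent, which (as the thread below shows) is worth investigating rather than treating as safe.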

  • anonymouscoward

    ..and if it says
    cat: /proc/sys/vm/mmap_min_addr: No such file or directory

  • Hrm….then your kernel doesn’t support procfs? ;-)

    You should upgrade when the patch comes out!

  • anonymouscoward

    Actually it does :)
    # cat /proc/sys/vm/swappiness

    2.6.28 x86_64

  • Weird. I don’t know, then. From everything I’ve read, you should be able to create it by echoing a number to the file.

    Do you have SELinux enabled? I’ve also read that it prevents the altering of that setting, which may have the side-effect of removing the file from proc.

    ~$ /usr/sbin/sestatus
    SELinux status: disabled

    on mine, anyway.

  • anonymouscoward

    Nope, not activated at all in kernel.

  • mike

    mmap_min_addr can be simple to bypass in many circumstances. Brad Spengler’s full disclosure of this is here: http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/69537

  • @Mike

    Good link, thanks!