Old news - Linux local root vulnerability

Date August 18, 2009

If you keep up with news on the net, you've probably heard about the "new" Linux root exploit...and by new, I mean it's been in every kernel since 2.4 came out.

Essentially, the problem is that in many cases, userland programs can map page zero, which is where null pointers go to die...or really, where they point to. Anyway, Chris Siebenmann has an excellent explanation of the problem that you should check out.

Incidentally, lots of distributions "fix" this by setting the minimum address that userland programs can grab. To find out what yours is, just cat /proc/sys/vm/mmap_min_addr:

    /proc/sys/vm# cat mmap_min_addr 
    65536

No problem here. If it says "0", you're vulnerable to this exploit.
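A scripted version of the check above, added here as an example and not part of the original post. The function name check_mmap_min_addr, its optional path argument and the status words it prints are assumptions; it also reports the case where the file does not exist or holds something other than a number.

```shell
#!/bin/sh
# Added example: classify a host by its vm.mmap_min_addr setting.
# check_mmap_min_addr and its optional path argument are hypothetical names;
# the path argument exists so the check can be run against sample files.

# Prints one of: nonzero, zero, missing, invalid.
# Returns 0 only when a non-zero minimum mapping address is configured.
check_mmap_min_addr() {
    file="${1:-/proc/sys/vm/mmap_min_addr}"

    if [ ! -e "$file" ]; then
        # The kernel does not expose the setting, so nothing can be confirmed.
        echo "missing"
        return 2
    fi

    # Strip the trailing newline and any other whitespace before comparing.
    value=$(cat "$file" 2>/dev/null | tr -d '[:space:]')
    case "$value" in
        ''|*[!0-9]*)
            # Empty, unreadable, or not a plain decimal number.
            echo "invalid"
            return 3
            ;;
    esac

    if [ "$value" -eq 0 ]; then
        # Userland programs are allowed to map page zero.
        echo "zero"
        return 1
    fi

    echo "nonzero"
    return 0
}

# Run as a script: check the live system, or the file given as $1.
check_mmap_min_addr "$@" || true
```

A "nonzero" result only shows that the setting is in place; the comments below link to a disclosure on how mmap_min_addr can be bypassed.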

  • anonymouscoward

    ..and if it says
    cat: /proc/sys/vm/mmap_min_addr: No such file or directory
    ?:)

  • http://www.standalone-sysadmin.com Matt Simmons

    Hrm....then your kernel doesn't support procfs? ;-)

    You should upgrade when the patch comes out!

  • anonymouscoward

    Actually it does :)
    # cat /proc/sys/vm/swappiness
    60

    2.6.28 x86_64

  • http://www.standalone-sysadmin.com Matt Simmons

    Weird. I don't know, then. From everything I've read, you should be able to create it by echoing a number to the file.

    Do you have SELinux enabled? I've also read that it prevents the altering of that setting, which may have the side-effect of removing the file from proc.

    ~$ /usr/sbin/sestatus
    SELinux status: disabled

    on mine, anyway.

  • anonymouscoward

    Nope, not activated at all in kernel.

  • mike

    mmap_min_addr can be simple to bypass in many circumstances. Brad Spengler's full disclosure of this is here: http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/69537

  • http://www.standalone-sysadmin.com Matt Simmons

    @Mike

    Good link, thanks!