Bug 432283

Summary: [SECURITY] CVE-2008-0600 local escalation of privilege
Product: [Fedora] Fedora
Reporter: Dave Airlie <airlied>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: low
Version: 7
CC: bojan, helge.deller, james, jonstanley, pavel, richzendy, russell, security-response-team
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 2.6.23.15-80.fc7
Doc Type: Bug Fix
Last Closed: 2008-02-11 22:38:24 UTC
Bug Depends On: 432229    
Bug Blocks: 432251    

Description Dave Airlie 2008-02-10 21:39:33 UTC
+++ This bug was initially created as a clone of Bug #432229 +++

Description of problem:

Local user can obtain root access (as described below).

This bug is being actively exploited in the wild -- our server was just broken
in to by an attacker using it. (They got a user's password by previously
compromising a machine somewhere else where that user had an account, and
installed a modified ssh binary on it to record user names and passwords. Then
they logged in to our site as that user, exploited CVE-2008-0010, and became root).

It is EXTREMELY urgent that a fixed kernel be provided ASAP given that this bug
is being actively exploited in the wild.

There is a fix listed upstream in 2.6.23.15 and 2.6.24.1. However, even after
applying that patch and recompiling the kernel, the escalation-of-privilege
exploit still worked so I am wondering if 2.6.23.15 does not completely fix it.

Version-Release number of selected component (if applicable):

All 2.6.23.x kernels

How reproducible: 100%

Steps to Reproduce:
1. Download http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
2. cc -o exploit 27704.c
3. [as non-privileged user] ./exploit
  
Actual results:

Root shell

Expected results:

No root shell.

Additional info:

When I altered the kernel spec file for 2.6.23.14-115.fc8 to pull 2.6.23.15
instead of 2.6.23.14 (and altered linux-2.6-highres-timers.patch to apply
cleanly, and removed the already-included-in-2.6.23.15 patches
linux-2.6-net-silence-noisy-printks.patch and
linux-2.6-freezer-fix-apm-emulation-breakage.patch), rebuilt a new kernel RPM,
installed it, and rebooted, the above exploit still worked. So it is possible an
additional patch is needed against 2.6.23, unless I just goofed somehow in my
kernel rebuild. (I did check and the file fs/splice.c was correctly patched and
included the lines that were supposed to fix this problem...)

-- Additional comment from bojan on 2008-02-10 01:47 EST --
I see 2.6.23.15 has been built in Koji. When is this going to get pushed into
stable updates?

-- Additional comment from ps on 2008-02-10 07:10 EST --
*** Bug 432244 has been marked as a duplicate of this bug. ***

-- Additional comment from ps on 2008-02-10 09:14 EST --
Relevant information about patch: http://lkml.org/lkml/2008/2/10/118

-- Additional comment from ps on 2008-02-10 09:19 EST --
Relevant discussion at gmane.linux.kernel mailing list:
http://thread.gmane.org/gmane.linux.kernel/637339

-- Additional comment from jonstanley on 2008-02-10 10:21 EST --
Bringing in RH Security Response team.

-- Additional comment from pspencer.ca on 2008-02-10 14:38 EST --
I can confirm that applying the patch at the bottom of
http://lkml.org/lkml/2008/2/10/118 (thanks, Pavel!), as well as applying the
patch in 2.6.23.15/2.6.24.1, does indeed prevent the published exploit from
working on our system.

Whether or not it closes all attack vectors, it is probably worth pushing out at
least as an interim update since it prevents the published exploit from working
and that published exploit is being actively exploited in the wild.

Note that I believe a new CVE identifier has been assigned for the vulnerability
that 2.6.23.15/2.6.24.1 does not fix: CVE-2008-0600

Also note that, unlike CVE-2008-0009/0010, this is not specific to the
2.6.23/2.6.24 kernels. Older kernels are vulnerable too (including, for example, 
2.6.18-53.1.4.el5 -- on that kernel, it is necessary to add
#define PAGE_SIZE getpagesize() to the published exploit, but with that addition
it works to get an instant root shell.)

I am *extremely* thankful this is only a local escalation-of-privilege and not a
remote root. It's bad enough as it is given what seems to be a significant
number of machines out there with hacked-up ssh/sshd binaries that record user
names and passwords, but a remote root being exploited in the wild like this
well before a working patch would be a nightmare!


-- Additional comment from mjc on 2008-02-10 15:15 EST --
Fixing CVE name: the exploit "jessica_biel" is for CVE-2008-0600

-- Additional comment from mjc on 2008-02-10 15:16 EST --
*** Bug 432263 has been marked as a duplicate of this bug. ***

-- Additional comment from mjc on 2008-02-10 16:05 EST --
So to fix this you need 2.6.24.1 + 
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

or if backporting, an earlier kernel plus both
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361
and
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

Comment 1 Chuck Ebbert 2008-02-11 03:14:44 UTC
Fixed in:

kernel-2.6.24.1-28.fc9
kernel-2.6.23.15-137.fc8
kernel-2.6.24.1-28.fc9

Comment 2 Chuck Ebbert 2008-02-11 03:15:51 UTC
Fixed in:

kernel-2.6.24.1-28.fc9
kernel-2.6.23.15-137.fc8
kernel-2.6.23.15-80.fc7

Comment 3 Fedora Update System 2008-02-11 03:33:30 UTC
kernel-2.6.23.15-80.fc7 has been submitted as an update for Fedora 7

Comment 4 Mark J. Cox 2008-02-11 09:57:20 UTC
*** Bug 432320 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2008-02-11 22:38:17 UTC
kernel-2.6.23.15-80.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.