+++ This bug was initially created as a clone of Bug #432229 +++

Description of problem:
Local user can obtain root access (as described below). This bug is being actively exploited in the wild -- our server was just broken into by an attacker using it. (They got a user's password by previously compromising a machine somewhere else where that user had an account, and installed a modified ssh binary on it to record user names and passwords. Then they logged in to our site as that user, exploited CVE-2008-0010, and became root). It is EXTREMELY urgent that a fixed kernel be provided ASAP given that this bug is being actively exploited in the wild.

There is a fix listed upstream in 2.6.23.15 and 2.6.24.1. However, even after applying that patch and recompiling the kernel, the escalation-of-privilege exploit still worked, so I am wondering if 2.6.23.15 does not completely fix it.

Version-Release number of selected component (if applicable):
All 2.6.23.x kernels

How reproducible:
100%

Steps to Reproduce:
1. Download http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
2. cc -o exploit 27704.c
3. [as non-privileged user] ./exploit

Actual results:
Root shell

Expected results:
No root shell.

Additional info:
When I altered the kernel spec file for 2.6.23.14-115.fc8 to pull 2.6.23.15 instead of 2.6.23.14 (and altered linux-2.6-highres-timers.patch to apply cleanly, and removed the already-included-in-2.6.23.15 patches linux-2.6-net-silence-noisy-printks.patch and linux-2.6-freezer-fix-apm-emulation-breakage.patch), rebuilt a new kernel RPM, installed it, and rebooted, the above exploit still worked. So it is possible an additional patch is needed against 2.6.23, unless I just goofed somehow in my kernel rebuild. (I did check and the file fs/splice.c was correctly patched and included the lines that were supposed to fix this problem...)

-- Additional comment from bojan on 2008-02-10 01:47 EST --
I see 2.6.23.15 has been built in Koji. When is this going to get pushed into stable updates?

-- Additional comment from ps on 2008-02-10 07:10 EST --
*** Bug 432244 has been marked as a duplicate of this bug. ***

-- Additional comment from ps on 2008-02-10 09:14 EST --
Relevant information about patch: http://lkml.org/lkml/2008/2/10/118

-- Additional comment from ps on 2008-02-10 09:19 EST --
Relevant discussion at gmane.linux.kernel mailing list: http://thread.gmane.org/gmane.linux.kernel/637339

-- Additional comment from jonstanley on 2008-02-10 10:21 EST --
Bringing in RH Security Response team.

-- Additional comment from pspencer.ca on 2008-02-10 14:38 EST --
I can confirm that applying the patch at the bottom of http://lkml.org/lkml/2008/2/10/118 (thanks, Pavel!), as well as applying the patch in 2.6.23.15/2.6.24.1, does indeed prevent the published exploit from working on our system. Whether or not it closes all attack vectors, it is probably worth pushing out at least as an interim update since it prevents the published exploit from working and that published exploit is being actively exploited in the wild.

Note that I believe a new CVE identifier has been assigned for the vulnerability that 2.6.23.15/2.6.24.1 does not fix: CVE-2008-0600

Also note that, unlike CVE-2008-0009/0010, this is not specific to the 2.6.23/2.6.24 kernels. Older kernels are vulnerable too (including, for example, 2.6.18-53.1.4.el5 -- on that kernel, it is necessary to add #define PAGE_SIZE getpagesize() to the published exploit, but with that addition it works to get an instant root shell.)

I am *extremely* thankful this is only a local escalation-of-privilege and not a remote root. It's bad enough as it is given what seems to be a significant number of machines out there with hacked-up ssh/sshd binaries that record user names and passwords, but a remote root being exploited in the wild like this well before a working patch would be a nightmare!

-- Additional comment from mjc on 2008-02-10 15:15 EST --
Fixing CVE name, the exploit "jessica_biel" is for CVE-2008-0600

-- Additional comment from mjc on 2008-02-10 15:16 EST --
*** Bug 432263 has been marked as a duplicate of this bug. ***

-- Additional comment from mjc on 2008-02-10 16:05 EST --
So to fix this you need 2.6.24.1 + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44 or, if backporting, an earlier kernel plus both http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8811930dc74a503415b35c4a79d14fb0b408a361 and http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44
Fixed in: kernel-2.6.24.1-28.fc9 kernel-2.6.23.15-137.fc8 kernel-2.6.24.1-28.fc9
Fixed in: kernel-2.6.24.1-28.fc9 kernel-2.6.23.15-137.fc8 kernel-2.6.23.15-80.fc7
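A small audit helper, added here and not part of the bug thread, that tells a Fedora admin whether the running kernel is at or above the first fixed build listed above. It only knows the three "Fixed in" builds from this bug; the parsing of `uname -r` output into version, release number and dist tag is an assumption about the Fedora naming scheme, and anything it cannot judge (an el5 kernel, or a hand-rebuilt kernel without a dist tag, like the reporter's own 2.6.23.15 rebuild that was still exploitable) is reported as unknown rather than as fixed.

```python
"""Check a Fedora kernel release string against the CVE-2008-0600 fixed builds.

Added example for this bug report; not code from the Fedora kernel package.
"""
import re

# First fixed builds per Fedora release, exactly as listed in the bug's "Fixed in:" lines.
FIXED_BUILDS = {
    "fc7": "2.6.23.15-80.fc7",
    "fc8": "2.6.23.15-137.fc8",
    "fc9": "2.6.24.1-28.fc9",
}

# Assumed Fedora scheme: <dotted version>-<release number>.<fcN>[variant], e.g.
# "2.6.23.14-115.fc8" or "2.6.23.14-115.fc8PAE" (variant suffix optional).
_RELEASE_RE = re.compile(
    r"^(?P<ver>\d+(?:\.\d+)*)-(?P<rel>\d+)\.(?P<dist>fc\d+)(?:[A-Za-z]+)?$"
)


def parse_release(uname_r):
    """Split '2.6.23.14-115.fc8' into ((2, 6, 23, 14), 115, 'fc8').

    Returns None for strings that do not follow the Fedora scheme (el5 kernels,
    locally built kernels with no dist tag, etc.).
    """
    m = _RELEASE_RE.match(uname_r.strip())
    if not m:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    return version, int(m.group("rel")), m.group("dist")


def has_fix(uname_r):
    """True if the kernel is at or above the first fixed build for its Fedora
    release, False if it is older, None if the string cannot be judged."""
    parsed = parse_release(uname_r)
    if parsed is None:
        return None
    version, rel, dist = parsed
    fixed = FIXED_BUILDS.get(dist)
    if fixed is None:
        return None  # no fixed build for this dist tag is recorded in the bug
    fixed_version, fixed_rel, _ = parse_release(fixed)
    # Tuple comparison handles 2.6.23.15 > 2.6.23.14 and, within the same
    # version, the package release number (137 > 115).
    return (version, rel) >= (fixed_version, fixed_rel)


if __name__ == "__main__":
    import platform
    print(platform.release(), "->", has_fix(platform.release()))
```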
kernel-2.6.23.15-80.fc7 has been submitted as an update for Fedora 7
*** Bug 432320 has been marked as a duplicate of this bug. ***
kernel-2.6.23.15-80.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.