Red Hat Bugzilla – Bug 432283
[SECURITY] CVE-2008-0600 local escalation of privilege
Last modified: 2008-02-12 10:03:18 EST
+++ This bug was initially created as a clone of Bug #432229 +++
Description of problem:
Local user can obtain root access (as described below).
This bug is being actively exploited in the wild -- our server was just broken
into by an attacker using it. (They got a user's password by previously
compromising a machine somewhere else where that user had an account, and
installed a modified ssh binary on it to record user names and passwords. Then
they logged in to our site as that user, exploited CVE-2008-0010, and became root).
It is EXTREMELY urgent that a fixed kernel be provided ASAP given that this bug
is being actively exploited in the wild.
There is a fix listed upstream in 126.96.36.199 and 188.8.131.52. However, even after
applying that patch and recompiling the kernel, the escalation-of-privilege
exploit still worked so I am wondering if 184.108.40.206 does not completely fix it.
Version-Release number of selected component (if applicable):
All 2.6.23.x kernels
How reproducible: 100%
Steps to Reproduce:
1. Download http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
2. cc -o exploit 27704.c
3. [as non-privileged user] ./exploit
No root shell.
When I altered the kernel spec file for 220.127.116.11-115.fc8 to pull 18.104.22.168
instead of 22.214.171.124 (and altered linux-2.6-highres-timers.patch to apply
cleanly, and removed the already-included-in-126.96.36.199 patches
linux-2.6-freezer-fix-apm-emulation-breakage.patch), rebuilt a new kernel RPM,
installed it, and rebooted, the above exploit still worked. So it is possible an
additional patch is needed against 2.6.23, unless I just goofed somehow in my
kernel rebuild. (I did check and the file fs/splice.c was correctly patched and
included the lines that were supposed to fix this problem...)
-- Additional comment from email@example.com on 2008-02-10 01:47 EST --
I see 188.8.131.52 has been built in Koji. When is this going to get pushed into
-- Additional comment from firstname.lastname@example.org on 2008-02-10 07:10 EST --
*** Bug 432244 has been marked as a duplicate of this bug. ***
-- Additional comment from email@example.com on 2008-02-10 09:14 EST --
Relevant information about patch: http://lkml.org/lkml/2008/2/10/118
-- Additional comment from firstname.lastname@example.org on 2008-02-10 09:19 EST --
Relevant discussion at gmane.linux.kernel mailing list:
-- Additional comment from email@example.com on 2008-02-10 10:21 EST --
Bringing in RH Security Response team.
-- Additional comment from firstname.lastname@example.org on 2008-02-10 14:38 EST --
I can confirm that applying the patch at the bottom of
http://lkml.org/lkml/2008/2/10/118 (thanks, Pavel!), as well as applying the
patch in 184.108.40.206/220.127.116.11, does indeed prevent the published exploit from
working on our system.
Whether or not it closes all attack vectors, it is probably worth pushing out at
least as an interim update since it prevents the published exploit from working
and that published exploit is being actively exploited in the wild.
Note that I believe a new CVE identifier has been assigned for the vulnerability
that 18.104.22.168/22.214.171.124 does not fix: CVE-2008-0600
Also note that, unlike CVE-2008-0009/0010, this is not specific to the
2.6.23/2.6.24 kernels. Older kernels are vulnerable too (including, for example,
2.6.18-53.1.4.el5 -- on that kernel, it is necessary to add
#define PAGE_SIZE getpagesize() to the published exploit, but with that addition
it works to get an instant root shell.)
I am *extremely* thankful this is only a local escalation-of-privilege and not a
remote root. It's bad enough as it is given what seems to be a significant
number of machines out there with hacked-up ssh/sshd binaries that record user
names and passwords, but a remote root being exploited in the wild like this
well before a working patch would be a nightmare!
-- Additional comment from email@example.com on 2008-02-10 15:15 EST --
Fixing CVE name, the exploit "jessica_biel" is for CVE-2008-0600
-- Additional comment from firstname.lastname@example.org on 2008-02-10 15:16 EST --
*** Bug 432263 has been marked as a duplicate of this bug. ***
-- Additional comment from email@example.com on 2008-02-10 16:05 EST --
So to fix this you need 126.96.36.199 +
or if backporting, an earlier kernel plus both
kernel-188.8.131.52-80.fc7 has been submitted as an update for Fedora 7
*** Bug 432320 has been marked as a duplicate of this bug. ***
kernel-184.108.40.206-80.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
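The thread ends with the fixed builds being pushed to the Fedora stable repositories, so the practical follow-up for an administrator is to confirm that the kernel actually running on each host is at or beyond the fixed build. The following is an added example, not code from this bug report or from Red Hat: it compares RPM-style kernel release strings (the form `uname -r` prints on Fedora and RHEL, e.g. `2.6.23.14-115.fc8` or `2.6.18-53.1.4.el5`) segment by segment, the way RPM version ordering does, and reports whether an update is still needed for the host's distribution tag. Because the upstream version digits of the fixed builds are not legible on this page, the `FIXED_BUILD_BY_DIST` table holds constructed placeholder values; replace them with the build names from the actual erratum before use.

```python
import re
import subprocess

# Constructed placeholder table of "fixed" kernel builds keyed by distribution tag.
# Only the "-80.fc7" release part is legible on the bug page; every upstream
# version number below is made up for this demonstration. Take the real
# name-version-release from the erratum before relying on this.
FIXED_BUILD_BY_DIST = {
    "fc7": "2.6.23.20-80.fc7",   # constructed placeholder
    "fc8": "2.6.23.20-115.fc8",  # constructed placeholder
    "el5": "2.6.18-53.1.9.el5",  # constructed placeholder
}

# Constructed sample `uname -r` outputs used by the demo below.
SAMPLE_HOSTS = [
    "2.6.23.14-115.fc8",   # older fc8 build
    "2.6.23.20-80.fc7",    # exactly the (placeholder) fixed fc7 build
    "2.6.23.20-81.fc7",    # newer than the fixed fc7 build
    "2.6.18-53.1.4.el5",   # the EL5 kernel the reporter tested
    "2.6.24-1.x86_64",     # no recognised dist tag -> cannot judge
]


def _tokens(s):
    """Split a version or release string into digit runs (as ints) and
    alphabetic runs, ignoring separators, like RPM's version comparison."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def _cmp_tokens(a, b):
    """Return -1, 0 or 1 comparing two token lists with RPM-like rules:
    numbers compare numerically, letters lexically, a numeric segment sorts
    newer than an alphabetic one, and a longer list sorts newer."""
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(a) > len(b)) - (len(a) < len(b))


def parse_build(nvr):
    """Split '2.6.23.14-115.fc8' into (version tokens, release tokens)."""
    version, _, release = nvr.partition("-")
    return _tokens(version), _tokens(release)


def dist_tag(nvr):
    """Return the trailing Fedora/RHEL dist tag ('fc7', 'el5', ...) or None."""
    m = re.search(r"\.(fc\d+|el\d+)$", nvr)
    return m.group(1) if m else None


def compare_builds(a, b):
    """Order two kernel builds: version first, then release. -1/0/1 like cmp."""
    av, ar = parse_build(a)
    bv, br = parse_build(b)
    return _cmp_tokens(av, bv) or _cmp_tokens(ar, br)


def needs_update(installed, fixed_by_dist=FIXED_BUILD_BY_DIST):
    """True if the installed build is older than the fixed build for its
    dist tag, False if it is at least the fixed build, None if the dist tag
    is missing or not in the table (cannot judge)."""
    tag = dist_tag(installed)
    if tag is None or tag not in fixed_by_dist:
        return None
    return compare_builds(installed, fixed_by_dist[tag]) < 0


def running_kernel():
    """The release string of the kernel this process is running under."""
    return subprocess.check_output(["uname", "-r"], text=True).strip()


if __name__ == "__main__":
    # Demo over the constructed samples, then the live host.
    for rel in SAMPLE_HOSTS + [running_kernel()]:
        verdict = {True: "UPDATE NEEDED", False: "ok", None: "unknown dist"}[needs_update(rel)]
        print(f"{rel:24s} {verdict}")
```

Run it on a host as any user; `uname -r` needs no privileges. A `None` verdict means the release string carries no tag the table knows, not that the kernel is safe.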