Bug 432517 - Vulnerability to CVE-2008-0600 (vmsplice)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel-xen-2.6
Version: 8
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Eduardo Habkost
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-02-12 10:44 EST by Jan ONDREJ
Modified: 2008-02-13 12:42 EST (History)

Fixed In Version: 2.6.21-2957.fc8
Doc Type: Bug Fix
Last Closed: 2008-02-12 23:48:35 EST
Attachments: None
Description Jan ONDREJ 2008-02-12 10:44:07 EST
Description of problem:
kernel-xen is still vulnerable to this vulnerability. Hack tested on my machine.

Version-Release number of selected component (if applicable):
kernel-xen-2.6.21-2952.fc8
may be the .fc7 version too

How reproducible:
always

Steps to Reproduce:
1. use the exploit
  
Actual results:
User root.

Expected results:
non hacked system :)

Additional info:
For more information see these bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=432229
https://bugzilla.redhat.com/show_bug.cgi?id=432283

I have tried to patch the latest stable Fedora kernel with the patch from the stable kernel.
You can see my package here:
http://www.salstar.sk/pub/fedora/testing/8/kernel-xen-2.6-2.6.21-2952.fc8.1.src.rpm

If you need patch and spec only, just tell me.
Comment 1 Eduardo Habkost 2008-02-12 12:14:10 EST
F-8 update building: http://koji.fedoraproject.org/koji/taskinfo?taskID=419352
Comment 2 Eduardo Habkost 2008-02-12 12:18:04 EST
F-7 update building: http://koji.fedoraproject.org/koji/taskinfo?taskID=419363
Comment 3 Eduardo Habkost 2008-02-12 12:51:07 EST
(In reply to comment #1)
> F-8 update building: 
http://koji.fedoraproject.org/koji/taskinfo?taskID=419352

Oops, that was the URL for the Rawhide build.

F-8 update is being built here: 
http://koji.fedoraproject.org/koji/taskinfo?taskID=419415
Comment 5 Daniel Berrange 2008-02-12 13:45:32 EST
No, the xen kernels follow the style of the regular kernel spec files. The EVR
is not entered manually. It is automatically computed based on the CVS
revision number. We're not going to second-guess the CVS revision in changelogs.
Comment 6 Jan ONDREJ 2008-02-12 14:41:21 EST
Maybe for a start it's enough to add the version (without epoch and release). It can
be helpful to see which changes have been made in which release.

Kernel 2.6.21-2957.fc8xen works well for me. Exploit is not usable. Thanks for
quick response.

-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f1d000 .. 0xb7f4f000
[-] vmsplice: Bad address
Comment 7 Fedora Update System 2008-02-12 14:44:36 EST
kernel-xen-2.6-2.6.21-7.fc7 has been submitted as an update for Fedora 7
Comment 8 Fedora Update System 2008-02-12 14:45:43 EST
kernel-xen-2.6-2.6.21-2957.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-02-12 23:48:33 EST
kernel-xen-2.6-2.6.21-2957.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-02-13 00:16:55 EST
kernel-xen-2.6-2.6.21-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Jan Lieskovsky 2008-02-13 09:54:01 EST
Attaching 2.6.21-7.fc7xen testing results:

[testuser@hp-xw8600-01 tmp]$ ./2008-0600
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f7f000 .. 0xb7fb1000
[-] vmsplice: Bad address
[testuser@

Exploit no more present in this kernel.
Comment 12 Jan Lieskovsky 2008-02-13 10:30:48 EST
Attaching 2.6.21-2957.fc8xen testing results:

[testuser@nec-em7 tmp]$ ./2008-0600
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f30000 .. 0xb7f62000
[-] vmsplice: Bad address
[testuser@nec-em7 tmp]$

Issue no more present in this kernel -> this one can be closed.
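The three test runs above all end in "[-] vmsplice: Bad address", which is the EFAULT a fixed kernel returns once fs/splice.c validates every iovec passed to vmsplice(2) with access_ok(). The probe below, added here as an illustration and not code from this bug report, from qaaz's exploit or from Fedora, reproduces only that error path: it splices a normal user buffer into a pipe (which must still work) and then hands the kernel an iovec whose base is a constructed address at the top of the address space (never a valid user mapping), expecting EFAULT. It calls the raw syscall through syscall(2) rather than the glibc wrapper, and the kernel-range address is an assumption chosen for illustration.

```c
/*
 * Regression probe for the CVE-2008-0600 fix in fs/splice.c.  A patched
 * kernel checks each iovec handed to vmsplice(2) with access_ok() and fails
 * the call with EFAULT ("Bad address") when the entry lies outside the
 * caller's address space.  Added example for this bug, not code from the
 * report, from the exploit or from Fedora; it exercises only the error
 * path and carries no exploit logic.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>

/*
 * Splice one user buffer into a fresh pipe.  Returns 0 and stores the byte
 * count in *spliced on success, otherwise the errno vmsplice() reported.
 * syscall(2) is used directly so the probe does not depend on the glibc
 * vmsplice() wrapper being declared.
 */
static int vmsplice_probe(void *base, size_t len, ssize_t *spliced)
{
    int pfd[2];
    struct iovec iov = { .iov_base = base, .iov_len = len };
    int err = 0;

    if (pipe(pfd) < 0)
        return errno;

    long n = syscall(SYS_vmsplice, pfd[1], &iov, 1UL, 0U);
    if (n < 0)
        err = errno;
    else
        *spliced = (ssize_t)n;

    close(pfd[0]);
    close(pfd[1]);
    return err;
}

/* A readable user buffer: a fixed kernel still accepts it.  Returns 1 if
 * the whole buffer was spliced, 0 otherwise. */
int probe_valid_buffer(void)
{
    static char buf[4096];
    ssize_t n = 0;
    memset(buf, 'A', sizeof buf);
    int err = vmsplice_probe(buf, sizeof buf, &n);
    return err == 0 && n == (ssize_t)sizeof buf;
}

/*
 * An iovec whose base sits in the kernel half of the address space.  The
 * missing access_ok() on this value is what CVE-2008-0600 was about; a fixed
 * kernel answers EFAULT before touching the address, which is the
 * "[-] vmsplice: Bad address" line in the test output above.
 * Returns the errno from vmsplice(); EFAULT is the expected value.
 */
int probe_kernel_address(void)
{
    /* Assumed, constructed address: just below the top of the address
     * space, which is never a valid user mapping on Linux. */
    void *kaddr = (void *)(UINTPTR_MAX - 0x10000);
    ssize_t n = 0;
    return vmsplice_probe(kaddr, 4096, &n);
}

int main(void)
{
    printf("valid user buffer spliced: %s\n",
           probe_valid_buffer() ? "yes" : "no");
    int err = probe_kernel_address();
    printf("kernel-range iovec: %s\n",
           err == EFAULT ? "EFAULT (fixed kernel)" : strerror(err));
    return 0;
}
```

The probe is a pass/fail check, not a proof of absence: a kernel that answers EFAULT here has the access_ok() check on the vmsplice_to_pipe path, which is the behaviour the updated 2.6.21-2957.fc8xen and 2.6.21-7.fc7xen kernels show above. Run it as an unprivileged user; it needs no root and touches nothing outside its own pipe.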
Comment 13 Jan ONDREJ 2008-02-13 12:42:55 EST
This bug is already closed. Please do not post more results until you find another
hack. Thank you.
