Linux kernel PRCTL local privilege escalation
This vulnerability lets an unprivileged local attacker gain root on the machine. Several exploits have been released, and we can confirm that they work: we have tested this on unpatched SuSE and RedHat Enterprise Linux machines. Sample exploit output:
$ ./a.out
prctl() suidsafe exploit
(C) Julien TINNES
[+] Installed signal handler
[+] We are suidsafe dumpable!
[+] Malicious string forged
[+] Segfaulting child
[+] Waiting for exploit to succeed (~28 seconds)
[+] getting root shell
sh-3.00#
Debian also confirmed that this exploit was used in the recent compromise of one of their machines (http://isc.sans.org/diary.php?storyid=1479).
All kernels from 2.6.13 up to, but not including, 2.6.17.4 are affected, as is the 2.6.16 stable series before 2.6.16.24, so you should patch as soon as possible, even if you don't allow any local users on your machines. Remember that even a small vulnerability in a PHP script can give an attacker code execution as the web-server user, and that local foothold is all this exploit needs to get root.
A CVE has been assigned for this vulnerability: CVE-2006-2451 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2451).
Thanks to David Taylor for sending information about this to us.
Update: (2006-07-14 20:13 UTC) In a posting on Bugtraq, Ronald Timmerman suggests the following as a possible work-around for those who can't patch immediately:
# echo /root/core > /proc/sys/kernel/core_pattern
The pattern must be an absolute path into a root-only directory: a relative core_pattern is resolved against the crashing process's current working directory, which the attacker chooses. A value written into /proc this way does not survive a reboot, so also add kernel.core_pattern = /root/core to /etc/sysctl.conf. This is a mitigation only; the kernel update remains the fix.
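As an added example (not part of this diary and not taken from the exploit quoted above), the following C program checks the two conditions a practitioner would want to verify on a host: whether the kernel still lets an unprivileged process request the "suidsafe" dumpable mode with prctl(PR_SET_DUMPABLE, 2), which is the condition the exploit reports as "[+] We are suidsafe dumpable!", and whether kernel.core_pattern is an absolute path as in the work-around. Kernels carrying the 2.6.17.4 / 2.6.16.24 fix only accept 0 or 1 and return EINVAL for 2. The probe only toggles its own dumpable flag and restores it; the function names, the file name and the build line are my own.

```c
/* Added example (not from the ISC diary or the exploit it quotes): probe a
 * host for the two conditions behind CVE-2006-2451 and its work-around.
 *
 *  1. Does the kernel let an unprivileged process request the "suidsafe"
 *     dumpable mode, prctl(PR_SET_DUMPABLE, 2)?  This is the check the
 *     exploit reports as "[+] We are suidsafe dumpable!".  Kernels with
 *     the fix only accept 0 or 1 and return EINVAL for 2.
 *  2. Is kernel.core_pattern fully qualified?  A relative pattern is
 *     resolved against the crashing process's working directory, which
 *     an attacker chooses; the work-around above pins it to /root/core.
 *
 * Build and run as an ordinary user:
 *   cc -Wall -o prctl_probe prctl_probe.c && ./prctl_probe
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* 1 if the kernel accepted dumpable mode 2 (unpatched behaviour),
 * 0 if it rejected the value, -1 on an unexpected prctl() failure.
 * The process's own dumpable flag is restored before returning. */
int kernel_accepts_suidsafe_dumpable(void)
{
    int prev = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (prev < 0)
        return -1;

    int accepted;
    if (prctl(PR_SET_DUMPABLE, 2, 0, 0, 0) == 0)
        accepted = 1;
    else if (errno == EINVAL)
        accepted = 0;
    else
        return -1;

    /* Undo the change so this process never dumps core as root. */
    (void)prctl(PR_SET_DUMPABLE, prev, 0, 0, 0);
    return accepted;
}

/* 1 if a core_pattern value names an absolute path (or, on kernels newer
 * than the affected range, a "|helper" pipe), 0 if it is a relative
 * file name such as "core" or "core.%p".  Leading blanks are skipped. */
int core_pattern_is_absolute(const char *pattern)
{
    while (*pattern == ' ' || *pattern == '\t')
        pattern++;
    return pattern[0] == '/' || pattern[0] == '|';
}

/* Copies the live setting from /proc into buf without its trailing
 * newline.  Returns 0 on success, -1 if /proc is unavailable. */
int read_core_pattern(char *buf, size_t len)
{
    FILE *f = fopen("/proc/sys/kernel/core_pattern", "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, (int)len, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    char pattern[256];

    switch (kernel_accepts_suidsafe_dumpable()) {
    case 1:
        puts("prctl(PR_SET_DUMPABLE, 2) accepted: kernel is NOT patched for CVE-2006-2451");
        break;
    case 0:
        puts("prctl(PR_SET_DUMPABLE, 2) rejected: fix for CVE-2006-2451 is present");
        break;
    default:
        perror("prctl");
        return 1;
    }

    if (read_core_pattern(pattern, sizeof pattern) != 0) {
        perror("/proc/sys/kernel/core_pattern");
        return 1;
    }
    printf("kernel.core_pattern = \"%s\" (%s)\n", pattern,
           core_pattern_is_absolute(pattern)
               ? "absolute: work-around in place"
               : "relative: core lands in the crashing process's cwd");
    return 0;
}
```

Run it before and after applying the kernel update or the core_pattern change; a patched kernel reports the prctl() call as rejected regardless of core_pattern, while an unpatched kernel with the work-around applied still reports the call as accepted and relies on the absolute pattern alone.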