New Local Linux Kernel Root Exploit Published

An interesting exploit for the Linux kernel that enables an attacker to escalate his privileges on a local machine has popped up on the Full Disclosure mailing list. The exploit chains together three separate bugs to get root on a vulnerable machine.

The exploit was posted Tuesday by Dan Rosenberg on Full Disclosure and he explains in his post that the exploit is specifically designed to be somewhat limited so that it’s not easily usable by low-level attackers. The exploit affects Linux kernel version 2.6.37, however two of the bugs that Rosenberg uses in the exploit have been patched by two of the major Linux distributions.

“In the interest of public safety, this exploit was specifically designed to be limited:

• The particular symbols I resolve are not exported on Slackware or Debian
• Red Hat does not support Econet by default
• CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and Debian
  However, the important issue, CVE-2010-4258, affects everyone, and it would be trivial to find an unpatched DoS under KERNEL_DS and write a slightly more sophisticated version of this that doesn’t have the roadblocks I put in to prevent abuse by script kiddies,” Rosenberg wrote.

The most interesting of the three vulnerabilities, however, is a recent one that is still unpatched in the Linux kernel. The bug is a local address limit override vulnerability.

“This is the interesting one, and the reason I wrote this exploit. If a thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL word will be written to a user-specified pointer when that thread exits. This write is done using put_user(), which ensures the provided destination resides in valid userspace by invoking access_ok(). However, Nelson discovered that when the kernel performs an address limit override via set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault, etc.), this override is not reverted before calling put_user() in the exit path, allowing a user to write a NULL word to an arbitrary kernel address. Note that this issue requires an additional vulnerability to trigger,” Rosenberg wrote in his advisory.