Linux Kernel Bashing

This summer may have placed a few burdens on Linux administrators. With all the patching necessary to keep their systems out of the hands of those who would choose to exploit them, unless you're using something like Ksplice, you've more than likely rebooted many times already. Well, here is one more reason to wake up this early this morning…

New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.

linux@ubuntu:~/2009-proto_ops$ sh run.sh
run.c: In function ‘main’:
run.c:13: warning: missing sentinel in function call
padlina z lublina!
# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev)
# exit
linux@ubuntu:~/2009-proto_ops$

A reliable local root exploit that affects all Linux 2.x kernels. Feels like 2003 all over again :X

  • Tester

    I just ran this this morning and it did not work. Here are some details.

    Linux@ubuntu:~/Desktop$ sh run.sh
    run.c: In function ‘main’:
    run.c:13: warning: missing sentinel in function call
    padlina z lublina!
    mprotect: Cannot allocate memory
    Linux@ubuntu:~/Desktop$ id
    uid=1000(Linux) gid=1000(Linux) groups=4(adm),20(dialout),24(cdrom),46(plugdev),108(lpadmin),123(admin),124(sambashare),1000(Linux)
    Linux@ubuntu:~/Desktop$ cat /etc/lsb-release
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=9.04
    DISTRIB_CODENAME=jaunty
    DISTRIB_DESCRIPTION="Ubuntu 9.04"
    Linux@ubuntu::~/Desktop$ uname -r
    2.6.28-14-generic