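*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers (mdeslaur):

Binary package hint: linux-image-2.6.35-22-virtual

While regular 2.6.32-based kernel images as well as maverick's 2.6.35 branch already got some bugfixes for the econet module (USN-1023-1), there is a newer local exploit by Dan Rosenberg that combines several exploits discovered by Nelson Elhage to get a root shell:
http://seclists.org/fulldisclosure/2010/Dec/85

He made the exploit in a way it shouldn't work on most default (patched) distributions so there is no abuse. This exploit seems not to work in the latest Maverick kernel (see: http://seclists.org/fulldisclosure/2010/Dec/115), but the most recent lts-backport-maverick 2.6.35-22.34, which is in the official repositories, can be exploited with the code.

s...@gemini:~$ uname -a
Linux gemini 2.6.35-22-virtual #34~lucid1-Ubuntu SMP Mon Oct 11 15:07:52 UTC 2010 x86_64 GNU/Linux
s...@gemini:~$ ./a.out
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xffffffffa0376510
 [+] Resolved econet_ops to 0xffffffffa0376620
 [+] Resolved commit_creds to 0xffffffff81085dc0
 [+] Resolved prepare_kernel_cred to 0xffffffff81086290
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# lsmod
Module                  Size  Used by
[...]
econet                 11162  2
-> econet is loaded after exploit was run

And yes, you get a working root shell after the exploit run.

Update: It's only a local flaw, but econet got some fixes in both stock lucid and maverick kernels while lts-backport-maverick didn't get them. That's the point. :-)

** Affects: linux-lts-backport-maverick (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: exploit root

--
[econet] LTS Maverick backport kernel: Local privilege escalation
https://bugs.edge.launchpad.net/bugs/687437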
Binary package hint: linux-image-2.6.35-22-virtual While regular 2.6.32-based kernel images as well as maverick's 2.6.35 branch already got some bugfixes for econet module (USN-1023-1) there is a newer local exploit by Dan Rosenberg that combines several exploit discovered by Nelson Elhage to get a root shell: http://seclists.org/fulldisclosure/2010/Dec/85 He made the exploit in a way it shouldn't work on most default (patched) distributions so there is no abuse. This exploit seems not to work in the latest Maverick kernel (See: http://seclists.org/fulldisclosure/2010/Dec/115), but the most recent lts-backport-maverick 2.6.35-22.34 which is in the official repositories can be exploited with the code. s...@gemini:~$ uname -a Linux gemini 2.6.35-22-virtual #34~lucid1-Ubuntu SMP Mon Oct 11 15:07:52 UTC 2010 x86_64 GNU/Linux s...@gemini:~$ ./a.out [*] Resolving kernel addresses... [+] Resolved econet_ioctl to 0xffffffffa0376510 [+] Resolved econet_ops to 0xffffffffa0376620 [+] Resolved commit_creds to 0xffffffff81085dc0 [+] Resolved prepare_kernel_cred to 0xffffffff81086290 [*] Calculating target... [*] Triggering payload... [*] Got root! # lsmod Module Size Used by [...] econet 11162 2 -> econet is loaded after exploit was run And yes, you get a working root shell after the exploit run. Update: It's only a local flaw but econet got some fixes in both stock lucid and maverick kernel while lts-backport-maverick didn't get them. That's the point. :-) ** Affects: linux-lts-backport-maverick (Ubuntu) Importance: Undecided Status: New ** Tags: exploit root -- [econet] LTS Maverick backport kernel: Local privilege escalation https://bugs.edge.launchpad.net/bugs/687437 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs