grsecurity forums

by **btnet** » Tue Feb 12, 2008 4:17 am

hey, it seems like all versions of grsec, the stable one and testing one with it's kernel versions it's vulnerable to the vmsplice exploit: http://www.milw0rm.com/exploits/5092

a dumb user from my system tried to gain root, gained root but lucky me, the system crashed after ( ran out of memory, responded to pings only, no daemon working )
currently the only fix I could find was to upgrade to this latest kernel 2.6.24.2, with no grsec. I previously had grsecurity-2.1.11-2.6.23.14-200801231800 but I had to give up on it to prevent any more attempts or chases.

do you have any test patches or something that ... skips this ugly vulnerability ?

by **tjh** » Tue Feb 12, 2008 4:22 am

There's a PAX patch here: http://www.grsecurity.net/~paxguy1/pax- ... st14.patch

It's not the full GrSec, but it's a lot better than just a vanilla kernel.

by **btnet** » Tue Feb 12, 2008 4:34 am

I never used PAX and im not familiar with it therefore I would like not to do any mistakes using pax since the server is 600 km away and I have limited support for reboots and so, im still waiting for grsec in only intersted in thata uditing tools and proc restrictions.

by **tjh** » Tue Feb 12, 2008 5:36 am

PAX is a fairly major part of GrSecurity, so unless you're leaving those options off when you compile a GrSec enabled Kernel, I suspect you've used PAX before?#

I know what you mean though, my main server is in New Zealand and I'm in the UK. Makes upgrading a bit scary...

by **forsaken** » Tue Feb 12, 2008 7:21 am

Doesn't seem to work on my 64bit machine (no 32bit emulation).

Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x337f758d0000 .. 0x337f75902000
Segmentation fault

by **hanno** » Tue Feb 12, 2008 7:27 am

forsaken, the other exploit works on amd64, I've tested (milw0rm lists two).

To the original poster: It's possible to patch a 2.6.23-kernel with grsecurity and the fix. I've listed the neccessary patches at

http://www.schokokeks.org/blog/local_ro ... nux_kernel

(it's german, but that shouldn't matter, as you're mainly interested in the patch links)

by **btnet** » Tue Feb 12, 2008 8:44 am

hanno thank you your solution worked fine, im grsec back again

by **spender** » Wed Feb 13, 2008 6:01 pm

I guess none of you enabled UDEREF?

It stops both public exploits from causing a compromise, though the system will still be left in an unstable state.

A 2.6.24.2 patch has been uploaded to the server.

-Brad

by **Myron** » Thu Feb 14, 2008 6:27 pm

I don't know if this will help but on my grsec installations I loaded the ptpatch2008 kernel module which stopped the publicly available vmsplice exploits which I tested.

I tried several fixes but all of the other ones left the grsec kernel in a unstable state.

This one seemed to work. I downloaded it at : http://home.powertech.no/oystein/ptpatch2008/

Hope this helps...

grsecurity forums

urgent, kernel + grsec vulnerability

urgent, kernel + grsec vulnerability

Re: urgent, kernel + grsec vulnerability

Re: urgent, kernel + grsec vulnerability

Re: urgent, kernel + grsec vulnerability

Re: urgent, kernel + grsec vulnerability

Re: urgent, kernel + grsec vulnerability

Re: urgent, kernel + grsec vulnerability

Re: urgent, kernel + grsec vulnerability

Re: urgent, kernel + grsec vulnerability