
urgent, kernel + grsec vulnerability

Posted: Tue Feb 12, 2008 4:17 am
by btnet
Hey, it seems like all versions of grsec, the stable one and the testing one, with their kernel versions, are vulnerable to the vmsplice exploit: http://www.milw0rm.com/exploits/5092

A dumb user from my system tried to gain root, and gained root, but lucky me, the system crashed afterwards (ran out of memory, responded to pings only, no daemon working).
Currently the only fix I could find was to upgrade to this latest kernel, 2.6.24.2, with no grsec. I previously had grsecurity-2.1.11-2.6.23.14-200801231800 but I had to give up on it to prevent any more attempts or chases.

do you have any test patches or something that ... skips this ugly vulnerability ?

Re: urgent, kernel + grsec vulnerability

Posted: Tue Feb 12, 2008 4:22 am
by tjh
There's a PAX patch here: http://www.grsecurity.net/~paxguy1/pax- ... st14.patch

It's not the full GrSec, but it's a lot better than just a vanilla kernel.

Re: urgent, kernel + grsec vulnerability

Posted: Tue Feb 12, 2008 4:34 am
by btnet
I never used PAX and I'm not familiar with it, therefore I would not like to make any mistakes using PAX, since the server is 600 km away and I have limited support for reboots and so on. I'm still waiting for grsec; I'm only interested in the auditing tools and proc restrictions.

Re: urgent, kernel + grsec vulnerability

Posted: Tue Feb 12, 2008 5:36 am
by tjh
PAX is a fairly major part of GrSecurity, so unless you're leaving those options off when you compile a GrSec-enabled kernel, I suspect you've used PAX before?

I know what you mean though, my main server is in New Zealand and I'm in the UK. Makes upgrading a bit scary...

Re: urgent, kernel + grsec vulnerability

Posted: Tue Feb 12, 2008 7:21 am
by forsaken
Doesn't seem to work on my 64bit machine (no 32bit emulation).

Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x337f758d0000 .. 0x337f75902000
Segmentation fault

Re: urgent, kernel + grsec vulnerability

Posted: Tue Feb 12, 2008 7:27 am
by hanno
forsaken, the other exploit works on amd64, I've tested (milw0rm lists two).

To the original poster: It's possible to patch a 2.6.23 kernel with grsecurity and the fix. I've listed the necessary patches at

http://www.schokokeks.org/blog/local_ro ... nux_kernel

(it's german, but that shouldn't matter, as you're mainly interested in the patch links)

Re: urgent, kernel + grsec vulnerability

Posted: Tue Feb 12, 2008 8:44 am
by btnet
hanno, thank you, your solution worked fine, I'm back on grsec again :P

Re: urgent, kernel + grsec vulnerability

Posted: Wed Feb 13, 2008 6:01 pm
by spender
I guess none of you enabled UDEREF? :) It stops both public exploits from causing a compromise, though the system will still be left in an unstable state.

A 2.6.24.2 patch has been uploaded to the server.

-Brad

Re: urgent, kernel + grsec vulnerability

Posted: Thu Feb 14, 2008 6:27 pm
by Myron
I don't know if this will help but on my grsec installations I loaded the ptpatch2008 kernel module which stopped the publicly available vmsplice exploits which I tested.

I tried several fixes but all of the other ones left the grsec kernel in an unstable state.

This one seemed to work. I downloaded it at: http://home.powertech.no/oystein/ptpatch2008/

Hope this helps...
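The thread settles on three defences: moving to 2.6.24.2 (btnet's upgrade, spender's uploaded patch), backporting the fix onto a 2.6.23 grsec kernel (hanno's links), or a mitigation module (Myron's ptpatch2008). A quick inventory check an admin with a remote box can run is a version comparison of `uname -r` against the 2.6.24.2 release the thread names. The script below is an added example, not code from the thread or from grsecurity; it assumes that 2.6.24.2 is the threshold the posters used and treats anything older as "needs a closer look", because a backported fix like hanno's patched 2.6.23 is invisible to a version check and can only be confirmed by knowing which patches went into the build.

```sh
#!/bin/sh
# Added example (not from the thread): flag kernels whose release string is
# older than 2.6.24.2, the mainline version the thread reports as carrying
# the vmsplice fix. Assumption: a backported fix (hanno's patched 2.6.23,
# a vendor kernel) is invisible to a version check, so "older" means
# "verify the build", not "proven vulnerable".
FIXED_VERSION="2.6.24.2"

# version_lt A B: exit 0 if kernel release A is numerically older than B.
# Anything after the first '-' (e.g. "-grsec") is a local suffix and ignored;
# missing components are treated as 0, so 2.6.24 sorts below 2.6.24.2.
version_lt() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        na = split(a, x, ".")
        nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal: not older
    }'
}

# check_kernel RELEASE: print a verdict for one release string and return
# 0 when it is at or above FIXED_VERSION, 1 when it is older.
check_kernel() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "CHECK: $1 is older than $FIXED_VERSION (confirm a backported fix or upgrade)"
        return 1
    fi
    echo "OK: $1 is $FIXED_VERSION or newer"
    return 0
}

# Constructed sample release strings; on a live host use: check_kernel "$(uname -r)"
for rel in "2.6.23.14-grsec" "2.6.24" "2.6.24.2-grsec" "2.6.25"; do
    check_kernel "$rel" || :
done
```

The suffix stripping matters for grsec builds, whose release strings carry a local tag after the dash; without it a naive string comparison would misorder them. The "CHECK" verdict is deliberately not called "vulnerable": on a box like hanno's, where the fix was applied to 2.6.23 by patch, the version stays old while the hole is closed, so the script is an inventory aid, not proof either way.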