urgent, kernel + grsec vulnerability

urgent, kernel + grsec vulnerability

Post by btnet » Tue Feb 12, 2008 4:17 am

hey, it seems like all versions of grsec, the stable one and the testing one with its kernel versions, are vulnerable to the vmsplice exploit: http://www.milw0rm.com/exploits/5092

a dumb user from my system tried to gain root, gained root, but lucky me, the system crashed after (ran out of memory, responded to pings only, no daemon working)
currently the only fix I could find was to upgrade to this latest kernel 2.6.24.2, with no grsec. I previously had grsecurity-2.1.11-2.6.23.14-200801231800 but I had to give up on it to prevent any more attempts or chases.

do you have any test patches or something that ... skips this ugly vulnerability?
btnet
 
Posts: 21
Joined: Tue Jan 29, 2008 12:59 pm

Re: urgent, kernel + grsec vulnerability

Post by tjh » Tue Feb 12, 2008 4:22 am

There's a PAX patch here: http://www.grsecurity.net/~paxguy1/pax- ... st14.patch

It's not the full GrSec, but it's a lot better than just a vanilla kernel.
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: urgent, kernel + grsec vulnerability

Post by btnet » Tue Feb 12, 2008 4:34 am

I never used PAX and I'm not familiar with it, therefore I would like not to make any mistakes using PAX, since the server is 600 km away and I have limited support for reboots and so on. I'm still waiting for grsec, I'm only interested in the auditing tools and proc restrictions.
btnet
 
Posts: 21
Joined: Tue Jan 29, 2008 12:59 pm

Re: urgent, kernel + grsec vulnerability

Post by tjh » Tue Feb 12, 2008 5:36 am

PAX is a fairly major part of GrSecurity, so unless you're leaving those options off when you compile a GrSec enabled Kernel, I suspect you've used PAX before?

I know what you mean though, my main server is in New Zealand and I'm in the UK. Makes upgrading a bit scary...
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: urgent, kernel + grsec vulnerability

Post by forsaken » Tue Feb 12, 2008 7:21 am

Doesn't seem to work on my 64bit machine (no 32bit emulation).

Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x337f758d0000 .. 0x337f75902000
Segmentation fault
forsaken
 
Posts: 74
Joined: Tue May 18, 2004 3:04 am

Re: urgent, kernel + grsec vulnerability

Post by hanno » Tue Feb 12, 2008 7:27 am

forsaken, the other exploit works on amd64, I've tested (milw0rm lists two).

To the original poster: It's possible to patch a 2.6.23-kernel with grsecurity and the fix. I've listed the necessary patches at

http://www.schokokeks.org/blog/local_ro ... nux_kernel

(it's German, but that shouldn't matter, as you're mainly interested in the patch links)
hanno
 
Posts: 26
Joined: Thu Dec 16, 2004 4:37 am

Re: urgent, kernel + grsec vulnerability

Post by btnet » Tue Feb 12, 2008 8:44 am

hanno, thank you, your solution worked fine, I'm grsec back again :P
btnet
 
Posts: 21
Joined: Tue Jan 29, 2008 12:59 pm

Re: urgent, kernel + grsec vulnerability

Post by spender » Wed Feb 13, 2008 6:01 pm

I guess none of you enabled UDEREF? :) It stops both public exploits from causing a compromise, though the system will still be left in an unstable state.

A 2.6.24.2 patch has been uploaded to the server.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: urgent, kernel + grsec vulnerability

Post by Myron » Thu Feb 14, 2008 6:27 pm

I don't know if this will help, but on my grsec installations I loaded the ptpatch2008 kernel module, which stopped the publicly available vmsplice exploits which I tested.

I tried several fixes but all of the other ones left the grsec kernel in an unstable state.

This one seemed to work. I downloaded it at: http://home.powertech.no/oystein/ptpatch2008/

Hope this helps...
Myron
 
Posts: 2
Joined: Thu Jun 16, 2005 9:08 pm
