Nasty Kernel Exploit in the Wild

Rate this post

I love waking up in on a nice Saturday morning to find out that one of my servers was rooted.

A two-year-old kernel issue in Redhat distributions has surfaced in the form of a nasty exploit byAc1db1tch3z. Basically, a 32-bit binary is compiled and loaded to the server, and when run by any users (even non-root users), it uses a bug in the 32/64-bit compatibility layer to open a root shell. Here’s a copy and paste of one that I ran on a test server:

user1@server [~]# ./badscript
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.11.3.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff80327ac0
$$$ dummy_security_ops->ffffffff804b9540
$$$ capability_ops->ffffffff80329380
$$$ selinux_enforcing->ffffffff804bc2a0
$$$ audit_enabled->ffffffff804a7124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
# whoami
root

Scary, eh? And to think, Redhat has still not released a fix for this, and it’s been two days. Therefore, if you’re running a 64-bit CentOS or RHEL 5 server, you may be a sitting duck. All it takes is one site on your server to be prone to remote file injection, and the hack is in.

No reason to fret, though, you have a couple options.

  1. Download a working patch from here, and install the kernel, kernel-devel, and kernel-headers RPMs, then reboot
  2. Ksplice really came through on this one, and by nature, provided an update that does not require a reboot. Take a look at their post here, and download their diagnostic tool to any of your 64-bit servers running CentOS or RHEL 5, to make sure they haven’t been compromised. They are also offering a 30-day trial so you can secure your servers. $4/mo is a worthy investment, and I’m 100% sure that you’ll be happy with your results.

Update: on 9/12, Redhat released a patch for 64-bit RHEL systems: https://rhn.redhat.com/errata/RHSA-2010-0704.html, and a similar one exists now for CentOS: http://bugs.centos.org/view.php?id=4518

4 Comments

  1. Pingback: x86_64 Kernel Exploit - cPanel Forums

Leave a Reply

Your email address will not be published. Required fields are marked *

Log in