Linux vmsplice Local Root Exploit (2.6.17 - 2.6.24.1)

Discussion in 'General Discussion' started by gorilla, Feb 12, 2008.

  1. gorilla

    gorilla Well-Known Member

  2. jeroman8

    jeroman8 Well-Known Member


    Have about 10 servers that are vulnerable!

    If you run:
    grep -ri vmsplice /boot/System.map-$(uname -r)

    and it returns something, then you are vulnerable (said on webhostingtalk above).

    Just a question:

    Does the hacker need an account with shell access to be able to run the code/commands?
     
  3. gorilla

    gorilla Well-Known Member

    Yes, it's a local exploit.
    There is a patched kernel out there already, which we have tested and it seems to work fine.
    Let's hope CentOS comes up with a kernel upgrade fix.
    Seems that Fedora and Ubuntu have pushed out their patch 12 hours ago already.
     
  4. cPanelBilly

    cPanelBilly Guest

    A hacker just needs to have a local account; it does not need to have shell access.
     
  5. mohit

    mohit Well-Known Member

    They can exploit an account to exploit the server.

    If you are vulnerable, you should patch.
     
  6. jeroman8

    jeroman8 Well-Known Member

    Can I just run "yum update" when CentOS releases a patch to get it installed?

    I will let my NOC handle this but I have a few self-managed servers and
    wanna try it myself. Never dealt with kernels before really.
     
  7. blkjck

    blkjck Well-Known Member

  8. idealso

    idealso Active Member

    I have just this very minute received a security notification that new kernel images have been uploaded and are syncing to the mirrors.
     
  9. gorilla

    gorilla Well-Known Member

    jeroman,

    just do the kernel upgrade like this:

    yum update kernel\*

    After that, check your kernel:

    cat /boot/grub/grub.conf

    and reboot your server for it to take effect.

    Seems that the new kernel is ready now for CentOS as well ;)
    2.6.18-53.1.13.el5
     
    #9 gorilla, Feb 13, 2008
    Last edited: Feb 13, 2008
  10. rpmws

    rpmws Well-Known Member

    Just updated RHEL5 with the Red Hat kernel.


    2.6.18-53.1.13.el5PAE #1 SMP Mon Feb 11 13:42:05 EST 2008 i686 i686 i386 GNU/Linux

    When I grep for vmsplice I still get a return. Does anyone have a foolproof way to test to see if this hole is sealed?
     
  11. CoolMike

    CoolMike Well-Known Member

    I also still get the following output:

    I now use the CentOS5 2.6.18-53.1.13.el5 kernel.

    Michael
     
    #11 CoolMike, Feb 13, 2008
    Last edited: Feb 13, 2008
  12. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Hi Guys,

    Do you know if 2.6.9 is vulnerable?
     
  13. jimhermann

    jimhermann Active Member

  14. sparek-3

    sparek-3 Well-Known Member

    From my understanding of this, the 2.6.9 kernel is listed here because vmsplice was an available function in the 2.6.9 kernel, but it was not enabled by default. This simply means that if you compiled a 2.6.9 kernel and you enabled vmsplice then you are probably vulnerable to this exploit.

    vmsplice was not enabled by default until the 2.6.17 kernel. So if you are just using a default stock 2.6.9 kernel then you would not be affected by this.

    If you run the command that jeroman8 has given then this should tell whether or not your kernel is affected by this. If nothing is returned after running this command then you are not affected by this exploit.

    Note, if you have patched your kernel against this exploit then I think the above command will still return a result, but if you have patched against it properly then you won't be affected by the exploit.
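
Added example, not part of any post in this thread: because the System.map grep still matches on a patched kernel, this script classifies a `uname -r` string by version instead. It assumes the affected upstream range from the thread title (2.6.17 - 2.6.24.1) and the fixed CentOS/RHEL 5 build posted above (2.6.18-53.1.13.el5); the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: affected upstream range is the thread title's
# 2.6.17 - 2.6.24.1; the fixed el5 build is 2.6.18-53.1.13.el5 as posted above.

# ver_le A B: succeed when dotted version A <= B (numeric, field by field).
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# classify RELEASE: print one verdict for a `uname -r` style string.
classify() {
    rel=$1
    upstream=${rel%%-*}                 # 2.6.18-53.1.13.el5PAE -> 2.6.18
    if ! ver_le 2.6.17 "$upstream" || ! ver_le "$upstream" 2.6.24.1; then
        echo "outside-affected-range"
        return
    fi
    case $rel in
        2.6.18-*.el5*)
            build=${rel#*-}             # 53.1.13.el5PAE
            build=${build%%.el5*}       # 53.1.13
            # Assumption: el5 builds at or after 53.1.13 carry the fix forward.
            if ver_le 53.1.13 "$build"; then
                echo "el5-build-with-fix"
            else
                echo "el5-build-needs-update"
            fi ;;
        *)  echo "in-range-check-vendor-advisory" ;;
    esac
}

# report: verdict for the running kernel. The grep from the thread only shows
# that the syscall symbol exists, not whether the kernel is patched.
report() {
    rel=$(uname -r)
    echo "running kernel: $rel -> $(classify "$rel")"
    if grep -qi vmsplice "/boot/System.map-$rel" 2>/dev/null; then
        echo "vmsplice symbol present in System.map (also true on patched kernels)"
    fi
}

report
```

The verdict applies to the kernel that is currently booted, so run it again after the reboot to confirm the updated kernel is the one in use.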
     
  15. lefteris

    lefteris Member

    I did it and now I have the latest kernel 2.6.18-53.1.13.el5.
    I think it is now patched!
     