Linode Forum
Linode Community Forums
Posted: Thu Jan 08, 2004 12:08 pm
Senior Member

Joined: Sat Jun 28, 2003 12:02 am
Posts: 66
Website: http://kenny.aust.in
caker wrote:
Kernel 2.4.24-linode19-1um brings us up to date with the latest Linux kernel version (2.4.24 changelog) which contains a local root exploit fix (details here and here), and also brings us up to date with the latest UML patch (2.4.23-1um).

disclaimer: this is a question :)

This is how I understand the linode setup..
host->linode kernel (this process on the host)->your linode.
so it wouldn't be safe to allow modules inserted into a linode's kernel as they would basically be executing code on the host machine..

http://isec.pl/vulnerabilities/isec-0013-mremap.txt says:
Quote:
Impact:
=======

Since no special privileges are required to use the mremap(2) system
call any process may misuse its unexpected behavior to disrupt the kernel
memory management subsystem. Proper exploitation of this vulnerability may
lead to local privilege escalation including execution of arbitrary code
with kernel level access. Proof-of-concept exploit code has been created
and successfully tested giving UID 0 shell on vulnerable systems.

If I understand this correctly, this can lead back up to the host machine since it allows "execution of arbitrary code with kernel level access".. right?

Kenny


Posted: Thu Jan 08, 2004 12:49 pm
Senior Member

Joined: Wed Sep 17, 2003 7:39 pm
Posts: 124
I asked this in a far more simple way in his original thread, but no reply :(

I guess Chris would have realised and patched for such a major thing if it were exploitable.


Posted: Thu Jan 08, 2004 7:33 pm
Senior Member

Joined: Thu Aug 28, 2003 12:57 am
Posts: 273
Quik wrote:
I asked this in a far more simple way in his original thread, but no reply :(

I guess Chris would have realised and patched for such a major thing if it were exploitable.


I think that you are right. If there was a kernel exploit which allowed the execution of arbitrary code in the kernel, then this exploit could be used by a Linode to run arbitrary code as the user that runs the Linode on the host. Given that the same bug (or other bugs, known or unknown) might allow a local user on the host to get root, then this is potentially a vulnerability for the entire Linode host.


Posted: Fri Jan 09, 2004 2:45 pm
Senior Member

Joined: Sat Jun 28, 2003 12:02 am
Posts: 66
Website: http://kenny.aust.in
Quik wrote:
I asked this in a far more simple way in his original thread, but no reply :(

I guess Chris would have realised and patched for such a major thing if it were exploitable.

Quik wrote:
Do the host machines need to be upgraded to this too?


I thought you were asking about the host machine's kernel. If it works how I think it does, then just having vulnerable linode kernels available is a risk to the host machine... of course it probably doesn't work how I think it does :)

kenny


Posted: Fri Jan 09, 2004 8:48 pm
Linode Staff

Joined: Tue Apr 15, 2003 6:24 pm
Posts: 3090
Website: http://www.linode.com/
Location: Galloway, NJ
I think there is a good chance that if the UML is vulnerable, the host would be exposed. I don't believe exploits designed for an i386 kernel would have the desired effect if run from within UML, but it's not that far off that someone could customize an exploit to de-virtualize the addressing of the UML's memory stack, and modify the exact memory location on the host where it needs it...

I'll be putting a box here locally through some tests and should know more by tomorrow.

On a related topic, I've trimmed the list of available kernels down to ones that aren't vulnerable (with the exception of the djc kernel, which I'll be updating shortly). I also keyed config profiles to point to Latest 2.4 if you were pointing to one of the older kernels.

-Chris


Posted: Fri Jan 09, 2004 10:19 pm
Senior Member

Joined: Thu Oct 30, 2003 11:27 am
Posts: 52
Website: http://www.wasteland.org/
Location: Rochester, NY
Any chance the updated djc kernel will still have freeswan in it? I still _really_ need ipsec.

