Forgot your password?
typodupeerror
Security Linux

RDS Protocol Bug Creates a Linux Kernel Hole, Now Fixed 89

Posted by timothy
from the what-does-the-sky-think-as-it-falls dept.
Trailrunner7 writes "The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system. The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included." The article goes on to say, though, that "Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions," and that Linus Torvalds has committed a fix.
This discussion has been archived. No new comments can be posted.

RDS Protocol Bug Creates a Linux Kernel Hole, Now Fixed

Comments Filter:
  • by AlphaZeta (1356887) on Thursday October 21, 2010 @03:57PM (#33978602) Homepage

    Just tried on my home machine (Ubuntu 10.04 64 bit) and it couldn't get the root shell. It's running 2.6.32-25-generic.
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses...
      [+] Resolved rds_proto_ops to 0xffffffffa0bc4860
      [+] Resolved rds_ioctl to 0xffffffffa0bbd000
      [+] Resolved commit_creds to 0xffffffff8108aee0
      [+] Resolved prepare_kernel_cred to 0xffffffff8108b2c0
    [*] Overwriting function pointer...
    [*] Triggering payload...
    [*] Restoring function pointer...
    [*] Exploit failed to get root.

  • by man_of_mr_e (217855) on Thursday October 21, 2010 @03:59PM (#33978638)

    Of course what you don't know is that this issue has been known by the kernel team and unreported for at least 9 days.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3904 [mitre.org]

    Notice the "Assigned" date, 10/12/2010, that's the date the CVE was created for this flaw and it was likely known and reported several days before that.

    What this means is that the kernel team knew of the flaw, it was reported in secret, and they kept it a secret while they researched a fix. So people were vulnerabile for almsot 2 weeks, even though there was a known workaround that would have prevented them from being vulnerable if they had known.

  • by Oceanplexian (807998) on Thursday October 21, 2010 @04:26PM (#33979084) Homepage
    Only? Only a local root exploit?

    That kind of attitude makes me upset because I endure a lot of it where I work. A local root exploit is the hard part of owning a server. Getting
    unprivileged access through some vulnerability is comparatively a piece of cake.

Only God can make random selections.

Working...