[CentOS] Root exploit in the wild

Ralph Angenendt ra+centos at br-online.de
Sun Feb 10 23:22:28 UTC 2008


Frank Cox wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=432251

Just to clarify it a little bit: These are *local* root exploits, so the 
enemy has to find a way to get a shell account on your box to escalate 
his privileges.

I don't want to say that these exploits are harmless (well, there seems 
to be "only" one with an exploit which affects CentOS 5), but if your 
boxes are secured from the outside, there's no need to completely panic. 
Administrators of boxes with shell accounts where not all users are 
completely trusted or administrators of boxes with rather loose security 
(you know your cgi scripts - or probably don't) may panic now.

As only Kernel 2.6.17 and above have the vmsplice() system call, CentOS 
4 and CentOS 3 (and 2.1) are *not* affected.

And: There seems to be a fix in the making. See the above bugzilla URL.

Warning: There's a "dexploit"-exploit out there (an exploit which looks 
if the kernel is exploitable and then disables vmsplice() - or at least 
tries to) - don't use that. It doesn't work on CentOS 5. The original 
exploit seems to crash xen-DomUs - the deexploit succeeds in *not* 
crashing the kernel so that the exploit now also works on DomUs.

Take care (of your systems),

Ralph


