[CentOS] local root exploit

Wed Feb 13 03:40:09 UTC 2008
Matthew Miller <mattdm at mattdm.org>

On Mon, Feb 11, 2008 at 10:56:28PM -0500, Ross S. W. Walker wrote:
> > > Yes, but conceivably an application can make use of such a system
> > > call since it is exploitable from user land and hence the concern.
> > Well, the point is there's nothing wrong with the system call
> > *inherently*. There's just a flaw in its implementation which a
> > carefully-crafted program can exploit. A program which just happens to
> > use the system call as it is intended to be used isn't any more
> > dangerous than any other code.
> Sorry this thread keeps getting taken further out of context on each
> reply.
> 
> Yes, I understand there is nothing inherently wrong with the concept
> of the vmsplice() system call, and it adds a lot of benefit to the
> Linux kernel.
> 
> But if an application uses a system call, and that call to the system
> API depends on user input that isn't properly checking bounds, then said
> application can be used as a vector to system penetration.
> 
> That is all I am saying and was asking if anybody knew if such a
> vector existed in any PHP, Perl or CGI module as it would be the most
> likely method of leveraging the flaw if one did not have a shell account
> on that machine.

And here's what I'm saying. :) The exploit requires a certain amount of
specialized setup before the vmsplice call. And, this stuff isn't likely to
be user-supplied input since we're talking about memory management. To say
that a flaw in an existing program (let alone a script) made to do that
setup is an unlikely vector is an understatement. I'd be a lot more worried
about sloppy PHP, Perl, or CGI code having exploits which let you run
arbitrary user-level code (happens all the time), because that + this =
remote root.
-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>