
Fast fix of local vmsplice() vulnerability

Autor: Ondrej Jombík | Sekcia: Administration | Dátum: 2008-02-12

Basic information

On February 8, 2008 a local privilege-escalation vulnerability was published for Linux kernels from 2.6.17 (the release that introduced vmsplice(); earlier 2.6 kernels do not have the call) up to 2.6.24. A bug in the vmsplice() system call lets any local user — a potential attacker — obtain root (superuser) privileges on the system using a publicly available exploit.

Our community, Platon Group, has prepared a quick fix for this serious vulnerability. The fix is a loadable kernel module, compiled against the sources of the running kernel, that disables the vmsplice() system call entirely: every call returns -EPERM. No kernel recompilation and no reboot are required. Note that this is a mitigation that removes the vulnerable code path, not a patch of the bug itself.

Besides blocking vmsplice() calls, the module logs every attempt to the kernel log, so you can see whether some application legitimately depends on this system call, or whether a local user has tried to run the exploit to gain root. Keep in mind that any local user can trigger these log lines at will, so consider rate-limiting them if the kernel log is monitored or forwarded.

Here is an example of what the kernel log shows after the module is installed and a vmsplice() call is blocked:

vmsplice-EPERM.c Linux Kernel 2.6 module by Ondrej Jombik <nepto@platon.sk>
vmsplice-EPERM.c disables vmsplice() syscall for preventing local root vulnearbility
vmsplice-EPERM.c: searching for syscall table
vmsplice-EPERM.c: syscall table found at c03fc540
vmsplice-EPERM.c module installed
vmsplice-EPERM.c call attempt: fd=4, iov=bff720b8, nr_segs=1, flags=0; forcing -EPERM

Download & Installation

The module source code is available at this address:

http://platon.sk/projects/release_view_page.php?release_id=68

After unpacking, build the module with the make command (this requires the headers or sources of the kernel you are currently running). If the build succeeds, load the module into the kernel as root with:

insmod vmsplice-EPERM.ko

The kernel log, available through the dmesg command, shows whether the module was installed successfully and records every blocked vmsplice() attempt.

Notes

  • This fix is suitable only for systems where no component or application depends on vmsplice() during normal operation; with the module loaded every such call fails with EPERM.

  • If auto-detection of sys_call_table fails, you can obtain the address from the kernel's symbol map with the command:

    grep sys_call_table /boot/System.map

    Write the acquired address into the vmsplice-EPERM.c file on line 62 in place of the NULL value. Make sure the System.map really belongs to the running kernel; otherwise the module would overwrite an arbitrary kernel address.

  • This module is a workaround, not a complete fix. The automatic detection parses the interrupt descriptor table and the 32-bit int $0x80 dispatch instruction, so it only works on 32-bit x86 kernels, and it writes directly into the system call table, which may fault on kernels that map that table read-only. Upgrading to the latest stable kernel version is strongly recommended.

Source Code

Full module source code follows:

/*
 * vmsplice-EPERM.c - disables the vmsplice() syscall to prevent the
 *                    local root vulnerability via vmsplice()
 *
 * Developed by Ondrej Jombik <nepto@platon.sk>
 * Copyright (c) 2008 Platon Group, http://platon.sk/
 * Licensed under terms of GNU General Public License.
 * All rights reserved.
 *
 * Changelog:
 * 2008-02-11 - created
 * 2008-02-12 - released
 *
 */

/* $Platon$ */

#include <linux/init.h>
#include <linux/module.h>

#include <linux/kernel.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
#include <linux/time.h>

#include <asm/unistd.h>

#define BUFSIZE 100 /* we'll read first 100 bytes of int $0x80*/

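/* Layout filled in by the `sidt` instruction on 32-bit x86: a 16-bit
 * table limit followed by a 32-bit linear base address.  Kept packed
 * because the CPU stores it as 6 consecutive bytes. */
static struct {
    unsigned short limit;
    unsigned int base;
} __attribute__ ((packed)) idtr;

/* One 8-byte IDT gate descriptor as copied out of the table.  The handler
 * offset is split into two 16-bit halves (off1 = low, off2 = high); the
 * remaining fields are the code selector, a reserved byte and the
 * type/DPL flags. */
static struct {
    unsigned short off1;
    unsigned short sel;
    unsigned char none, flags;
    unsigned short off2;
} __attribute__ ((packed)) idt;

/* Original sys_vmsplice entry saved at load time so that module removal
 * can restore it.  It is only stored and written back, never called. */
static long (*real_sys_vmsplice)(
    int fd,
    const struct iovec *iov,
    unsigned long nr_segs,
    unsigned int flags
);

/* Replacement handler installed in the syscall table; logs and rejects. */
asmlinkage long new_sys_vmsplice(
    int fd,
    const struct iovec *iov,
    unsigned long nr_segs,
    unsigned int flags
);

/* This is the place, where you can write fixed address of sys_call_table.
 * You can get this address from:
 *   $ grep sys_call_table /boot/System.map
 * Leave this NULL for autodetect.
 *
 * Declared static so the symbol stays private to this module and cannot
 * clash with a kernel symbol of the same name.
 */
static unsigned long **sys_call_table = NULL;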

/* Heuristic taken from scprint.c
 * (http://downloads.securityfocus.com/downloads/scprint.tar.gz).
 *
 * Walks kernel data one pointer at a time, from the loops_per_jiffy
 * symbol up to (but not including) boot_cpu_data, and returns the first
 * location whose __NR_close slot holds the address of sys_close -- i.e.
 * something that looks like sys_call_table.  Returns NULL when no
 * candidate is found.  Alternative to the IDT-based find_sys_call_table().
 */
unsigned long **find_sys_call_table_old(void) /* {{{ */
{
    extern unsigned long loops_per_jiffy;
    unsigned long *cursor = (unsigned long *) &loops_per_jiffy;
    unsigned long *end = (unsigned long *) &boot_cpu_data;

    while (cursor < end) {
        if (cursor[__NR_close] == (unsigned long) sys_close)
            return (unsigned long **) cursor;
        cursor++;
    }
    return NULL;
} /* }}} */

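/* Find the first occurrence of the nl-byte `needle` inside the hl-byte
 * `haystack`.  Returns a pointer to the match, or NULL when the needle is
 * longer than the haystack or does not occur.  An empty needle matches at
 * the start of the haystack.
 *
 * Uses byte pointers and size_t throughout: the previous version did
 * arithmetic on `void *` (a compiler extension) and counted with a signed
 * int.
 */
static void *memmem(const void *haystack, size_t hl, /* {{{ */
        const void *needle, size_t nl)
{
    const unsigned char *hp = haystack;
    size_t i;

    if (nl > hl)
        return NULL;
    /* A match can start at any offset up to and including hl - nl. */
    for (i = 0; i <= hl - nl; i++) {
        if (memcmp(hp + i, needle, nl) == 0)
            return (void *) (hp + i);
    }
    return NULL;
} /* }}} */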

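/* Return the address of sys_call_table, or NULL if it cannot be located.
 * Based on
 * http://www.epanastasi.com/docs/syscall_talk/example1-sct/example1.c
 *
 * 32-bit x86 only: reads the IDT gate for vector 0x80 (the int $0x80
 * system call entry), copies the first BUFSIZE bytes of that handler and
 * looks for the opcode bytes ff 14 85, i.e. `call *disp32(,%eax,4)`, the
 * indirect dispatch through the table.  The 32-bit displacement that
 * follows the opcode is the table address.
 *
 * The search is limited so that the 4-byte displacement is always inside
 * the copied buffer, and the displacement is read with memcpy because it
 * is not aligned.
 */
unsigned long **find_sys_call_table(void) /* {{{ */
{
    unsigned long sys_call_off;
    unsigned char sc_asm[BUFSIZE];
    unsigned char *p;
    unsigned int table;

    /* ask processor for interrupt descriptor table */
    __asm__ __volatile__ ("sidt %0" : "=m" (idtr));
    /* read-in IDT for 0x80 vector (syscall); gates are 8 bytes each */
    memcpy(&idt, (void *) ((unsigned long) idtr.base + 8 * 0x80), sizeof(idt));
    sys_call_off = ((unsigned long) idt.off2 << 16) | idt.off1;
    memcpy(sc_asm, (void *) sys_call_off, BUFSIZE);
    /* we have syscall routine address now, look for syscall table
       dispatch (indirect call); leave room for the displacement */
    p = memmem(sc_asm, BUFSIZE - sizeof(table), "\xff\x14\x85", 3);
    if (p == NULL)
        return NULL;
    memcpy(&table, p + 3, sizeof(table));
    return (unsigned long **) (unsigned long) table;
} /* }}} */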

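/* Module entry point: locate sys_call_table (unless a fixed address was
 * compiled in), verify that it looks like the real table, then replace the
 * vmsplice() slot with new_sys_vmsplice().
 *
 * Returns 0 on success or a negative errno; a negative value makes insmod
 * fail and leaves the kernel untouched.
 */
static int __init vmsplice_EPERM_init(void) /* {{{ */
{
    printk(KERN_INFO "vmsplice-EPERM.c Linux Kernel 2.6 module"
            " by Ondrej Jombik <nepto@platon.sk>\n");
    printk(KERN_INFO "vmsplice-EPERM.c disables vmsplice() syscall"
            " for preventing local root vulnearbility via vmsplice()\n");

    if (sys_call_table == NULL) {
        printk(KERN_INFO "vmsplice-EPERM.c: searching for syscall table\n");
        sys_call_table = find_sys_call_table();
        if (sys_call_table == NULL) {
            /* IDT parsing failed; try the data-segment scan instead. */
            sys_call_table = find_sys_call_table_old();
        }
        if (sys_call_table == NULL) {
            printk(KERN_INFO "vmsplice-EPERM.c: syscall table NOT found\n");
            printk(KERN_INFO "vmsplice-EPERM.c module NOT installed\n");
            /* -1 would be reported by insmod as "Operation not permitted" */
            return -ENOENT;
        }
        printk(KERN_INFO "vmsplice-EPERM.c: syscall table found at %p\n",
            sys_call_table);
    }

    /* Sanity check before writing into kernel memory: a real syscall table
     * has sys_close at index __NR_close.  This catches a System.map address
     * from the wrong kernel as well as a false positive of the heuristics. */
    if ((unsigned long) sys_call_table[__NR_close] != (unsigned long) sys_close) {
        printk(KERN_INFO "vmsplice-EPERM.c: %p does not look like"
                " sys_call_table (sys_close mismatch)\n", sys_call_table);
        printk(KERN_INFO "vmsplice-EPERM.c module NOT installed\n");
        return -EINVAL;
    }

    /* Save the original entry for module removal, then install ours. */
    real_sys_vmsplice = (long (*)()) sys_call_table[__NR_vmsplice];
    sys_call_table[__NR_vmsplice] = (void *) new_sys_vmsplice;
    printk(KERN_INFO "vmsplice-EPERM.c module installed\n");
    return 0;
} /* }}} */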

/* Module exit hook: put the saved original sys_vmsplice entry back into
 * the syscall table.  Only runs after a successful init, so sys_call_table
 * and real_sys_vmsplice are both set.
 */
static void __exit vmsplice_EPERM_exit(void) /* {{{ */
{
    unsigned long **slot = &sys_call_table[__NR_vmsplice];

    *slot = (unsigned long *) real_sys_vmsplice;
    printk(KERN_INFO "vmsplice-EPERM.c module removed\n");
} /* }}} */

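/* Replacement for sys_vmsplice(): log the attempt together with the
 * calling process, then reject it.
 *
 * The log line is rate-limited so that a hostile local user cannot flood
 * the kernel log simply by calling vmsplice() in a loop; pid and comm are
 * logged so an attempt can be attributed to a process.
 *
 * Returns -EPERM unconditionally; the arguments are only logged.
 */
asmlinkage long new_sys_vmsplice( /* {{{ */
        int fd,
        const struct iovec *iov,
        unsigned long nr_segs,
        unsigned int flags
        )
{
    if (printk_ratelimit()) {
        printk(KERN_INFO "vmsplice-EPERM.c call attempt:"
                " fd=%d, iov=%p, nr_segs=%lu, flags=%u"
                " by pid %d (%s); forcing -EPERM\n",
                fd, iov, nr_segs, flags,
                current->pid, current->comm);
    }
    return -EPERM; /* always return -EPERM */
} /* }}} */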

/* Register the load and unload hooks with the module loader. */
module_init(vmsplice_EPERM_init);
module_exit(vmsplice_EPERM_exit);

/* Module metadata (author, license, description). */
MODULE_AUTHOR("Ondrej Jombik");
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Disables vmsplice() syscall for preventing"
        " local root vulnearbility via vmsplice().");

/* Modeline for ViM {{{
 * vim: set ts=4:
 * vim600: fdm=marker fdl=0 fdc=3:
 * }}} */

Credits: rajo, jojo, ivan, hlava, roleta

Diskusia k článku
rajo modification of /proc/kallsyms 2008-02-13 22:43

   

 