Posted on 10/22/2010 6:09:25 AM PDT by ShadowAce
A flaw in the implementation of the Reliable Datagram Sockets protocol (RDS) in the Linux kernel can be exploited to gain root (also known as superuser) rights or permissions on a victim's system. Once attackers have broken into a system remotely, they can use the hole to gain complete control of it. Dan Rosenberg, who discovered the vulnerability, has published an exploit for demonstration purposes; in a test conducted by The H's associates at heise Security on Ubuntu 10.04 (64-bit), it opened a root shell.
Kernel versions 2.6.30 to 2.6.36-rc8 are said to be affected. Linux developers have already provided a patch, in the Git repository, that solves the problem. Distributors will probably be publishing new kernel versions soon. As a workaround, Rosenberg recommends preventing the kernel module from loading: echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds (as root). Most systems will not be affected by the removal of the protocol.
Rosenberg says the problem came about because the kernel functions in the RDS protocol do not correctly check the addresses given when data are copied between kernel memory and user memory. As a result, local users can specify a kernel address as the base of a socket structure. Code can then be written into kernel memory and executed with kernel privileges when certain socket operations are invoked.
Just a few days ago, a hole in the GNU C library's loader was made public that also allows attackers to expand their rights on the system.
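Added here as an example, not code from the article or from any poster in the thread: a small POSIX shell audit script for the workaround the article describes. It checks whether a kernel version string falls in the range named as affected (2.6.30 through 2.6.36-rc8), whether the "alias net-pf-21 off" line is present in a modprobe config file, and whether the rds module is currently loaded; the function names are this example's own, and the config path is the one the article gives.

```shell
#!/bin/sh
# Added example (not from the article): audit the RDS workaround on a host.

# rds_affected_kernel VERSION -> 0 if VERSION is within 2.6.30 .. 2.6.36-rc8.
# A version number alone cannot tell whether a distributor backported the fix.
rds_affected_kernel() {
    ver="${1%%-*}"                 # "2.6.32-25-generic" -> "2.6.32"
    suffix="${1#"$ver"}"           # "-25-generic", "-rc8" or empty
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch="${patch:-0}"
    [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] || return 1
    if [ "$patch" -eq 36 ]; then
        # 2.6.36 final shipped with the fix; only its rc1..rc8 are affected.
        case "$suffix" in
            -rc[1-8]|-rc[1-8]-*) return 0 ;;
            *) return 1 ;;
        esac
    fi
    [ "$patch" -ge 30 ] && [ "$patch" -le 35 ]
}

# rds_workaround_present FILE -> 0 if FILE disables the RDS protocol family
# (PF_RDS is protocol family 21, hence the net-pf-21 alias).
rds_workaround_present() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*alias[[:space:]]+net-pf-21[[:space:]]+off' "$1"
}

# rds_module_loaded [MODULES_FILE] -> 0 if the rds module is currently loaded.
rds_module_loaded() {
    grep -q '^rds[[:space:]]' "${1:-/proc/modules}" 2>/dev/null
}

main() {
    k=$(uname -r)
    if rds_affected_kernel "$k"; then
        echo "kernel $k is in the affected range (unless the fix was backported)"
    else
        echo "kernel $k is outside the affected range"
    fi
    if rds_workaround_present /etc/modprobe.d/disable-rds; then
        echo "disable-rds workaround is in place"
    else
        echo "no disable-rds workaround found in /etc/modprobe.d/disable-rds"
    fi
    if rds_module_loaded; then echo "warning: rds module is currently loaded"; fi
}

main
```

The version check is only a first pass; on distribution kernels, confirm against the vendor's advisory whether the fix was backported.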
Sooo... once you break in then you can own it. But you still have to break in first, right?
More reasons why my abacus is still the only virus free computational device I own.
That was what I understand, also. Doesn’t seem quite as dangerous as they’re making it out to be.
I wish I knew more about how Puppy Linux works, I can’t even unzip an RPM file with unrmp.pet
Maybe I should burn another ISO with a different Linux?
Bookmark
If the documentation isn’t helping you, then yeah. I’m much more familiar with the RPM-based distros, like Fedora.
Is that one free too? I’ll google it.
Obviously, it's more of an issue on multi-user systems. Hosting systems with shell access would be particularly vulnerable. Thank God it's not a remote exploit.
Fedora is free. Most stuff works right out of the box, but you'll want to add the rpmfusion repositories to get the best use of it. (for certain codecs and other stuff.)
“Reliable datagram....”?
Isn’t that an oxymoron?
Only in UDP.
$ gcc linux-rds-exploit.c -o linux-rds-exploit
$ file linux-rds-exploit
linux-rds-exploit: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
$ id
uid=500(zeugma) gid=500(zeugma) groups=500(zeugma),1000(shared)
$ touch /etc/deleteme.txt
touch: cannot touch `/etc/deleteme.txt': Permission denied
$ ./linux-rds-exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xf89c0654
[+] Resolved rds_ioctl to 0xf89bb06a
[+] Resolved commit_creds to 0xc046059f
[+] Resolved prepare_kernel_cred to 0xc0460410
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
sh-4.0# touch /etc/deleteme.txt
sh-4.0# rm /etc/deleteme.txt
sh-4.0# exit
~/Download :)
Wow. Quite interesting. I wonder how long it will take to get a large company’s servers all patched, so the employees don’t go wandering....
Youch.
I’m talking in general - i.e., in networking for the last, oh, 40 years, the idea is that datagram service isn’t reliable. You flip it out on the wire, and no guarantee is made of delivery; datagram service is “best effort” delivery.
My first reaction upon reading of “reliable datagram service” was to wonder “Isn’t that what a connection-based protocol is?” You have an indication when you sent the datagram that there was sufficient buffering at the receiver to receive the datagram and all that?
Sigh. Computing hasn’t been the same since we allowed the marketing people to start inventing terms...
Companies don't grant shell access to employees that don't need it.
And, using an exploit like this to get unauthorized root access is grounds for termination at every company I've worked for.
If you are talking about UDP, yes. RDP is a different protocol.
What is RDS and why did we build it?
Reliable Datagram Sockets (RDS) provide in order, non-duplicating, highly available, low overhead, reliable delivery of datagrams between hundreds of thousands of non-connected endpoints.