Linux Keyring Root Privilege Escalation (CVE-2016-0728)

lamron Member
edited January 2016 in General

An Israeli security research company has found a serious issue in Linux kernels that has existed since 2012, in all Linux and Android kernels since version 3.8.

It is basically an exploit that uses a memory-management issue in the Linux kernel keyring. An overflow in it allows gaining root-level privilege escalation. Any normal user can run the exploit.

This allows a hacker to use a security issue in WordPress, or whatever you can imagine, to take over the user running the web server, then run the exploit and gain root-level privilege escalation to take over the whole system.



The article made by the company: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

The issue exists since 2012: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3a50597de8635cd05133bd12c95681c82fe7b878

The exploit: https://gist.github.com/PerceptionPointTeam/18b1e86d1c0f8531ff8f

More to read:

Comments

  • jar Patron Provider, Top Host, Veteran
    edited January 2016

    (Edit: Confirmed, take action immediately if using kernel >=3.8)

    The way that you describe that sounds like one of the worst Linux vulnerabilities of our time, yet I haven't heard of it at all and that was published several days ago. The CVE they link to doesn't seem to have any information attached. Anyone with more kernel knowledge than myself able to confirm that the description above is accurate?

    Nothing against you @lamron and not that I don't believe your description of the severity, just that the kernel is not my area of expertise and people have historically had a tradition around these parts of over simplifying a vulnerability and making it out to be worse than it is, so I always take the initial description with a grain of salt. I'm not running 3.8+ on any production systems anyway, maybe none of us really are and that's why I hadn't heard of it :)

  • Is this only direct system users, or will this escape container virtualization?

  • perennate Member, Host Rep
    edited January 2016

    @jarland http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0728.html

    It seems to say the same thing there pretty much. I'm not sure why there's the five day delay in the article date and all these patches coming out today.

    Anyone know if this will affect OpenVZ? I don't understand what this "session keyring" is.

    Edit: also this: https://bugzilla.redhat.com/show_bug.cgi?id=1297475

    Thanked by 1: jar
  • Please read the article that the Israeli security research company made: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

    It has a lot more information, and it's the direct source, while I just summed up some articles I found online.

  • jar Patron Provider, Top Host, Veteran

    perennate said: It seems to say the same thing there pretty much. I'm not sure why there's the five day delay in the article date and all these patches coming out today.

    Thanks. That's rough. Are there any LTS distros running 3.8+ that you know of? I'm thinking not, so that's nice at least.

  • perennate Member, Host Rep
    edited January 2016

    jarland said: Are there any LTS distros running 3.8+ that you know of?

    Ubuntu 14.04 is on 3.13 I think. And by default 14.04.3 will install kernel from 15.04, which is 3.19.

    No idea about other distributions.

    Thanked by 1: jar
  • I've received kernel updates on my Debian 8 machines already.

  • jar Patron Provider, Top Host, Veteran
    edited January 2016

    perennate said: Ubuntu 14.04 is on 3.13 I think.

    Oh yeah, good call, my WP honeypots are actually running 3.13. Not quite production, not systems I care about at least. Mostly just monitoring for people who go through the IP ranges that they're on to run xmlrpc attacks. Seems to be a lot more of those lately.

    Thanks for helping me understand better guys, this is definitely something people need to be aware of like...now.

  • exception0x876 Member, Host Rep, LIR

    BTW I tested the exploit on Ubuntu 14.04 and it was stuck in Increfing... phase like forever.

  • perennate Member, Host Rep
    edited January 2016

    exception0x876 said: BTW I tested the exploit on Ubuntu 14.04 and it was stuck in Increfing... phase like forever.

    It iterates for 2^32 iterations. I think you can cat /proc/keys to check how far it is (the third column might be the count of number of keyctl calls).

  • babuum Member
    edited January 2016

    @jarland said:
    (Edit: Confirmed, take action immediately if using kernel >=3.8)

    The way that you describe that sounds like one of the worst Linux vulnerabilities of our time

    lol
    https://www.google.com/search?sclient=psy-ab&site=&source=hp&btnG=Search&q=linux+local+privilege+escalation#q=linux+local+privilege+escalation+exploit

    I saw a talk at the 31c3 (I think) where the guy used local privilege escalation exploits instead of sudo just for fun.

    Thanked by 1: jar
  • sinsin Member

    Received updates on my Debian 8 and Ubuntu 14.04 machines today

  • Looks like Debian 7 is safe, on kernel 3.2.0-4-amd64

  • Red Hat Enterprise Linux 7
    CentOS Linux 7
    Scientific Linux 7
    Debian Linux stable 8.x (jessie)
    Debian Linux testing 9.x (stretch)
    SUSE Linux Enterprise Desktop 12
    SUSE Linux Enterprise Desktop 12 SP1
    SUSE Linux Enterprise Server 12
    SUSE Linux Enterprise Server 12 SP1
    SUSE Linux Enterprise Workstation Extension 12
    SUSE Linux Enterprise Workstation Extension 12 SP1
    Ubuntu Linux 14.04 LTS (Trusty Tahr)
    Ubuntu Linux 15.04 (Vivid Vervet)
    Ubuntu Linux 15.10 (Wily Werewolf)
    Opensuse Linux LEAP and version 13.2
    
    Thanked by 2: jar, lamron
  • Don't panic, but patch as soon as you can.

    IvyBridge+ processors come with SMEP enabled by default (grep smep /proc/cpuinfo), which prevents this type of exploit code.

    You need to modify the exploit code with the right kernel addresses to get it to work. Not for all script kiddies.

    Thanked by 2: jar, doghouch
  • The kernel <-> Android version matching is only for Nexus devices afaik.
    Other devices may have a different combination of kernel and Android versions, especially if the Android version has been upgraded, since the kernel often remains the original version that came with the device. My device has been upgraded from Jellybean to Kit Kat to Lollipop 5.1, and it is still using kernel 3.4.

    I seriously doubt the exploit can be used on an Android device. CONFIG_KEYS is not enabled by default on Android kernels. Android 4.4 (Kit Kat) onwards enable SELinux 'enforcing' mode. And not to mention it will take hours for the exploit to complete, assuming OOM killer didn't get to it in that time.
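    The checks the last few posts mention (kernel at or above 3.8, the smep flag in /proc/cpuinfo, and whether CONFIG_KEYS is built into the kernel) can be folded into one triage script. The following is an added example written for this thread, not code from the original posts or from Perception Point; it assumes the affected range starts at 3.8 as stated above, that a major.minor comparison of the release string is enough, and that the kernel config lives at /boot/config-$(uname -r), which is common but not universal. Each check is a function that takes a file or string argument so it can be exercised on constructed input as well as on the live host.

```shell
#!/bin/sh
# Added triage helper for CVE-2016-0728 (example code, not from the thread).
# Assumptions: affected range is kernel >= 3.8 (per the thread), a major.minor
# comparison of `uname -r` is sufficient, and the kernel config is at
# /boot/config-$(uname -r) (hypothetical path on hosts that place it elsewhere).

# Return 0 when a release string such as "3.13.0-74-generic" is >= a
# "major.minor" threshold such as "3.8"; return 1 otherwise.
kernel_at_least() {
    ka_rel="$1"; ka_thr="$2"
    ka_rel_major=$(printf '%s' "$ka_rel" | cut -d. -f1)
    # Strip anything after the digits so "8-rc1" compares as 8.
    ka_rel_minor=$(printf '%s' "$ka_rel" | cut -d. -f2 | sed 's/[^0-9].*//')
    ka_thr_major=$(printf '%s' "$ka_thr" | cut -d. -f1)
    ka_thr_minor=$(printf '%s' "$ka_thr" | cut -d. -f2)
    if [ "$ka_rel_major" -gt "$ka_thr_major" ]; then return 0; fi
    if [ "$ka_rel_major" -lt "$ka_thr_major" ]; then return 1; fi
    if [ "$ka_rel_minor" -ge "$ka_thr_minor" ]; then return 0; else return 1; fi
}

# Return 0 when a cpuinfo-format file lists "smep" among the CPU flags.
# Reads a file path so a constructed sample can be checked offline.
has_smep() {
    awk '/^flags[[:space:]]*:/ { for (i = 1; i <= NF; i++) if ($i == "smep") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Return 0 when a kernel .config-format file has CONFIG_KEYS=y.
config_keys_enabled() {
    grep -q '^CONFIG_KEYS=y' "$1"
}

# Run all three checks against the live host and print a one-line verdict each.
triage() {
    tr_release=$(uname -r)
    if kernel_at_least "$tr_release" "3.8"; then
        echo "kernel $tr_release is in the affected range (>= 3.8): apply the vendor update"
    else
        echo "kernel $tr_release predates 3.8: outside the range stated in the thread"
    fi
    if [ -r /proc/cpuinfo ] && has_smep /proc/cpuinfo; then
        echo "SMEP present: blocks this type of exploit code per the thread, but patch regardless"
    else
        echo "SMEP absent or /proc/cpuinfo unreadable: no hardware mitigation to rely on"
    fi
    tr_cfg="/boot/config-$tr_release"
    if [ -r "$tr_cfg" ] && config_keys_enabled "$tr_cfg"; then
        echo "CONFIG_KEYS=y in $tr_cfg: keyring subsystem is built in"
    else
        echo "CONFIG_KEYS not confirmed ($tr_cfg missing or option not set)"
    fi
}

triage
```

    Run it as an unprivileged user on each host; the three lines it prints are enough to sort a fleet into "patch now" and "verify later" without touching the exploit at all. A kernel below 3.8 (Debian 7's 3.2, as noted above) or a stock Android build without CONFIG_KEYS falls into the second bucket; everything else should take the distribution update listed earlier in the thread.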

  • @hostnoob said:
    theroyalstudent

    http://android.stackexchange.com/questions/51651/which-android-runs-which-linux-kernel

    what phone do you have? Lollipop should be on 3.16.1

    Xperia Z3

  • @wwabbit said:
    I seriously doubt the exploit can be used on an Android device. CONFIG_KEYS is not enabled by default on Android kernels. Android 4.4 (Kit Kat) onwards enable SELinux 'enforcing' mode. And not to mention it will take hours for the exploit to complete, assuming OOM killer didn't get to it in that time.

    I agree. SELinux for Android can help, like SELinux on normal Linux. And phones are probably still way too weak, and it would maybe take even longer than hours if you set it up so that it really works and isn't getting killed by the OOM killer on an Android device/phone/tablet.

    However, at least Google is still doing something against it and has planned to release a fix, if you can believe https://plus.google.com/+AdrianLudwig/posts/KxHcLPgSPoY
