
Fast fix of local vmsplice() vulnerability

Author: Ondrej Jombík | Section: Administration | Date: 2008-02-12

Basic information

On February 8, 2008, a local vulnerability was published for Linux kernels from 2.6.1 to 2.6.24. An error in the vmsplice() system call enables a local user (a possible attacker) to gain administrator rights and superuser access to the system using an available exploit.

Our community, Platon Group, has prepared a fast fix for this serious vulnerability. The fix fully disables the vmsplice() system call by means of a kernel module, which can be compiled against the current kernel sources. Neither kernel recompilation nor a system restart is required!

Besides blocking vmsplice() calls, the module logs every call to the kernel log, so you can detect whether some application is using this system call, or whether a local user has tried to run an exploit to gain administrator rights.

This is an example of module installation and logging of vmsplice() activity:

vmsplice-EPERM.c Linux Kernel 2.6 module by Ondrej Jombik <nepto@platon.sk>
vmsplice-EPERM.c disables vmsplice() syscall for preventing local root vulnearbility
vmsplice-EPERM.c: searching for syscall table
vmsplice-EPERM.c: syscall table found at c03fc540
vmsplice-EPERM.c module installed
vmsplice-EPERM.c call attempt: fd=4, iov=bff720b8, nr_segs=1, flags=0; forcing -EPERM

Download & Installation

The module source code is available at this address:

http://platon.sk/projects/release_view_page.php?release_id=68

After unpacking, run the compilation with the make command. If the compilation is successful, you can insert the module into the kernel with this command:

insmod vmsplice-EPERM.ko

In the kernel log, available through the dmesg command, you can see whether the installation was successful or not.

Notes

  • This fix is suitable only for systems whose components and applications do not use the vmsplice() call during normal operation.

  • If autodetection of sys_call_table fails (it scans the 32-bit x86 int $0x80 handler for the table reference), the address can be obtained with this command:

    grep sys_call_table /boot/System.map

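    Write the acquired address into the vmsplice-EPERM.c file on line 62 in place of the NULL value. Check the value carefully: the module writes through this address in kernel mode, so a wrong address can crash or corrupt the running system.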

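  • This solution is not a complete fix: the protection lasts only while the module is loaded, and removing the module restores the original vmsplice() handler. Upgrading the system to the latest stable kernel version is recommended.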

Source Code

Full module source code follows:

/*
 * vmsplice-EPERM.c - disables vmsplice() syscall for preventing
 *                    local root vulnerability via vmsplice()
 *
 * Developed by Ondrej Jombik <nepto@platon.sk>
 * Copyright (c) 2008 Platon Group, http://platon.sk/
 * Licensed under terms of GNU General Public License.
 * All rights reserved.
 *
 * Changelog:
 * 2008-02-11 - created
 * 2008-02-12 - released
 *
 */

/* $Platon$ */

#include <linux/init.h>
#include <linux/module.h>

#include <linux/kernel.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
#include <linux/time.h>

#include <asm/unistd.h>

/* Number of bytes copied from the start of the int $0x80 handler and then
 * searched for the syscall-table dispatch instruction. */
#define BUFSIZE 100

/* Destination of the "sidt" instruction in find_sys_call_table():
 * a 16-bit limit followed by a 32-bit base address, with no padding.
 * The 32-bit base makes this layout specific to 32-bit x86. */
struct {
    unsigned short limit;
    unsigned int base;
} __attribute__ ((packed)) idtr;

/* One 8-byte gate descriptor, copied from idtr.base + 8*0x80.
 * off1 and off2 are combined by find_sys_call_table() into the handler
 * address as the low and high 16 bits respectively. */
struct {
    unsigned short off1;
    unsigned short sel;
    unsigned char none,flags;
    unsigned short off2;
} __attribute__ ((packed)) idt;

/* Original sys_call_table[__NR_vmsplice] entry, saved at module load so
 * that module unload can put it back. It is never called in this file. */
long (*real_sys_vmsplice)(
    int fd,
    const struct iovec *iov,
    unsigned long nr_segs,
    unsigned int flags
);
/* Replacement handler installed into the table; defined at the end of the
 * file. It logs the attempt and returns -EPERM. */
asmlinkage long new_sys_vmsplice(
    int fd,
    const struct iovec *iov,
    unsigned long nr_segs,
    unsigned int flags
);

/* Address of the kernel's syscall table.
 * A fixed address may be written here; it can be obtained with:
 *   $ grep sys_call_table /boot/System.map
 * Leave this NULL for autodetection.
 *
 * The module writes through this pointer at load and unload time, so a
 * hand-entered value must match the running kernel exactly.
 */
unsigned long **sys_call_table = NULL;

/* Stolen from scprint.c
 * http://downloads.securityfocus.com/downloads/scprint.tar.gz
 */
/*
 * Older syscall-table finder, kept from scprint.c.
 *
 * Steps through memory one pointer-sized slot at a time, from the address
 * of loops_per_jiffy up to (not including) the address of boot_cpu_data,
 * and returns the first address whose __NR_close slot holds the address of
 * sys_close. Returns NULL when no slot in that range matches.
 *
 * The module's init function in this file calls find_sys_call_table()
 * rather than this routine.
 */
unsigned long **find_sys_call_table_old(void) /* {{{ */
{
    extern unsigned long loops_per_jiffy;
    const unsigned long scan_end = (unsigned long) &boot_cpu_data;
    unsigned long addr = (unsigned long) &loops_per_jiffy;

    while (addr < scan_end) {
        unsigned long *candidate = (unsigned long *) addr;

        /* a real syscall table has sys_close in its __NR_close slot */
        if (candidate[__NR_close] == (unsigned long) sys_close) {
            return (unsigned long **) candidate;
        }
        addr += sizeof(void *);
    }
    return NULL;
} /* }}} */

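/*
 * Find the first occurrence of the nl-byte sequence `needle` inside the
 * hl-byte buffer `haystack`.
 *
 * Returns a pointer to the first match, or NULL when there is none or when
 * the needle is longer than the haystack. A zero-length needle matches at
 * the start of the haystack.
 *
 * The position counter is a size_t so that large lengths are not truncated
 * to int, and the cursor is a byte pointer so that no arithmetic is done
 * on a void pointer.
 */
static void *memmem(const void* haystack, size_t hl, /* {{{ */
        const void* needle, size_t nl)
{
    const unsigned char *cursor = haystack;
    size_t remaining;

    if (nl > hl) {
        return NULL;
    }
    /* hl - nl + 1 start positions leave room for a full needle */
    for (remaining = hl - nl + 1; remaining != 0; --remaining, ++cursor) {
        if (memcmp(cursor, needle, nl) == 0) {
            return (void *) cursor;
        }
    }
    return NULL;
} /* }}} */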

/* Function will return address of the syscall table.
 * Based on
 * http://www.epanastasi.com/docs/syscall_talk/example1-sct/example1.c
 */
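unsigned long **find_sys_call_table(void) /* {{{ */
{
#if !defined(__i386__)
    /* The idtr/idt structures, the 8-byte gate stride and the opcode
     * pattern below all describe 32-bit x86. On any other target, report
     * "not found" instead of reading memory with the wrong layout; the
     * address can still be supplied by hand in sys_call_table. */
    return NULL;
#else
    /* ff 14 85 <disp32> encodes "call *disp32(,%eax,4)": an indirect call
     * through a table of 4-byte entries indexed by %eax. The disp32 that
     * follows the three opcode bytes is taken as the table address. */
    static const char dispatch_opcode[] = "\xff\x14\x85";
    unsigned int sys_call_off;
    unsigned int table_addr;
    char *p, sc_asm[BUFSIZE];

    /* ask the processor for the interrupt descriptor table register */
    asm ("sidt %0" : "=m" (idtr));
    /* read the IDT entry for vector 0x80 (syscall); gates are 8 bytes */
    memcpy(&idt, (void *) idtr.base+8*0x80,sizeof(idt));
    /* widen off2 before shifting: as a promoted int, a high half of
     * 0x8000 or more would overflow on << 16 */
    sys_call_off = ((unsigned int) idt.off2 << 16) | idt.off1;
    /* copy the first BUFSIZE bytes of the handler for scanning */
    memcpy(sc_asm, (void *) sys_call_off, BUFSIZE);

    /* Search only where the opcode AND its 4-byte operand both lie inside
     * sc_asm; a match in the last bytes of the buffer would otherwise make
     * the operand read run past the end of the array. */
    p = (char*) memmem(sc_asm, BUFSIZE - sizeof(table_addr),
            dispatch_opcode, 3);
    if (p == NULL) {
        return NULL;
    }
    /* the operand is not aligned inside the byte buffer; copy it out */
    memcpy(&table_addr, p + 3, sizeof(table_addr));
    return (unsigned long **)(unsigned long) table_addr;
#endif
} /* }}} */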

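/*
 * Module entry point: locate the syscall table (unless an address was
 * hard-coded in sys_call_table), check that it looks like the real table,
 * save the current vmsplice entry in real_sys_vmsplice and replace it with
 * new_sys_vmsplice.
 *
 * Returns 0 on success and -1 when the table cannot be found or fails the
 * check; in both failure cases nothing has been modified.
 */
static int __init vmsplice_EPERM_init(void) /* {{{ */
{
    printk(KERN_INFO "vmsplice-EPERM.c Linux Kernel 2.6 module"
            " by Ondrej Jombik <nepto@platon.sk>\n");
    printk(KERN_INFO "vmsplice-EPERM.c disables vmsplice() syscall"
            " for preventing local root vulnearbility via vmsplice()\n");

    if (sys_call_table == NULL) {
        printk(KERN_INFO "vmsplice-EPERM.c: searching for syscall table\n");
        sys_call_table = find_sys_call_table();
        if (sys_call_table == NULL) {
            /* the original message lacked its newline, which ran it
             * together with the next log line */
            printk(KERN_INFO "vmsplice-EPERM.c: syscall table NOT found\n");
            printk(KERN_INFO "vmsplice-EPERM.c module NOT installed\n");
            return -1;
        }
        printk(KERN_INFO "vmsplice-EPERM.c: syscall table found at %p\n",
            sys_call_table);
    }

    /* The address comes either from a byte-pattern scan or from a value
     * typed in by hand, and the next statements write through it in kernel
     * mode. Apply the same probe find_sys_call_table_old() uses, the
     * __NR_close slot must hold sys_close, and refuse to patch otherwise.
     * NOTE(review): this also refuses to load if something else has
     * already hooked close(); that is the safer failure. */
    if ((unsigned long) sys_call_table[__NR_close]
            != (unsigned long) sys_close) {
        printk(KERN_INFO "vmsplice-EPERM.c: address %p does not look like"
                " the syscall table\n", sys_call_table);
        printk(KERN_INFO "vmsplice-EPERM.c module NOT installed\n");
        return -1;
    }

    /* remember the original handler so module unload can restore it */
    real_sys_vmsplice = (long (*)()) sys_call_table[__NR_vmsplice];
    /* NOTE(review): if the running kernel maps the table read-only this
     * store will fault; confirm for the target kernel configuration. */
    sys_call_table[__NR_vmsplice] = (void *) new_sys_vmsplice;
    printk(KERN_INFO "vmsplice-EPERM.c module installed\n");
    return 0;
} /* }}} */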

/*
 * Module exit point: put the handler saved in real_sys_vmsplice back into
 * the vmsplice slot of the syscall table and log the removal.
 *
 * After this runs, vmsplice() is served by the kernel's own handler again.
 * NOTE(review): nothing here waits for callers that may still be inside
 * new_sys_vmsplice() when the module text goes away; confirm whether that
 * matters for the intended use.
 */
static void __exit vmsplice_EPERM_exit(void) /* {{{ */
{
    void *saved_handler = (void *) real_sys_vmsplice;

    sys_call_table[__NR_vmsplice] = saved_handler;
    printk(KERN_INFO "vmsplice-EPERM.c module removed\n");
} /* }}} */

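/*
 * Replacement for the vmsplice() system call: record the attempt in the
 * kernel log and refuse it.
 *
 * The arguments are only printed; iov is a caller-supplied pointer and is
 * never dereferenced here. Always returns -EPERM.
 *
 * Any local user can reach this handler as often as they like, so the log
 * line is rate limited. Without the limit, a loop of vmsplice() calls
 * could fill the kernel log buffer and push older entries out of it.
 */
asmlinkage long new_sys_vmsplice( /* {{{ */
        int fd,
        const struct iovec *iov,
        unsigned long nr_segs,
        unsigned int flags
        )
{
    if (printk_ratelimit()) {
        printk(KERN_INFO "vmsplice-EPERM.c call attempt:"
                " fd=%d, iov=%p, nr_segs=%lu, flags=%u;"
                " forcing -EPERM\n",
                fd, iov, nr_segs, flags);
    }
    return -EPERM; /* always refuse, whether or not the call was logged */
} /* }}} */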

/* Register the load and unload handlers: loading patches the vmsplice
 * slot of the syscall table, unloading restores the saved entry. */
module_init(vmsplice_EPERM_init);
module_exit(vmsplice_EPERM_exit);

/* Module metadata. */
MODULE_AUTHOR("Ondrej Jombik");
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Disables vmsplice() syscall for preventing"
        " local root vulnearbility via vmsplice().");

/* Modeline for ViM {{{
 * vim: set ts=4:
 * vim600: fdm=marker fdl=0 fdc=3:
 * }}} */

Credits: rajo, jojo, ivan, hlava, roleta
