ServerTune Logo Control Panel Licenses Server Management VPS Dedicated Servers Colocation ServerTune.com
 
ServerTune HomeAbout usContact usHelp DeskKnowledgebaseSpecialLIVE Chat ServerTune
DirectAdmin VPS Server Management

Our most popular service:

Dedicated Server Hosting

Dedicated Servers: starting $89 /month

  

Issues, Tips, and Solutions

Click here to tour ServerTune's Data Center and view photos from the conferences we attended.

*** Follow ServerTune on: ServerTune is on Facebook ServerTune is on Twitter
 
 
Browse by category   Search
 
/ServerTune KB / Operating Systems / Security / Linux kernels v2.6.17+ vmsplice()Root Exploit/
Linux kernels v2.6.17+ vmsplice()Root Exploit
Printer Friendly
Printer friendly
email to a friend
Email to friend
Add comment Add comment
Views: 2445
Votes: 1
Comments: 0
Posted: 13 Feb, 2008
by: Customer Service :: S.
* * * * *
Updated: 13 Feb, 2008
by: Customer Service :: S.

Linux vmsplice()Root Exploit
On Saturday February 10th, 2008, a new public exploit was released that utilizeed a similar flaw in vmsplice (vmsplice_to_pipe function) which allows a local user to gain root privileges. This exploit affects Linux kernels v2.6.17 and higher.

vmsplice exploit code is available at: http://www.securityfocus.com/bid/27704/exploit

Once an attacker runs the code and gains root privilages, he/she will then be able to read and write to arbitrary memory locations on affected servers.

How can I discover if my system is vulnerable?
SSH to the server and run the following command:

    /bin/grep -ri vmsplice /boot/System.map-$(uname -r)


If the system returns no results/nothing, that means your system is NOT vulnerable. If the system returns something like:
 

    c048fdf7 T sys_vmsplice

that means your system is vulnerable.

Solution:
Many Linux distributions reported this bug and provided the following patches for their respective systems:

Ubuntu
https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587

Debian
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953#14

CentOS
http://bugs.centos.org/view.php?id=2667

RedHat
https://bugzilla.redhat.com/show_bug.cgi?id=432251

Gentoo
https://bugs.gentoo.org/show_bug.cgi?id=209460
Other articles in this Category
document Understanding Attack Techniques
document The Concept of Security
document What Causes High Server Load?
document Security Tips
document Mod Security Rules and SPAM
document Limit the resources for a specific user
document Denial of Services (DoS) Detrimental to Businesses
document Protect Your Company Against DDoS Attacks
document Malecious Random JavaScript Rootkit
document Protect your server against IFRAME JS injection code with "ServerTune Plus Plan"
document Latest findings about the Random JavaScript Rootkit
document RKhunter report: The command '/usr/bin/ldd' has been replaced by a script
document Horde v3.1.6 and earlier is NOT secure
document IFRAME injection code :: infected Web sites and suggestions
document Warning :: A new wave of domain scam/spam
document Your client or your PC might be a zombie in a Botnet
document HowTo scan and stop uploading infected files to your server


RSS
Last update: December 22nd, 2009 ••• Copyright © 2004-2010 ServerTune Inc.
Control Panel Licensing
cPanel Plesk Miva Merchant