VPS
Main PagecPanel and DirectAdmin LicensingServer Management PlansVirtual Private ServersDedicated Servers
Control Panel Licensing
ServerTune ResellersResellersSpecial PromotionsServerTune SpecialsHomeAbout ServerTuneContact usTechnical SupportKB
ServerTune Main Page
Space
Space
Our most popular service: Issues, Tips, and Solutions

How is ServerTune different from other companies?
Space
Search:    Advanced search
Browse by category:
:: KB Home / Operating Systems / Security / Linux kernels v2.6.17+ vmsplice()Root Exploit
Linux kernels v2.6.17+ vmsplice()Root Exploit
Printer Friendly
Printer friendly
email to a friend
Email to friend
Add comment Add comment
Views: 870
Votes: 1
Comments: 0
Posted: 13 Feb, 2008
by: Support T.
* * * * *
Updated: 13 Feb, 2008
by: Support T.

Linux vmsplice()Root Exploit
On Saturday February 10th, 2008, a new public exploit was released that utilizeed a similar flaw in vmsplice (vmsplice_to_pipe function) which allows a local user to gain root privileges. This exploit affects Linux kernels v2.6.17 and higher.

vmsplice exploit code is available at: http://www.securityfocus.com/bid/27704/exploit

Once an attacker runs the code and gains root privilages, he/she will then be able to read and write to arbitrary memory locations on affected servers.

How can I discover if my system is vulnerable?
SSH to the server and run the following command:

    /bin/grep -ri vmsplice /boot/System.map-$(uname -r)


If the system returns no results/nothing, that means your system is NOT vulnerable. If the system returns something like:
 

    c048fdf7 T sys_vmsplice

that means your system is vulnerable.

Solution:
Many Linux distributions reported this bug and provided the following patches for their respective systems:

Ubuntu
https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587

Debian
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953#14

CentOS
http://bugs.centos.org/view.php?id=2667

RedHat
https://bugzilla.redhat.com/show_bug.cgi?id=432251

Gentoo
https://bugs.gentoo.org/show_bug.cgi?id=209460
Other articles in this Category
document Understanding Attack Techniques
document The Concept of Security
document What Causes High Server Load?
document Security Tips
document Mod Security Rules and SPAM
document Limit the resources for a specific user
document Denial of Services (DoS) Detrimental to Businesses
document Protect Your Company Against DDoS Attacks
document Malecious Random JavaScript Rootkit
document Protect your server against IFRAME JS injection code with "ServerTune IFrame Shield" Plan
document Latest findings about the Random JavaScript Rootkit
document RKhunter report: The command '/usr/bin/ldd' has been replaced by a script
document Horde v3.1.6 and earlier is NOT secure
document IFRAME injection code :: infected Web sites and suggestions
document Warning :: A new wave of domain scam/spam
document Your client or your PC might be a zombie in a Botnet


RSS
Last update: August, 2008 ••• Copyright (c) 2004-2008 ServerTune Inc.