# Linux kernel 2.6.18/2.6.30 0day local exploit (18 July 09)

## Januszzz

For those for whom the Gentoo Forum is the only source of information, there is a new serious local Linux kernel exploit:

http://lwn.net/Articles/341773/

From exploit.c by Brad Spengler:

> super fun 2.6.30+/RHEL5 2.6.18 local kernel exploit in /dev/net/tun
>
> A vulnerability which, when viewed at the source level, is unexploitable!
>
> But which, thanks to gcc optimizations, becomes exploitable :)
>
> Also, bypass of mmap_min_addr via SELinux vulnerability!
>
> (where having SELinux enabled actually increases your risk against a
> large class of kernel vulnerabilities)
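The gcc behaviour the quoted header refers to (a NULL check that the compiler is entitled to delete because the pointer was already dereferenced a few lines earlier) is the general pattern behind this class of bug. The following is an added example, not code from the thread or from exploit.c, and it uses hypothetical names (`struct dev`, `flags_check_after_deref`, `flags_check_before_deref`, `demo_flags`) that do not correspond to the kernel's tun code; it places the buggy ordering beside the ordering that keeps the check.

```c
/* Added example, not from the thread or from exploit.c.  Constructed
 * illustration of "unexploitable at the source level, exploitable after
 * gcc optimization": a NULL check that follows a dereference.  All names
 * here are hypothetical and unrelated to the kernel's tun driver. */
#include <stddef.h>
#include <stdio.h>

struct dev {
    int flags;
};

/* BUGGY ORDERING: d->flags is read before d is tested.  Because a NULL
 * dereference is undefined behaviour, the compiler may assume d != NULL
 * from that point on and delete the later "if (!d)" branch entirely
 * (gcc enables -fdelete-null-pointer-checks at -O2).  Reading the source,
 * the function looks guarded; the emitted code is not. */
int flags_check_after_deref(const struct dev *d)
{
    int f = d->flags;        /* dereference happens here */
    if (!d)                  /* may be optimised away after the line above */
        return -1;
    return f;
}

/* FIXED ORDERING: validate the pointer before touching it.  Nothing has
 * been dereferenced yet, so the compiler cannot "prove" the check dead. */
int flags_check_before_deref(const struct dev *d)
{
    if (!d)
        return -1;
    return d->flags;
}

/* Small driver for the safe path with constructed input: builds a struct
 * holding the given flags value and returns what the checked path reports. */
int demo_flags(int value)
{
    struct dev d = { value };
    return flags_check_before_deref(&d);
}

int main(void)
{
    printf("valid pointer: %d\n", demo_flags(42));
    printf("NULL pointer:  %d\n", flags_check_before_deref(NULL));
    /* flags_check_after_deref(NULL) is deliberately not called: at -O2 the
     * check is gone and the dereference faults; inspect it with -S instead. */
    return 0;
}
```

Compile with `gcc -O2 -S` and compare the two functions in the assembly: in the first the `if (!d)` branch is absent, in the second it survives. GCC's `-fno-delete-null-pointer-checks` switches off this particular optimisation, but the durable fix is the ordering in the second function, because dereferencing an invalid pointer is undefined behaviour regardless of compiler flags.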

----------

## tgR10

I wanted to try my machines as a regular user but can't compile exploit.c :)

```
];-> gcc exploit.c -o exploit
exploit.c: Assembler messages:
exploit.c:455: Error: Incorrect register `%rax' used with `l' suffix
```

but pwkernel compiles without any error

gcc version

```
 [1] x86_64-pc-linux-gnu-4.3.3 *
```

```
];-> equery u gcc|grep +
+fortran
+mudflap
+multilib
+nls
+nptl
+objc
-objc++
+openmp
```

kernel

```
Linux bitis-gabonica-64 2.6.30-gentoo-r2-amd64-ext4 #1 PREEMPT Sun Jul 5 05:49:14 EDT 2009 x86_64 AMD Athlon(tm) 64 Processor 3500+ AuthenticAMD GNU/Linux
```

Later I'll try it on another machine.

----------

## Januszzz

User: Januszzz

Topic: Linux kernel 2.6.18/2.6.30 0day local exploit (18 July 09)

Post: post 5879699

Reason: Last time, when the splice() local root exploit was on topic, there was a huge discussion whether Gentoo should submit a GLSA or not. I accept that this time no GLSA should be submitted, but previously _we_ agreed that information should be delivered to the community through proper means. So be it: this time, this news deserves a Gentoo homepage warning. Thanks.

----------

## bunder

*Januszzz wrote:*

> User: Januszzz
>
> Topic: Linux kernel 2.6.18/2.6.30 0day local exploit (18 July 09)
>
> Post: post 5879699
>
> ...

Last I checked, 2.6.30+ was still masked (~ or M, not sure)... and from what I gather it only affects RHEL's 2.6.18... I don't think it warrants the big bloated "check your kernel" warning the vmsplice exploit did, but 2.6.30 should probably be hard-masked until patched. ;)

Edit: at the very least, there is a bug for it... https://bugs.gentoo.org/show_bug.cgi?id=278122

----------

## Januszzz

Well, I've tested the exploit on 9 or ten machines and the exploit compiled successfully only on i686, and worked only on one...

----------

