A security researcher has released zero-day code for a flaw in the
Linux kernel, saying that it bypasses security protections in the
The source code for the exploit was made available last week by
researcher Brad Spengler on the Dailydave mailing list. According to
the researcher, the code exploits a vulnerability in Linux version
2.6.30, and 2.6.18, and affects both 32-bit and 64-bit versions. The
2.6.18 kernel is used in Red Hat Enterprise Linux 5.
The exploit bypasses null pointer de-reference protection in
the mainline kernel, which could allow an attacker to gain root control
of a system, Spengler wrote.
It also uses arbitrary code execution to disable security
features such as auditing, Security-Enhanced Linux (SELinux), AppArmor
and Linux Security Module, while making the applications running
outside the kernel believe that SELinux is still operating.
In the notes for his source code, Spengler said the exploit is
strengthened if SELinux is applied to the operating system. SELinux is
a set of modifications that can be applied to the kernel to harden it,
by providing a set of security policies.
"Having SELinux enabled actually weakens system security for these kinds of exploits," he wrote.
Security training organization the Sans Institute called the exploit "fascinating." In a blog post
on Friday, Sans Institute incident handler Bojan Zdrnja said that the
exploit uses the Linux compiler to overcome the security features.
"The compiler will introduce the vulnerability to the binary
code, which didn't exist in the source code," wrote Zdrnja. "This will
cause the kernel to try to read/write data from 0x00000000, which the
attacker can map to userland--and this finally pwns the box."
In his notes on the source code, Spengler said that a
workaround would be for administrators to compile the kernel with