A flaw in the implementation of the Reliable Datagram Sockets protocol (RDS) in the Linux kernel can be exploited to gain root (also known as superuser) rights or permissions on a victim’s system. Attackers can exploit the hole to get complete control remotely once they have broken into the system. Dan Rosenberg, who discovered the vulnerability, has published an exploit for demonstration purposes; in a test conducted by The H’s associates at heise Security on Ubuntu 10.04 (64-bit), it opened a root shell.
Kernel versions 2.6.30 to 2.6.36-rc8 are said to be affected. Linux developers have already provided a patch, in the Git repository, that solves the problem. Distributors will probably be publishing new kernel versions soon. As a workaround, Rosenberg recommends preventing the kernel module from loading: echo “alias net-pf-21 off” > /etc/modprobe.d/disable-rds (as root). Most systems will not be affected as they do not use the protocol anyway.
Rosenberg says the problem came about because the kernel functions in the RDS protocol do not correctly check the addresses given when data are copied from kernel memory and user memory. As a result, local users can indicate a basic address within the kernel for a socket structure. Code can then be written into kernel memory and launched with kernel rights when certain sockets are called.
Just a few days ago, a hole in the GNU-C library’s loader was made public that also allows attackers to expand their rights on the system.