I love waking up in on a nice Saturday morning to find out that one of my servers was rooted.
A two-year-old kernel issue in Redhat distributions has surfaced in the form of a nasty exploit byAc1db1tch3z. Basically, a 32-bit binary is compiled and loaded to the server, and when run by any users (even non-root users), it uses a bug in the 32/64-bit compatibility layer to open a root shell. Here’s a copy and paste of one that I ran on a test server:
user1@server [~]# ./badscript
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.11.3.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
Scary, eh? And to think, Redhat has still not released a fix for this, and it’s been two days. Therefore, if you’re running a 64-bit CentOS or RHEL 5 server, you may be a sitting duck. All it takes is one site on your server to be prone to remote file injection, and the hack is in.
No reason to fret, though, you have a couple options.
- Download a working patch from here, and install the kernel, kernel-devel, and kernel-headers RPMs, then reboot
- Ksplice really came through on this one, and by nature, provided an update that does not require a reboot. Take a look at their post here, and download their diagnostic tool to any of your 64-bit servers running CentOS or RHEL 5, to make sure they haven’t been compromised. They are also offering a 30-day trial so you can secure your servers. $4/mo is a worthy investment, and I’m 100% sure that you’ll be happy with your results.