Chedder Bay Kernel Exploit
Found at : http://www.jethrocarr.com/index.php?cms=blog:20090718
A new 0-day attack on the Linux kernel has just been released by Brad Spengler called the “Chedder Bay Exploit” which exploits a flaw in the Linux 2.6.30+ kernel.
This exploit is interesting, in that the code doesn’t look particularly broken, but when compiled the compiler optimisations causes the compiled code to have a security hole.
For more technical details on this exploit and further news, check the LWN.net article or use the CVE reference CVE-2009-1897.
From my quick review of the exploit, it appears the attack uses Pulseaudio to bypass Selinux security if it is enabled and then performs an attack against the /dev/net/tun device, allowing a standard user to gain root access.
Not having pulseaudio or the tun kernel module loaded should prevent this exploit from working, although I have not yet had sufficient time to test this since I received the alert announcement around 3am NZ time.
The exploit affects the 2.6.30+ kernel releases and also some of the test kernel 2.6.18 kernel releases by Redhat.
However, all production kernel releases for RHEL/CentOS do not appear to be vulnerable since the change that introduced the security exploit had not been backported yet.
In my tests on CentOS 5.3 with kernel 2.6.18-128.1.16.el5xen on i386/xen, I was unable to trigger the exploit.
pulseaudio is not required to exploit the kernel when SELinux is enabled. In other words, as mentioned in the exploit, having SELinux enabled has actually opened you up to an entire class of kernel vulnerabilities that the vanilla kernel would have protected you against.
-Brad
Thanks for the clarification 🙂