Google security specialists Tavis Ormandy and Julien Tinnes report a critical security vulnerability in the Linux kernel that affects every 2.4 and 2.6 version released since 2001, on all architectures. The vulnerability enables users with limited rights to gain root rights on the system. The cause is a NULL pointer dereference: the proto_ops tables of several rarely used protocols leave the sendpage function pointer unset, and sock_sendpage() called that pointer without checking it for NULL.
Ormandy and Tinnes believe that all Linux 2.4 and 2.6 versions since May 2001 are affected, which means 2.4.4 up to and including 2.4.37.4, as well as 2.6.0 up to and including 2.6.30.4. Instead of completing every partially implemented protocol, the kernel developers have simply made sock_sendpage() call kernel_sendpage(), which tests the pointer first and falls back to sock_no_sendpage() (an ordinary sendmsg of the page contents) when the protocol provides no sendpage operation. So far, this correction has only gone into the kernel repository; it has not yet appeared in a released kernel. Until a patched kernel is installed, the only barrier is whether an unprivileged process can map page zero (vm.mmap_min_addr and the distribution's SELinux policy), which is exactly what the published exploit works around.
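The following userspace C model is added here to show the vulnerable and the fixed dispatch side by side; it is not kernel code, and not the authors' exploit for this bug (CVE-2009-2692). The type and function names (full_ops, sparse_ops, sock_sendpage_vulnerable, sock_sendpage_fixed, sock_no_sendpage_model, send_via) are the model's own assumptions, the payload is constructed sample data, and the kernel structures are reduced to the two function pointers the bug involves.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Model (assumed names): a page of data, a socket, and a per-protocol
 * operations table, like the kernel's struct proto_ops but reduced. */
struct page { const char *data; size_t len; };
struct socket;
struct proto_ops {
    const char *name;
    ssize_t (*sendmsg)(struct socket *sock, const char *buf, size_t len);
    ssize_t (*sendpage)(struct socket *sock, struct page *page, int offset,
                        size_t size, int flags);
};
struct socket {
    const struct proto_ops *ops;
    char out[64];       /* bytes "transmitted" by the model */
    size_t out_len;
};

static ssize_t model_sendmsg(struct socket *sock, const char *buf, size_t len)
{
    if (len > sizeof(sock->out) - sock->out_len)
        return -ENOBUFS;
    memcpy(sock->out + sock->out_len, buf, len);
    sock->out_len += len;
    return (ssize_t)len;
}

static ssize_t model_sendpage(struct socket *sock, struct page *page, int offset,
                              size_t size, int flags)
{
    (void)flags;
    if (offset < 0 || (size_t)offset + size > page->len)
        return -EINVAL;
    return model_sendmsg(sock, page->data + offset, size);
}

/* A fully implemented protocol: every operation is filled in. */
static const struct proto_ops full_ops = {
    .name = "full", .sendmsg = model_sendmsg, .sendpage = model_sendpage,
};

/* A rarely used protocol whose author never wrote a sendpage. With a
 * designated initializer every omitted member is silently zero, i.e. NULL. */
static const struct proto_ops sparse_ops = {
    .name = "sparse", .sendmsg = model_sendmsg,
};

/* Vulnerable shape: the pointer is called without being checked. For sparse_ops
 * this is an indirect call through address 0. In userspace that is a SIGSEGV;
 * in the kernel, if an unprivileged user has mapped page zero, it runs the
 * user's bytes with kernel privileges. */
static ssize_t sock_sendpage_vulnerable(struct socket *sock, struct page *page,
                                        int offset, size_t size, int flags)
{
    return sock->ops->sendpage(sock, page, offset, size, flags);
}

/* Fallback for a protocol without sendpage: push the bytes through the
 * ordinary sendmsg path, as the kernel's sock_no_sendpage() does. */
static ssize_t sock_no_sendpage_model(struct socket *sock, struct page *page,
                                      int offset, size_t size, int flags)
{
    (void)flags;
    if (offset < 0 || (size_t)offset + size > page->len)
        return -EINVAL;
    return sock->ops->sendmsg(sock, page->data + offset, size);
}

/* Fixed shape, mirroring kernel_sendpage(): test the pointer, fall back if NULL. */
static ssize_t sock_sendpage_fixed(struct socket *sock, struct page *page,
                                   int offset, size_t size, int flags)
{
    if (sock->ops->sendpage)
        return sock->ops->sendpage(sock, page, offset, size, flags);
    return sock_no_sendpage_model(sock, page, offset, size, flags);
}

/* True when the vulnerable dispatcher would jump to address 0 for this table. */
static int ops_sendpage_is_null(const struct proto_ops *ops)
{
    return ops->sendpage == NULL;
}

static const char payload[] = "constructed sample data";   /* constructed input */
static struct socket last_sock;

/* Sends the payload through the chosen dispatcher and protocol table; returns
 * the byte count or a negative errno, and leaves the output in last_sock. */
static ssize_t send_via(ssize_t (*dispatch)(struct socket *, struct page *, int,
                                            size_t, int),
                        const struct proto_ops *ops)
{
    struct page pg = { payload, sizeof(payload) - 1 };
    memset(&last_sock, 0, sizeof(last_sock));
    last_sock.ops = ops;
    return dispatch(&last_sock, &pg, 0, pg.len, 0);
}

static int last_output_is_payload(void)
{
    return last_sock.out_len == sizeof(payload) - 1 &&
           memcmp(last_sock.out, payload, last_sock.out_len) == 0;
}

int main(void)
{
    printf("sparse_ops sendpage NULL? %d\n", ops_sendpage_is_null(&sparse_ops));
    printf("fixed/full:   %zd bytes\n", send_via(sock_sendpage_fixed, &full_ops));
    printf("fixed/sparse: %zd bytes via sendmsg fallback\n",
           send_via(sock_sendpage_fixed, &sparse_ops));
    printf("vuln/full:    %zd bytes\n", send_via(sock_sendpage_vulnerable, &full_ops));
    /* send_via(sock_sendpage_vulnerable, &sparse_ops) would call address 0. */
    return 0;
}
```

The point of the model is the shape of the fix: checking the pointer at the single dispatch site (kernel_sendpage) is safer than auditing every protocol table, because the next protocol that omits .sendpage gets the fallback automatically instead of a NULL call. Uncommenting the last call in main shows what the kernel saw before the fix, minus the privilege escalation: a jump through address zero.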
Check out more over @ Julien Tinnes' blog...
Brad Spengler also wrote an exploit for this and published it. The bug triggering is based on our exploit, which leaked to Brad through the private vendor-sec mailing list. He implements the personality trick Tavis and I published in June to bypass mmap_min_addr and also makes use of a feature that allows any unconfined user to gain the right to map at address zero in Red Hat's default SELinux policy.