[Slackware security] vulnerabilities outstanding 20140101

brianL · 02-03-2014, 06:48 AM

Where do I put the nox32recvmmsg module, so that it's loaded permanently (survives reboot, etc) in /lib/modules/3.10.17? Which subdirectory?
EDIT
Doesn't seem to work.
Module loaded:

Code:

bash-4.2$ lsmod
Module                  Size  Used by
nox32recvmmsg           1201  1

Ran .poc:

Code:

bash-4.2$ ./slack64-14.1_CVE-2014-0038_poc 
13 minutes to root
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ praise bob!


The Golden Rule is of no use to you whatever unless you realize it
is your move.
                -- Frank Crane

root@slackdesk:~/temp#

mancha · 02-03-2014, 10:55 AM

Quote:

Originally Posted by brianL

Where do I put the nox32recvmmsg module, so that it's loaded permanently (survives reboot, etc) in /lib/modules/3.10.17? Which subdirectory?

To have the module load on boot, do the following:

Code:

# mkdir -p /lib/modules/$(uname -r)/misc
# cp nox32recvmmsg.ko /lib/modules/$(uname -r)/misc
# depmod -a

Then place an insmod (or modprobe) call in /etc/rc.d/rc.local or /etc/rc.d/rc.modules. i.e.

Code:

# echo "/sbin/modprobe nox32recvmmsg" >> /etc/rc.d/rc.local

Quote:

Originally Posted by brianL

EDIT
Doesn't seem to work.

Did you try the PoC first, then load the module, then try the PoC again by chance?

To be protected you must load the module on an untainted kernel. Reboot, insmod, and you should be OK. If that doesn't work let me know.

--mancha

brianL · 02-03-2014, 10:57 AM

Thanks, mancha. I'll do all you suggest.

metaschima · 02-03-2014, 10:59 AM

It looks like it does work, because you are root at the bottom, by the # sign.

brianL · 02-03-2014, 11:04 AM

Quote:

Originally Posted by metaschima

It looks like it does work, because you are root at the bottom, by the # sign.

mancha's module is to prevent that happening.

brianL · 02-03-2014, 11:36 AM

I think I've done everything right, the module is loaded, but I'm still getting:

Code:

bash-4.2$ cd temp
bash-4.2$ ./slack64-14.1_CVE-2014-0038_poc 
13 minutes to root
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ praise bob!


If you can't say anything good about someone, sit right here by me.
                -- Alice Roosevelt Longworth

root@slackdesk:~/temp#

mancha · 02-03-2014, 12:33 PM

OK, I think I know what is going on. Is there an "unable to handle kernel paging request" after the module is loaded (check /var/log/syslog).

If this is the case, I have uploaded a new module that accounts for protected-mode CPUs.

Please download and try it (note: it might take a minute or two to propagate to the SF servers). Check against hash below.

SHA256(nox32recvmmsg.tar.bz2)= 8c822d55a0a45f0fa994c73921701e2bb035bdaeb169c2355ed8d767414c4f73

--mancha

brianL · 02-03-2014, 12:47 PM

No, there's nothing in /var/log/syslog. I'll try the new module after I've eaten (never load modules on an empty stomach.

).

brianL · 02-03-2014, 01:31 PM

Yes!!! The new module works:

Code:

bash-4.2$ cd temp
bash-4.2$ ./slack64-14.1_CVE-2014-0038_poc 
13 minutes to root
 doh!
bash-4.2$

Thanks, mancha.

mancha · 02-03-2014, 01:50 PM

Quote:

Originally Posted by brianL

Yes!!! The new module works...Thanks, mancha.

You're welcome and thanks back to you for making me realize/remember I needed to deal with CR0.

--mancha

mancha · 02-05-2014, 01:16 PM

Update 20140205

Mozilla various
Firefox 27 (for current)
Firefox ESR 24.3
Thunderbird 24.3
Seamonkey 2.24

Fixed:
CVE-2014-1477 CVE-2014-1478 CVE-2014-1479
CVE-2014-1480 CVE-2014-1481 CVE-2014-1482
CVE-2014-1483 CVE-2014-1484 CVE-2014-1485
CVE-2014-1486 CVE-2014-1487 CVE-2014-1488
CVE-2014-1489 CVE-2014-1490 CVE-2014-1491

--mancha

ponce · 02-05-2014, 03:22 PM

Quote:

Originally Posted by mancha

Mozilla various
Firefox 27 (for current)
Firefox ESR 24.3
Thunderbird 24.3
Seamonkey 2.24

I was thinking that when one or more vulns hit the mozilla suite, to build the three on 12 different Slackware versions (13.0, 13.1, 13.37, 14.0, 14.1 and current, for i486 and x86_64) it's surely time-consuming...

mancha · 02-05-2014, 03:39 PM

Quote:

Originally Posted by ponce

I was thinking that when one or more vulns hit the mozilla suite, to build the three on 12 different Slackware versions (13.0, 13.1, 13.37, 14.0, 14.1 and current, for i486 and x86_64) it's surely time-consuming...

Surely serves as a good RAM/CPU stress tester. The good news for Pat is I think he's only updating FF and Tbird for 14.1+current and
Seamonkey for 14.0+14.1+current (right?).

--mancha

brianL · 02-06-2014, 05:04 AM

Got FF 27.0 using ruario's latest-firefox script.

angryfirelord · 02-06-2014, 08:36 AM

I apologize if this is slightly off topic and/or has been asked before, but is there a risk with running the 3.10.17 kernel when the latest upstream longterm release is 3.10.28? Are most of the fixes simply bug fixes or do the kernel security patches not really affect Slackware?