A security researcher has posted an exploit for the Linux on the Full Disclosure mailing list that utilizes three different bugs to permit an attacker to get root access.
The exploit was posted by Dan Rosenberg, and affects Linux kernel version 2.6.37. The bugs he used were reported by researcher Nelson Elhage, and include two issues - CVE-2010-3849 and CVE-2010-3850 - that have already been patched by Ubuntu and Debian.
"I wouldn't be able to reach the NULL pointer dereference and trigger the OOPS if users weren't able to assign Econet addresses to arbitrary interfaces due to a missing capabilities check," Rosenberg wrote.
"In the interest of public safety, this exploit was specifically designed to be limited: the particular symbols I resolve are not exported on Slackware or Debian (and) Red Hat does not support Econet by default," he added.
The third bug is CVE-2010-4258, which he wrote "affects everyone."
"If a thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL word will be written to a user-specified pointer when that thread exits," he explained. "This write is done using put_user(), which ensures the provided destination resides in valid userspace by invoking access_ok(). However, Nelson discovered that when the kernel performs an address limit override via set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault, etc.), this override is not reverted before calling put_user() in the exit path, allowing a user to write a NULL word to an arbitrary kernel address. Note that this issue requires an additional vulnerability to trigger."