Linux is considered to be one of the safest operating systems in the world. At least that is the opinion of Internet users. Personally, I have always disagreed with that, but I also remember that mistakes happen to everyone. When I look at the red squares in my Nagios, I know that there are some vulnerabilities, but an update will fix them. However, this bug in Linux surprised even me.

Since kernel 3.8 was released (for the uninitiated, that was in 2012), there has been a bug in the keyring mechanism in Linux. The sad truth is that it allows privilege escalation, up to root level. That does not sound good; I would even say it sounds quite drastic. Of course, as is usually the case with Linux, the error was discovered and an exploit appeared as early as this week. Contrary to appearances, Linux is a very popular operating system. Most servers, embedded systems and also Android smartphones are exposed; this does not apply only to personal computers. Internet of Things devices can also be attacked.

The potential use of this exploit on Android devices is very interesting. With it, every application installed on our smartphone is able to escape from its sandbox and gain access to the data of other programs. Unfortunately, even if Google provides a fix very quickly, it will not be installed on our smartphones. Only owners of the newest devices can hope for an update with this fix.

The source code of this exploit is available on GitHub. It can be used in a very easy way, but it takes from a few to several minutes. The only thing you have to do is compile the code using gcc and run it:

$gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
$./cve_2016_0728 PP1
uid=1000, euid=1000
Increfing
finished increfing
forking...
finished forking
caling revoke...
uid=0, euid=0
#
#whoami
root
#

If after compilation you see a message that the keyutils.h header is missing, you have to install it from the libkeyutils-dev package. You can find information on the Internet that the exploit does not work with SELinux, but hackers claim that they know how to work around this “limitation”. The exploit can also be blocked by grsecurity and PaX. In the meantime, while the fix is not available, Reddit users propose two simple temporary solutions:

echo 1 > /proc/sys/kernel/keys/maxkeys

or

sysctl -w kernel.keys.maxkeys=1
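Before applying either command, it is worth checking which users already hold more than one key, because the limit applies to every non-root user and their keyring consumers would start failing. The script below is an added example, not code from the original post or from the exploit's author; it assumes the /proc/key-users format documented in the kernel tree and runs on a constructed sample of that file:

```shell
#!/bin/sh
# Added example, not part of the original post or the exploit's repository.
# Before forcing kernel.keys.maxkeys=1, find the non-root users that already
# hold more keys than that limit: their keyring consumers (for example
# Kerberos credential caches or cifs/nfs id mapping) would start getting
# EDQUOT from key allocation once the workaround is in place.
#
# Input is the /proc/key-users format documented in the kernel tree:
#   <uid>: <usage> <inst>/<keys> <keys>/<maxkeys> <bytes>/<maxbytes>

# Constructed sample of /proc/key-users so the script runs offline; on a
# real host pipe the file itself:  users_over_limit 1 < /proc/key-users
SAMPLE_KEY_USERS='0:     46 45/45 1/100 13/10000
29:     2 2/2 2/200 30/20000
1000:   5 3/3 3/200 90/20000
1001:   2 1/1 1/200 30/20000'

# usage: users_over_limit LIMIT   (key-users text on stdin)
# Prints "uid keys" for every non-root uid whose quota-counted key count
# exceeds LIMIT.  Root is skipped: its quota is kernel.keys.root_maxkeys,
# which the workaround in the post does not touch.
users_over_limit() {
    awk -v limit="$1" '
        {
            uid = $1; sub(/:$/, "", uid)
            split($4, q, "/")               # q[1] = keys counted against quota
            if (uid + 0 != 0 && q[1] + 0 > limit + 0) print uid, q[1]
        }'
}

# usage: maxkeys_is_limited [FILE]
# Returns 0 when the live setting (default /proc/sys/kernel/keys/maxkeys)
# is already 1, i.e. the temporary workaround is in effect.  A value written
# with echo or sysctl -w is lost on reboot; put "kernel.keys.maxkeys = 1"
# in /etc/sysctl.d/ to keep it until the kernel is patched.
maxkeys_is_limited() {
    file=${1:-/proc/sys/kernel/keys/maxkeys}
    [ -r "$file" ] && [ "$(tr -d '[:space:]' < "$file")" = "1" ]
}

# Stand-alone run: report who would be affected, then whether it is applied.
if [ -z "$KEYS_CHECK_NO_MAIN" ]; then
    printf '%s\n' "$SAMPLE_KEY_USERS" | users_over_limit 1
    maxkeys_is_limited && echo "maxkeys workaround is in place" \
                       || echo "maxkeys workaround is NOT in place"
fi
```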

At the moment there are no recorded attacks using this vulnerability, but it is probably only a matter of time before we hear about them.

There is also a group of users who have run this exploit on Android. They report that this vulnerability is not so dangerous there. It requires a lot of time (about 30 minutes) and resources, so an Android phone will probably freeze before root access is granted. Also, Google scans all applications available in Google Play, so the only thing you have to do is not install applications from unknown sources.