Akkerman explained in the security bulletin how the exploit was discovered:
Forensics revealed a burneye-encrypted exploit. Robert van der Meulen managed to decrypt the binary, which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space.
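The bounds-check failure the bulletin describes, reduced to its essentials as an added C illustration: this is not kernel code and not from the bulletin, and TASK_SIZE, the 32-bit user/kernel split and the request values are constructed for a hypothetical layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 32-bit split: user space ends at TASK_SIZE, kernel space
 * lives above it. The constant is illustrative, not a real kernel value. */
#define TASK_SIZE 0xC0000000u

/* Vulnerable-style check: adds addr + len in 32-bit arithmetic and tests only
 * the upper bound. If len is large enough the sum wraps to a small value, so
 * a request that really extends past TASK_SIZE into kernel space is allowed. */
bool brk_check_vulnerable(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;   /* may wrap around 2^32 */
    return end <= TASK_SIZE;     /* true = request allowed */
}

/* Hardened check: a wrapped sum is detected because end < addr can only
 * happen on overflow; such requests are rejected along with any that
 * genuinely cross TASK_SIZE. */
bool brk_check_hardened(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;
    if (end < addr)              /* overflow: the range is not representable */
        return false;
    return end <= TASK_SIZE;
}

/* Reference answer computed without truncation: does [addr, addr+len)
 * stay inside user space? Used to show which check tells the truth. */
bool fits_in_user_space(uint32_t addr, uint32_t len)
{
    return (uint64_t)addr + (uint64_t)len <= (uint64_t)TASK_SIZE;
}

int main(void)
{
    /* Constructed requests: a normal heap extension, one that plainly crosses
     * TASK_SIZE, and one whose 32-bit sum wraps to 0x1000. */
    struct { uint32_t addr, len; } req[] = {
        { 0x08000000u, 0x00001000u },
        { 0xB0000000u, 0x20000000u },
        { 0x08000000u, 0xF8001000u },
    };
    for (unsigned i = 0; i < 3; i++)
        printf("addr=%08x len=%08x vulnerable=%d hardened=%d truth=%d\n",
               req[i].addr, req[i].len,
               brk_check_vulnerable(req[i].addr, req[i].len),
               brk_check_hardened(req[i].addr, req[i].len),
               fits_in_user_space(req[i].addr, req[i].len));
    return 0;
}
```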
What, me worry?
Here's the kicker. You need to be worried about this exploit even if you are positive that your own machine could not have been cracked with it. I'm running Mandrake 9.2, for example. This version of Mandrake is immune to the exploit because it incorporated the fix for it discovered in September. But I still need to worry about the exploit and you probably do too.
Here's why. You may have signed on to another machine across the network in the past month or so using the same password you use on your own machine. This is extremely poor security practice, but it is also a very common one. If that machine has been cracked and a sniffer put in place, somebody out there has your IP address, your username and your password. This is, after all, how the Debian servers were breached.
What to do
Here's a checklist of corrective action to take if you are at risk:
- Change your passwords immediately
- Make your passwords unique for each machine you log onto
- Upgrade to a secure version of the kernel if needed
- Examine your machine for evidence of rootkits or sniffers
Red Hat, SuSE, and Debian have already issued advisories to users telling them where to get newly patched kernels to protect against the exploit. Although Mandrake 9.2 is immune since it already includes the fix for the exploit, earlier versions of Mandrake are at risk and users are urged to upgrade the kernel at once.