Four variants of working Linux/Exploit-PRCTL code have been made available on the Internet over the past 4 days. All of these variants take advantage of a bug in core dump file handling within Linux Kernel 2.6 that lets local non-privileged users write into the cron.d folder, to which they would not normally have write access. For those unfamiliar with the Linux operating system, the cron.d folder is the equivalent of the Windows Task Scheduler: tasks or files placed there are executed on a schedule. The important point is that tasks executed from this folder run with the privileges of the cron service user, typically root.

This is not the first malware to exploit a Linux kernel vulnerability to gain escalated privileges, but it must be one of the most potent in a long while. Although the exploit is limited to local users, any of the many vulnerable PHP scripts on a Linux web server could give a remote attacker the local foothold it needs, which could mean quick remote access for those with malicious intent. One would expect it to be very popular with hackers and PHP worm authors.
Linux 2.6 users should update to the Linux 2.6.17.4 stable release.
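As an added defender-side example (not code from the original report or from the Linux project), the script below does two things a sysadmin would want after reading the above: it checks whether the running 2.6 kernel is at or above the 2.6.17.4 release named here, and it scans a cron.d style directory for entries that look like a dropped core dump rather than a crontab (ELF magic at the start of the file, a name matching the default `core` pattern, wrong ownership, or loose permissions). The `/etc/cron.d` path, the `core`/`core.*` naming, and the sample files built by `demo()` are assumptions or constructed data, not facts taken from the page.

```python
#!/usr/bin/env python3
"""Defender checks for the cron.d core-dump issue: kernel version gate and
a scan for core-dump-looking files in a cron directory. Constructed example."""
import os
import re
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"          # kernel core dumps are ELF files; crontabs are text
CRON_DIRS = ["/etc/cron.d"]     # assumed location of the cron.d folder
FIXED_RELEASE = (2, 6, 17, 4)   # stable release the report says to update to


def parse_release(release):
    """Turn a kernel release string such as '2.6.17.4-smp' into a tuple of ints."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def kernel_is_patched(release, fixed=FIXED_RELEASE):
    """True/False for a 2.6 kernel depending on whether it is at or above the
    fixed release; None for kernels outside the 2.6 series (out of scope here)."""
    ver = parse_release(release)
    if ver[:2] != (2, 6):
        return None
    return ver >= fixed


def suspicious_cron_entries(directory, expected_uid=0):
    """Scan a cron.d style directory and return a list of (name, reason) tuples
    for entries that look like a planted core dump or that an unprivileged user
    could have created or modified. An empty list means nothing odd was seen."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat so a symlink is reported rather than followed
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        if st.st_uid != expected_uid:
            findings.append((name, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)))
        if st.st_mode & 0o022:
            findings.append((name, "group or world writable"))
        if name == "core" or name.startswith("core."):
            findings.append((name, "name matches the default core dump pattern"))
        with open(path, "rb") as f:
            head = f.read(len(ELF_MAGIC))
        if head == ELF_MAGIC:
            findings.append((name, "starts with ELF magic: looks like a core dump, not a crontab"))
    return findings


def demo():
    """Build a constructed cron.d lookalike (one benign crontab, one planted
    core dump) in a temp dir and scan it. Sample data only."""
    d = tempfile.mkdtemp(prefix="crond-demo-")
    benign = os.path.join(d, "backup")
    with open(benign, "wb") as f:
        f.write(b"0 3 * * * root /usr/local/bin/backup.sh\n")  # constructed crontab line
    os.chmod(benign, 0o644)
    planted = os.path.join(d, "core")
    with open(planted, "wb") as f:
        f.write(ELF_MAGIC + b"\x01\x01\x01\x00" + b"\x00" * 12)  # fake ELF header, constructed
    os.chmod(planted, 0o644)
    # Files are owned by whoever runs the demo, so compare against that uid.
    return suspicious_cron_entries(d, expected_uid=os.getuid())


if __name__ == "__main__":
    release = os.uname().release
    status = kernel_is_patched(release)
    print("kernel %s: %s" % (release, {True: "at or above 2.6.17.4",
                                      False: "BELOW 2.6.17.4, update",
                                      None: "not a 2.6 kernel"}[status]))
    for d in CRON_DIRS:
        if os.path.isdir(d):
            for name, reason in suspicious_cron_entries(d):
                print("%s/%s: %s" % (d, name, reason))
    for name, reason in demo():
        print("demo %s: %s" % (name, reason))
```

Run it as root on the host you are checking; the real scan of `/etc/cron.d` expects root ownership, while `demo()` only shows what a planted dump looks like against constructed files.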
