local root exploit all linux kernels patch now
Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: local root exploit all linux kernels patch now

  1. #1
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    local root exploit all linux kernels patch now

    Synopsis: Linux kernel uselib() privilege elevation
    Product: Linux kernel
    Version: 2.4 up to and including 2.4.29-pre3, 2.6 up to and including 2.6.10
    Vendor: http://www.kernel.org/
    URL: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
    CVE: CAN-2004-1235
    Author: Paul Starzetz <ihaquer@isec.pl>
    Date: Jan 07, 2005


    Issue:
    ======

    Locally exploitable flaws have been found in the Linux binary format
    loaders' uselib() functions that allow local users to gain root
    privileges.


    Details:
    ========

    The Linux kernel provides a binary format loader layer to load (execute)
    programs of different binary formats like ELF or a.out and more. The
    kernel also provides a function named sys_uselib() to load a
    corresponding library. This function is dispatched to the current
    process's binary format handler and is basically a simplified mmap()
    coupled with some header parsing code.

    An analyze of the uselib function load_elf_library() from binfmt_elf.c
    revealed a flaw in the handling of the library's brk segment (VMA). That
    segment is created with the current->mm->mmap_sem semaphore NOT held
    while modifying the memory layout of the calling process. This can be
    used to disturb the memory management and gain elevated privileges. Also
    the binfmt_aout binary format loader code is affected in the same way
    http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt


    Update now to 2.4.29-rc1 or 2.6.10-ac6
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    Also...

    Nice discussion on this and copyright and more on /.

    http://linux.slashdot.org/linux/05/0...id=172&tid=106

    <edit type="remove">
    The exploit is made lamer proof.. never mind
    stupid me
    </edit>
    <edit type="add">
    My test box (Slackware Current stock kernel 2.4.28) seem invulnerable..

    Code:
    the_jinx@copycat:~$ ./elflbl
    
    [+] SLAB cleanup
        child 1 VMAs 65527
        child 2 VMAs 65294
    [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
    [+] vmalloc area 0xcfc00000 - 0xdf625000
        Wait... \
    [-] FAILED: try again (Cannot allocate memory)
    Killed
    </edit>
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Mmm..failed on Gentoo..kernel 2.6.10

    Code:
    bitchbabe@sexybitches: pts/6: 21 files 113Mb -&gt; uname -ar
    
    Linux sexybitches 2.6.10-morph10 #1 Sat Jan 8 00:35:33 EDT 2005 i686 Intel(R) Pentium(R) 4 Mobile CPU 1.60GHz GenuineIntel GNU/Linux
    
    Sun Jan  9 04:31:30 EDT 2005
    ~
    bitchbabe@sexybitches: pts/6: 21 files 113Mb -&gt; ./test4
    
        child 1 VMAs 0
    [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
    [+] vmalloc area 0xef800000 - 0xffffd000
    Segmentation fault
    
    Sun Jan  9 04:31:43 EDT 2005
    ~
    bitchbabe@sexybitches: pts/6: 21 files 113Mb -&gt;
    [
    Not an image or image does not exist!
    Not an image or image does not exist!

  4. #4
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    the_JinX, what's the difference with yours and mine. I just installed slack 10, 2 or 3 days ago and run slapt-get to upgrade everything that it could, also with --ignore-excludes for the kernel, so I have 2.4.28 also right now and here is my output.

    Code:
    Script started on Sat 08 Jan 2005 04:23:30 PM CST
    skiddieleet@h3r3tic2:~/c$ ./elfsp
    
    [+] SLAB cleanup
    
        child 1 VMAs 0
        child 1 VMAs 90
    [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
    [+] vmalloc area 0xd8000000 - 0xefee1000
    [-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied) 
    Killed
    skiddieleet@h3r3tic2:~/c$ exit
    Script done on Sat 08 Jan 2005 04:23:37 PM CST
    I guess it failed, but I would think I would have almost the same output as you. Did it get farther on one of our boxes? Peace.

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Originally posted here by sweet_angel
    Mmm..failed on Gentoo..kernel 2.6.10

    Code:
    [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
    [+] vmalloc area 0xef800000 - 0xffffd000
    Segmentation fault
    [
    There's a question here about where the segfault occurs, either in your compiled program or the processes it creates... because if it's the latter some modification of the code could possibly spawn a shell as root [though it might just be a user shell].

    Another thing, just to make sure... everybody testing this should have the option selected in the kernel I'd assume... otherwise there shouldn't be any problem? Not sure on that though...
    /\\

  6. #6
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Originally posted here by h3r3tic
    the_JinX, what's the difference with yours and mine. I just installed slack 10, 2 or 3 days ago and run slapt-get to upgrade everything that it could, also with --ignore-excludes for the kernel, so I have 2.4.28 also right now and here is my output.

    Code:
    [-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied) 
    Killed
    I guess it failed, but I would think I would have almost the same output as you. Did it get farther on one of our boxes? Peace.

    Ehm.. you found the skiddy deterrent.. change that file in de c-code to /tmp/_elf_lib or something.. should help..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  7. #7
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    LOL, a Skiddie being deterred by a skiddie deterrent.

  8. #8
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    lol, serves me right I guess. I just grabbed the code, pasted it, compiled it, and ran it :P.
    Now I get about the same output as you though.

  9. #9
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    I have something cool for you to compile and run, h3r3tic, you will have to run it as root though
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  10. #10
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Oh cool, I love testing people's code. I guess attach it in a pm or something. Thanks.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •