
Thread: local root exploit all linux kernels patch now

  1. #1
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    local root exploit all linux kernels patch now

    Synopsis: Linux kernel uselib() privilege elevation
    Product: Linux kernel
    Version: 2.4 up to and including 2.4.29-pre3, 2.6 up to and including 2.6.10
    Vendor: http://www.kernel.org/
    URL: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
    CVE: CAN-2004-1235
    Author: Paul Starzetz <ihaquer@isec.pl>
    Date: Jan 07, 2005


    Issue:
    ======

    Locally exploitable flaws have been found in the Linux binary format
    loaders' uselib() functions that allow local users to gain root
    privileges.


    Details:
    ========

    The Linux kernel provides a binary format loader layer to load (execute)
    programs of different binary formats like ELF or a.out and more. The
    kernel also provides a function named sys_uselib() to load a
    corresponding library. This function is dispatched to the current
    process's binary format handler and is basically a simplified mmap()
    coupled with some header parsing code.

    An analysis of the uselib function load_elf_library() from binfmt_elf.c
    revealed a flaw in the handling of the library's brk segment (VMA). That
    segment is created with the current->mm->mmap_sem semaphore NOT held
    while modifying the memory layout of the calling process. This can be
    used to disturb the memory management and gain elevated privileges. The
    binfmt_aout binary format loader code is affected in the same way.
    http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt


    Update now to 2.4.29-rc1 or 2.6.10-ac6
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !
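    A small triage helper, added here and not part of the advisory or of any post in this thread: it parses the `uname -r` strings that appear in the thread (2.4.28, 2.6.10-morph10, ...) and classifies them against the ranges the advisory states, treating 2.4.29-rc1 and 2.6.10-ac6 as the first fixed releases in their trees. The assumption that any 2.6.10-acN with N >= 6 is fixed is mine; a vendor suffix such as -morph10 is flagged as needing a check against distro patches.

```python
import re

# Ranges from the quoted iSEC advisory:
#   2.4 up to and including 2.4.29-pre3, 2.6 up to and including 2.6.10.
# Fixed trees named in the thread: 2.4.29-rc1 and 2.6.10-ac6.
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-(pre|rc|ac)(\d+))?(?P<rest>[-.].*)?$"
)

# Release-tag ordering: -preN precedes -rcN, which precedes the final
# release (no tag), which precedes the post-release -acN series.
TAG_ORDER = {"pre": 0, "rc": 1, None: 2, "ac": 3}

# First fixed release per affected tree. The 2.6.10-ac6 entry is taken from
# the thread; that later -ac releases are also fixed is an assumption here.
FIRST_FIXED = {
    (2, 4): (2, 4, 29, TAG_ORDER["rc"], 1),
    (2, 6): (2, 6, 10, TAG_ORDER["ac"], 6),
}


def parse_kernel_version(s):
    """Turn e.g. '2.4.29-pre3' into a comparable 5-tuple plus any vendor suffix."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %r" % s)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, tagnum = m.group(4), int(m.group(5) or 0)
    return (major, minor, patch, TAG_ORDER[tag], tagnum), (m.group("rest") or "")


def uselib_status(version):
    """Classify a kernel version string against CAN-2004-1235."""
    base, vendor_suffix = parse_kernel_version(version)
    fixed = FIRST_FIXED.get(base[:2])
    if fixed is None:
        return "outside advisory scope"
    if base >= fixed:
        return "fixed"
    if vendor_suffix:
        # e.g. 2.6.10-morph10: the base release is affected, but a distro or
        # custom patch set may already carry the fix; the string cannot tell us.
        return "affected base version; check vendor patches"
    return "affected"


if __name__ == "__main__":
    for v in ("2.4.28", "2.4.29-pre3", "2.4.29-rc1", "2.6.10", "2.6.10-ac6", "2.6.10-morph10"):
        print("%-16s %s" % (v, uselib_status(v)))
```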

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    Also...

    Nice discussion on this and copyright and more on /.

    http://linux.slashdot.org/linux/05/0...id=172&tid=106

    <edit type="remove">
    The exploit is made lamer proof.. never mind
    stupid me
    </edit>
    <edit type="add">
    My test box (Slackware Current stock kernel 2.4.28) seems invulnerable..

    Code:
    the_jinx@copycat:~$ ./elflbl
    
    [+] SLAB cleanup
        child 1 VMAs 65527
        child 2 VMAs 65294
    [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
    [+] vmalloc area 0xcfc00000 - 0xdf625000
        Wait... \
    [-] FAILED: try again (Cannot allocate memory)
    Killed
    </edit>

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Mmm..failed on Gentoo..kernel 2.6.10

    Code:
    bitchbabe@sexybitches: pts/6: 21 files 113Mb -> uname -ar
    
    Linux sexybitches 2.6.10-morph10 #1 Sat Jan 8 00:35:33 EDT 2005 i686 Intel(R) Pentium(R) 4 Mobile CPU 1.60GHz GenuineIntel GNU/Linux
    
    Sun Jan  9 04:31:30 EDT 2005
    ~
    bitchbabe@sexybitches: pts/6: 21 files 113Mb -> ./test4
    
        child 1 VMAs 0
    [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
    [+] vmalloc area 0xef800000 - 0xffffd000
    Segmentation fault
    
    Sun Jan  9 04:31:43 EDT 2005
    ~
    bitchbabe@sexybitches: pts/6: 21 files 113Mb ->
    [

  4. #4
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    the_JinX, what's the difference between yours and mine? I just installed slack 10, 2 or 3 days ago and ran slapt-get to upgrade everything that it could, also with --ignore-excludes for the kernel, so I have 2.4.28 also right now and here is my output.

    Code:
    Script started on Sat 08 Jan 2005 04:23:30 PM CST
    skiddieleet@h3r3tic2:~/c$ ./elfsp
    
    [+] SLAB cleanup
    
        child 1 VMAs 0
        child 1 VMAs 90
    [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
    [+] vmalloc area 0xd8000000 - 0xefee1000
    [-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied) 
    Killed
    skiddieleet@h3r3tic2:~/c$ exit
    Script done on Sat 08 Jan 2005 04:23:37 PM CST
    I guess it failed, but I would think I would have almost the same output as you. Did it get farther on one of our boxes? Peace.

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Originally posted here by sweet_angel
    Mmm..failed on Gentoo..kernel 2.6.10

    Code:
    [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
    [+] vmalloc area 0xef800000 - 0xffffd000
    Segmentation fault
    [
    There's a question here about where the segfault occurs, either in your compiled program or the processes it creates... because if it's the latter some modification of the code could possibly spawn a shell as root [though it might just be a user shell].

    Another thing, just to make sure... everybody testing this should have the option selected in the kernel I'd assume... otherwise there shouldn't be any problem? Not sure on that though...
    /\\

  6. #6
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Originally posted here by h3r3tic
    the_JinX, what's the difference between yours and mine? I just installed slack 10, 2 or 3 days ago and ran slapt-get to upgrade everything that it could, also with --ignore-excludes for the kernel, so I have 2.4.28 also right now and here is my output.

    Code:
    [-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied) 
    Killed
    I guess it failed, but I would think I would have almost the same output as you. Did it get farther on one of our boxes? Peace.

    Ehm.. you found the skiddy deterrent.. change that file in the C code to /tmp/_elf_lib or something.. should help..

  7. #7
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    LOL, a Skiddie being deterred by a skiddie deterrent.

  8. #8
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    lol, serves me right I guess. I just grabbed the code, pasted it, compiled it, and ran it :P.
    Now I get about the same output as you though.

  9. #9
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    I have something cool for you to compile and run, h3r3tic, you will have to run it as root though

  10. #10
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Oh cool, I love testing people's code. I guess attach it in a pm or something. Thanks.
