-
January 8th, 2005, 12:47 AM
#1
local root exploit all linux kernels patch now
Synopsis: Linux kernel uselib() privilege elevation
Product: Linux kernel
Version: 2.4 up to and including 2.4.29-pre3, 2.6 up to and including 2.6.10
Vendor: http://www.kernel.org/
URL: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
CVE: CAN-2004-1235
Author: Paul Starzetz <ihaquer@isec.pl>
Date: Jan 07, 2005
Issue:
======
Locally exploitable flaws have been found in the Linux binary format
loaders' uselib() functions that allow local users to gain root
privileges.
Details:
========
The Linux kernel provides a binary format loader layer to load (execute)
programs of different binary formats like ELF or a.out and more. The
kernel also provides a function named sys_uselib() to load a
corresponding library. This function is dispatched to the current
process's binary format handler and is basically a simplified mmap()
coupled with some header parsing code.
An analysis of the uselib function load_elf_library() from binfmt_elf.c
revealed a flaw in the handling of the library's brk segment (VMA). That
segment is created with the current->mm->mmap_sem semaphore NOT held
while modifying the memory layout of the calling process. This can be
used to disturb the memory management and gain elevated privileges. Also
the binfmt_aout binary format loader code is affected in the same way.
http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt
Update now to 2.4.29-rc1 or 2.6.10-ac6
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
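For anyone wanting to check a box against the advisory's ranges rather than by running the exploit, here is a small added checker (not from the advisory or this thread). It assumes the ordering preN < rcN < final release < acN within one x.y.z, takes the affected/fixed boundaries from the advisory and the post above, and treats custom suffixes like the ones in this thread as "base version affected, verify the patch yourself".

```python
import re
import subprocess

# Boundaries from the advisory and the post:
#   2.4 branch: affected up to and including 2.4.29-pre3, fixed in 2.4.29-rc1
#   2.6 branch: affected up to and including 2.6.10,      fixed in 2.6.10-ac6
# Ordering assumed by this example: preN < rcN < final < acN (ac = patch on the final).
STAGE_RANK = {"pre": 0, "rc": 1, "": 2, "ac": 3}
FIRST_FIXED = {
    (2, 4): (2, 4, 29, STAGE_RANK["rc"], 1),
    (2, 6): (2, 6, 10, STAGE_RANK["ac"], 6),
}
_REL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(pre|rc|ac)(\d+))?(.*)$")

def parse_release(release):
    """Split a `uname -r` string into a comparable key plus any leftover suffix."""
    m = _REL_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = STAGE_RANK[m.group(4) or ""]
    num = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, stage, num), m.group(6)

def assess(release):
    """Classify a kernel release string against the advisory's affected ranges."""
    parsed = parse_release(release)
    if parsed is None:
        return "unknown"
    key, extra = parsed
    fixed = FIRST_FIXED.get(key[:2])
    if fixed is None:
        return "unknown"          # not a 2.4/2.6 kernel; outside the advisory's scope
    if key >= fixed:
        return "fixed"
    # A vendor or custom suffix (e.g. -morph10) may or may not carry a backported fix;
    # the base version is in the affected range, so flag it for manual verification.
    return "affected-unless-patched" if extra else "affected"

def assess_uname_line(line):
    """Take a full `uname -a` line (release is the third field) and classify it."""
    fields = line.split()
    return assess(fields[2]) if len(fields) > 2 else "unknown"

if __name__ == "__main__":
    # Constructed sample in the shape of the `uname -a` output posted in this thread.
    sample = "Linux sexybitches 2.6.10-morph10 #1 Sat Jan 8 00:35:33 EDT 2005 i686 GNU/Linux"
    print(sample.split()[2], "->", assess_uname_line(sample))
    live = subprocess.run(["uname", "-r"], capture_output=True, text=True).stdout
    print("this host:", live.strip(), "->", assess(live))
```

Note that an exploit failing on a box (as on the 2.4.28 Slackware kernels below) says nothing about whether it is patched; the version check is the thing to go by.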
-
January 8th, 2005, 01:35 AM
#2
Also...
Nice discussion on this and copyright and more on /.
http://linux.slashdot.org/linux/05/0...id=172&tid=106
<edit type="remove">
The exploit is made lamer proof.. never mind
stupid me
</edit>
<edit type="add">
My test box (Slackware Current stock kernel 2.4.28) seems invulnerable..
Code:
the_jinx@copycat:~$ ./elflbl
[+] SLAB cleanup
child 1 VMAs 65527
child 2 VMAs 65294
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xcfc00000 - 0xdf625000
Wait... \
[-] FAILED: try again (Cannot allocate memory)
Killed
</edit>
-
January 8th, 2005, 03:48 AM
#3
Mmm..failed on Gentoo..kernel 2.6.10
Code:
bitchbabe@sexybitches: pts/6: 21 files 113Mb -> uname -ar
Linux sexybitches 2.6.10-morph10 #1 Sat Jan 8 00:35:33 EDT 2005 i686 Intel(R) Pentium(R) 4 Mobile CPU 1.60GHz GenuineIntel GNU/Linux
Sun Jan 9 04:31:30 EDT 2005
~
bitchbabe@sexybitches: pts/6: 21 files 113Mb -> ./test4
child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xef800000 - 0xffffd000
Segmentation fault
Sun Jan 9 04:31:43 EDT 2005
~
bitchbabe@sexybitches: pts/6: 21 files 113Mb ->
-
January 8th, 2005, 11:36 PM
#4
the_JinX, what's the difference between yours and mine? I just installed slack 10, 2 or 3 days ago and ran slapt-get to upgrade everything that it could, also with --ignore-excludes for the kernel, so I have 2.4.28 also right now and here is my output.
Code:
Script started on Sat 08 Jan 2005 04:23:30 PM CST
skiddieleet@h3r3tic2:~/c$ ./elfsp
[+] SLAB cleanup
child 1 VMAs 0
child 1 VMAs 90
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xd8000000 - 0xefee1000
[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied)
Killed
skiddieleet@h3r3tic2:~/c$ exit
Script done on Sat 08 Jan 2005 04:23:37 PM CST
I guess it failed, but I would think I would have almost the same output as you. Did it get farther on one of our boxes? Peace.
-
January 9th, 2005, 01:58 PM
#5
Originally posted here by sweet_angel
Mmm..failed on Gentoo..kernel 2.6.10
Code:
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xef800000 - 0xffffd000
Segmentation fault
There's a question here about where the segfault occurs, either in your compiled program or the processes it creates... because if it's the latter some modification of the code could possibly spawn a shell as root [though it might just be a user shell].
Another thing, just to make sure... everybody testing this should have the option selected in the kernel I'd assume... otherwise there shouldn't be any problem? Not sure on that though...
/ \\
-
January 9th, 2005, 05:46 PM
#6
Originally posted here by h3r3tic
the_JinX, what's the difference between yours and mine? I just installed slack 10, 2 or 3 days ago and ran slapt-get to upgrade everything that it could, also with --ignore-excludes for the kernel, so I have 2.4.28 also right now and here is my output.
Code:
[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied)
Killed
I guess it failed, but I would think I would have almost the same output as you. Did it get farther on one of our boxes? Peace.
Ehm.. you found the skiddy deterrent.. change that file in the C code to /tmp/_elf_lib or something.. should help..
-
January 9th, 2005, 06:55 PM
#7
LOL, a Skiddie being deterred by a skiddie deterrent.
-
January 9th, 2005, 07:30 PM
#8
lol, serves me right I guess. I just grabbed the code, pasted it, compiled it, and ran it :P.
Now I get about the same output as you though.
-
January 10th, 2005, 09:21 AM
#9
I have something cool for you to compile and run, h3r3tic, you will have to run it as root though.
-
January 10th, 2005, 09:45 PM
#10
Oh cool, I love testing people's code. I guess attach it in a pm or something. Thanks.