local root exploit all linux kernels patch now

Printable View

Show 40 post(s) from this thread on one page

January 8th, 2005, 12:47 AM
the_JinX

local root exploit all linux kernels patch now

Quote:

Synopsis: Linux kernel uselib() privilege elevation
Product: Linux kernel
Version: 2.4 up to and including 2.4.29-pre3, 2.6 up to and including 2.6.10
Vendor: http://www.kernel.org/
URL: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
CVE: CAN-2004-1235
Author: Paul Starzetz <[email protected]>
Date: Jan 07, 2005

Issue:
======

Locally exploitable flaws have been found in the Linux binary format
loaders' uselib() functions that allow local users to gain root
privileges.

Details:
========

The Linux kernel provides a binary format loader layer to load (execute)
programs of different binary formats like ELF or a.out and more. The
kernel also provides a function named sys_uselib() to load a
corresponding library. This function is dispatched to the current
process's binary format handler and is basically a simplified mmap()
coupled with some header parsing code.

An analyze of the uselib function load_elf_library() from binfmt_elf.c
revealed a flaw in the handling of the library's brk segment (VMA). That
segment is created with the current->mm->mmap_sem semaphore NOT held
while modifying the memory layout of the calling process. This can be
used to disturb the memory management and gain elevated privileges. Also
the binfmt_aout binary format loader code is affected in the same way

http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt

Update now to 2.4.29-rc1 or 2.6.10-ac6
January 8th, 2005, 01:35 AM
the_JinX

Also...

Nice discussion on this and copyright and more on /.

http://linux.slashdot.org/linux/05/0...id=172&tid=106

<edit type="remove">
The exploit is made lamer proof.. never mind ;)
stupid me ::hide-beh
</edit>
<edit type="add">
My test box (Slackware Current stock kernel 2.4.28) seem invulnerable..

Code:

the_jinx@copycat:~$ ./elflbl [+] SLAB cleanup child 1 VMAs 65527 child 2 VMAs 65294 [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000 [+] vmalloc area 0xcfc00000 - 0xdf625000 Wait... \ [-] FAILED: try again (Cannot allocate memory) Killed

</edit>
January 8th, 2005, 03:48 AM
sweet_angel

Mmm..failed on Gentoo..kernel 2.6.10

Code:

bitchbabe@sexybitches: pts/6: 21 files 113Mb -> uname -ar Linux sexybitches 2.6.10-morph10 #1 Sat Jan 8 00:35:33 EDT 2005 i686 Intel(R) Pentium(R) 4 Mobile CPU 1.60GHz GenuineIntel GNU/Linux Sun Jan 9 04:31:30 EDT 2005 ~ bitchbabe@sexybitches: pts/6: 21 files 113Mb -> ./test4 child 1 VMAs 0 [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000 [+] vmalloc area 0xef800000 - 0xffffd000 Segmentation fault Sun Jan 9 04:31:43 EDT 2005 ~ bitchbabe@sexybitches: pts/6: 21 files 113Mb ->

[
January 8th, 2005, 11:36 PM
skiddieleet

the_JinX, what's the difference with yours and mine. I just installed slack 10, 2 or 3 days ago and run slapt-get to upgrade everything that it could, also with --ignore-excludes for the kernel, so I have 2.4.28 also right now and here is my output.

Code:

Script started on Sat 08 Jan 2005 04:23:30 PM CST skiddieleet@h3r3tic2:~/c$ ./elfsp [+] SLAB cleanup child 1 VMAs 0 child 1 VMAs 90 [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000 [+] vmalloc area 0xd8000000 - 0xefee1000 [-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied) Killed skiddieleet@h3r3tic2:~/c$ exit Script done on Sat 08 Jan 2005 04:23:37 PM CST

I guess it failed, but I would think I would have almost the same output as you. Did it get farther on one of our boxes? Peace.
January 9th, 2005, 01:58 PM
hypronix

Quote:

Originally posted here by sweet_angel
Mmm..failed on Gentoo..kernel 2.6.10

Code:

[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000 [+] vmalloc area 0xef800000 - 0xffffd000 Segmentation fault

[

There's a question here about where the segfault occurs, either in your compiled program or the processes it creates... because if it's the latter some modification of the code could possibly spawn a shell as root [though it might just be a user shell].

Another thing, just to make sure... everybody testing this should have the option selected in the kernel I'd assume... otherwise there shouldn't be any problem? Not sure on that though...
January 9th, 2005, 05:46 PM
the_JinX

Quote:

Originally posted here by h3r3tic
the_JinX, what's the difference with yours and mine. I just installed slack 10, 2 or 3 days ago and run slapt-get to upgrade everything that it could, also with --ignore-excludes for the kernel, so I have 2.4.28 also right now and here is my output.

Code:

[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied) Killed

I guess it failed, but I would think I would have almost the same output as you. Did it get farther on one of our boxes? Peace.

Ehm.. you found the skiddy deterrent.. change that file in de c-code to /tmp/_elf_lib or something.. should help..
January 9th, 2005, 06:55 PM
gore

LOL, a Skiddie being deterred by a skiddie deterrent.
January 9th, 2005, 07:30 PM
skiddieleet

lol, serves me right I guess. I just grabbed the code, pasted it, compiled it, and ran it :P.
Now I get about the same output as you though. ;)
January 10th, 2005, 09:21 AM
the_JinX

I have something cool for you to compile and run, h3r3tic, you will have to run it as root though :p
January 10th, 2005, 09:45 PM
skiddieleet

Oh cool, I love testing people's code. I guess attach it in a pm or something. Thanks.

Show 40 post(s) from this thread on one page