Google luky.org euqset.org
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: uselib() & 2.6.X?

On Fri, 7 Jan 2005, Marcelo Tosatti wrote:

On Fri, Jan 07, 2005 at 04:59:22PM +0100, Lukasz Trabinski wrote: 
Hello


http://isec.pl/vulnerabilities/isec-0021-uselib.txt

[...]
Locally  exploitable  flaws  have  been found in the Linux binary format
loaders'  uselib()  functions  that  allow  local  users  to  gain  root
privileges.
[...]
Version:   2.4 up to and including 2.4.29-rc2, 2.6 up to and including 2.6.10
[...]

It's was fixed by Marcelo on 2.4.29-rc1. Thank's :)
What about 2.6.X? Is any patch available? I don't see any changes
around binfmt_elf in 2.6.10-bk10?


2.6.10-ac contains a version of the fix.

Attached is what going to be merged in mainline, most likely.



FYI, the provided source-code won't build with the 2.6.x kernel
because one of the structures is no longer defined. However,
building on 2.4.20 and attempting to exploit the alleged bug
results in:

Script started on Fri 07 Jan 2005 03:22:24 PM EST
LINUX> ./isec

[+] SLAB cleanup
   child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xef800000 - 0xffffd000

[-] FAILED: try again (No such device) Killed
LINUX> ./isec

[+] SLAB cleanup
   child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xef800000 - 0xffffd000

[-] FAILED: try again (No such device) Killed
LINUX> exit

Script done on Fri 07 Jan 2005 03:22:45 PM EST


.... Nothing. It just doesn't do what it's claimed to do....
So, maybe the exploit __can__ happen under rare circumstances,
but I wouldn't worry too much about it at the present time.

Cheers,
Dick Johnson
Penguin : Linux version 2.6.10 on an i686 machine (5537.79 BogoMips).
 Notice : All mail here is now cached for review by Dictator Bush.
                 98.36% of all statistics are fiction.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

$B$3$N>pJs$,$"$J$?$NC5$7$F$$?$b$N$+$I$&$+A*Br$7$F$/$@$5$!#(B
yes/$B$^$5$K$3$l$@!*(B   no/$B0c$&$J$!(B   part/$B0lIt8+$D$+$C$?(B   try/$B$3$l$G;n$7$F$_$k(B
$B$"$J$?$,C5$7$F$$?>pJs$O$I$N$h$&$J$3$H$+!"$4<+M3$K5-F~2<$5$!#FC$K!V$^$5$K$3$l$@!*!W$H8@$&>l9g$O5-F~$r$*4j$$7$^$9!#(B
$BNc(B:$B!VJ#?t$N%^%7%s$+$i(BCATV$B7PM3$G(Bipmasquerade$B$rMxMQ$7$F(BWeb$B$r;2>H$7$?$>l9g$N@_Dj$K$D$$F!W(B
Follow-Ups: References: