[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: uselib() & 2.6.X?

From: Athanasius <link@xxxxxxxxx>
Date: Fri, 7 Jan 2005 22:29:40 +0000
Mail-followup-to: Athanasius <link@xxxxxxxxx>, linux-os@xxxxxxxxxxxx, linux-kernel <linux-kernel@xxxxxxxxxxxxxxx>, Marcelo Tosatti <marcelo.tosatti@xxxxxxxxxxxx>, Lukasz Trabinski <lukasz@xxxxxxxxxxxxx>
References: <Pine.LNX.4.58LT.0501071648160.30645@oceanic.wsisiz.edu.pl> <20050107170712.GK29176@logos.cnet> <Pine.LNX.4.61.0501071519330.21405@chaos.analogic.com>
User-agent: Mutt/1.3.28i

On Fri, Jan 07, 2005 at 03:27:05PM -0500, linux-os wrote:
> On Fri, 7 Jan 2005, Marcelo Tosatti wrote:
> >>Hello
> >>
> >>
> >>http://isec.pl/vulnerabilities/isec-0021-uselib.txt
> >>
> >>[...]
> >>Locally  exploitable  flaws  have  been found in the Linux binary format
> >>loaders'  uselib()  functions  that  allow  local  users  to  gain  root
> >>privileges.
> >>[...]
> >>Version:   2.4 up to and including 2.4.29-rc2, 2.6 up to and including 
> >>2.6.10
> >>[...]
> >>
> >>It's was fixed by Marcelo on 2.4.29-rc1. Thank's :)
> >>What about 2.6.X? Is any patch available? I don't see any changes
> >>around binfmt_elf in 2.6.10-bk10?
> >
> >2.6.10-ac contains a version of the fix.
> >
> >Attached is what going to be merged in mainline, most likely.
> >
> >
> 
> FYI, the provided source-code won't build with the 2.6.x kernel
> because one of the structures is no longer defined. However,
> building on 2.4.20 and attempting to exploit the alleged bug
> results in:
> 
> Script started on Fri 07 Jan 2005 03:22:24 PM EST
> LINUX> ./isec
> 
> [+] SLAB cleanup
> [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
> [+] vmalloc area 0xef800000 - 0xffffd000
> 
> [-] FAILED: try again (No such device) 

  It's trying to use /dev/shm/_elf_lib, which doesn't work too well if
you don't have tmpfs/shm support and /dev/shm mounted.  Changing this to
a normal filename doesn't get much further in the exploit.  It just
repeatedly fails:

22:26:41 0$ ./elflbl_v108 

[+] SLAB cleanup
    child 1 VMAs 31876
    child 2 VMAs 250
[+] moved stack bfffd000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xfec00000 - 0xffffd000
    Wait... -
[-] FAILED: 502: try again (Cannot allocate memory) 
Killed

Oh, and in 2.6.x it seems struct modify_ldt_ldt_s is now struct
user_desc, not that making that change and running the exploit results
in any further luck.

  There are comments in the code about a 'race' though, so I assume it's
a race condition being exploited and it might work eventually if you
loop the thing.

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

Attachment: pgp7CxTbsWkw6.pgp
Description: PGP signature

References:

uselib() & 2.6.X?Lukasz Trabinski
Re: uselib() & 2.6.X?Marcelo Tosatti
Re: uselib() & 2.6.X?linux-os

Prev by Date: [ANNOUNCE] January Release of LTP now available
Next by Date: Re: [PATCH] [request for inclusion] Realtime LSM
Previous by thread: Re: uselib() & 2.6.X?
Next by thread: Re: uselib() & 2.6.X?
Indexes:[Main][Thread]