From: Athanasius <link@miggy.org>
To: linux-os@analogic.com, linux-kernel <linux-kernel@vger.kernel.org>
Cc: Marcelo Tosatti <marcelo.tosatti@cyclades.com>,
Lukasz Trabinski <lukasz@wsisiz.edu.pl>
Subject: Re: uselib() & 2.6.X?
Date: Fri, 7 Jan 2005 22:29:40 +0000 [thread overview]
Message-ID: <20050107222940.GE22324@miggy.org> (raw)
In-Reply-To: <Pine.LNX.4.61.0501071519330.21405@chaos.analogic.com>
[-- Attachment #1: Type: text/plain, Size: 2370 bytes --]
On Fri, Jan 07, 2005 at 03:27:05PM -0500, linux-os wrote:
> On Fri, 7 Jan 2005, Marcelo Tosatti wrote:
> >>Hello
> >>
> >>
> >>http://isec.pl/vulnerabilities/isec-0021-uselib.txt
> >>
> >>[...]
> >>Locally exploitable flaws have been found in the Linux binary format
> >>loaders' uselib() functions that allow local users to gain root
> >>privileges.
> >>[...]
> >>Version: 2.4 up to and including 2.4.29-rc2, 2.6 up to and including
> >>2.6.10
> >>[...]
> >>
> >>It's was fixed by Marcelo on 2.4.29-rc1. Thank's :)
> >>What about 2.6.X? Is any patch available? I don't see any changes
> >>around binfmt_elf in 2.6.10-bk10?
> >
> >2.6.10-ac contains a version of the fix.
> >
> >Attached is what going to be merged in mainline, most likely.
> >
> >
>
> FYI, the provided source-code won't build with the 2.6.x kernel
> because one of the structures is no longer defined. However,
> building on 2.4.20 and attempting to exploit the alleged bug
> results in:
>
> Script started on Fri 07 Jan 2005 03:22:24 PM EST
> LINUX> ./isec
>
> [+] SLAB cleanup
> [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
> [+] vmalloc area 0xef800000 - 0xffffd000
>
> [-] FAILED: try again (No such device)
It's trying to use /dev/shm/_elf_lib, which doesn't work too well if
you don't have tmpfs/shm support and /dev/shm mounted. Changing this to
a normal filename doesn't get much further in the exploit. It just
repeatedly fails:
22:26:41 0$ ./elflbl_v108
[+] SLAB cleanup
child 1 VMAs 31876
child 2 VMAs 250
[+] moved stack bfffd000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xfec00000 - 0xffffd000
Wait... -
[-] FAILED: 502: try again (Cannot allocate memory)
Killed
Oh, and in 2.6.x it seems struct modify_ldt_ldt_s is now struct
user_desc, not that making that change and running the exploit results
in any further luck.
There are comments in the code about a 'race' though, so I assume it's
a race condition being exploited and it might work eventually if you
loop the thing.
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
[-- Attachment #2: Type: application/pgp-signature, Size: 240 bytes --]
next prev parent reply other threads:[~2005-01-07 22:34 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-07 15:59 uselib() & 2.6.X? Lukasz Trabinski
2005-01-07 17:07 ` Marcelo Tosatti
2005-01-07 20:27 ` linux-os
2005-01-07 22:29 ` Athanasius [this message]
2005-01-07 22:49 ` Alan Cox
2005-01-08 0:15 ` Linus Torvalds
2005-01-07 22:12 ` Marcelo Tosatti
2005-01-08 18:46 ` Linus Torvalds
2005-01-08 18:28 ` Marcelo Tosatti
2005-01-09 1:38 ` Linus Torvalds
2005-01-09 11:06 ` Marcelo Tosatti
2005-01-10 8:34 ` Frank Steiner
2005-01-10 16:51 ` Marcelo Tosatti
2005-01-10 18:28 ` Alan Cox
2005-01-11 7:49 ` Frank Steiner
2005-01-08 21:07 ` Andreas Schwab
2005-01-08 22:30 ` Barry K. Nathan
2005-01-08 23:21 ` Andi Kleen
2005-01-08 23:30 ` Alan Cox
2005-01-09 0:57 ` Andi Kleen
2005-01-09 0:49 ` Andries Brouwer
2005-01-09 2:21 ` Jesper Juhl
2005-01-09 2:17 ` Andries Brouwer
2005-01-08 21:47 ` Alan Cox
2005-01-11 22:51 ` [PATCH] make uselib configurable (was Re: uselib() & 2.6.X?) Barry K. Nathan
2005-01-11 23:42 ` Jesper Juhl
2005-01-11 23:59 ` Andries Brouwer
2005-01-12 1:06 ` Jesper Juhl
2005-01-12 1:18 ` David Lang
2005-01-11 22:36 ` Marcelo Tosatti
2005-01-12 2:32 ` Barry K. Nathan
2005-01-12 0:56 ` Marcelo Tosatti
2005-01-12 6:10 ` Barry K. Nathan
2005-01-12 16:47 ` Adrian Bunk
2005-01-12 17:10 ` Barry K. Nathan
2005-01-12 20:16 ` Matt Mackall
2005-01-12 2:12 ` Barry K. Nathan
2005-01-12 2:23 ` David Lang
2005-01-12 2:30 ` Adrian Bunk
2005-01-12 5:11 ` Stephen Pollei
2005-01-12 16:54 ` Adrian Bunk
2005-01-12 7:58 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050107222940.GE22324@miggy.org \
--to=link@miggy.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-os@analogic.com \
--cc=lukasz@wsisiz.edu.pl \
--cc=marcelo.tosatti@cyclades.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).