On Fri, Jan 07, 2005 at 03:27:05PM -0500, linux-os wrote:
> On Fri, 7 Jan 2005, Marcelo Tosatti wrote:
>
>> Hello
>>
>> http://isec.pl/vulnerabilities/isec-0021-uselib.txt
>>
>> [...]
>> Locally exploitable flaws have been found in the Linux binary format
>> loaders' uselib() functions that allow local users to gain root
>> privileges.
>> [...]
>> Version: 2.4 up to and including 2.4.29-rc2, 2.6 up to and including
>> 2.6.10
>> [...]
>>
>> It was fixed by Marcelo on 2.4.29-rc1. Thanks :)
>> What about 2.6.X? Is any patch available? I don't see any changes
>> around binfmt_elf in 2.6.10-bk10?
>
> 2.6.10-ac contains a version of the fix.
>
> Attached is what is going to be merged in mainline, most likely.
>
> FYI, the provided source-code won't build with the 2.6.x kernel
> because one of the structures is no longer defined. However,
> building on 2.4.20 and attempting to exploit the alleged bug
> results in:
>
> Script started on Fri 07 Jan 2005 03:22:24 PM EST
> LINUX> ./isec
>
> [+] SLAB cleanup
> [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
> [+] vmalloc area 0xef800000 - 0xffffd000
>
> [-] FAILED: try again (No such device)

It's trying to use /dev/shm/_elf_lib, which doesn't work too well if
you don't have tmpfs/shm support and /dev/shm mounted.

Changing this to a normal filename doesn't get much further in the
exploit. It just repeatedly fails:

22:26:41 0$ ./elflbl_v108
[+] SLAB cleanup
child 1 VMAs 31876
child 2 VMAs 250
[+] moved stack bfffd000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xfec00000 - 0xffffd000
Wait... -
[-] FAILED: 502: try again (Cannot allocate memory)
Killed

Oh, and in 2.6.x it seems struct modify_ldt_ldt_s is now struct
user_desc, not that making that change and running the exploit results
in any further luck. There are comments in the code about a 'race'
though, so I assume it's a race condition being exploited and it might
work eventually if you loop the thing.
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up. Me who makes the
monsters. Me who strips my confidence." Paula Cole - ME