From: Athanasius <link@miggy.org>
To: linux-os@analogic.com, linux-kernel <linux-kernel@vger.kernel.org>
Cc: Marcelo Tosatti <marcelo.tosatti@cyclades.com>,
Lukasz Trabinski <lukasz@wsisiz.edu.pl>
Subject: Re: uselib() & 2.6.X?
Date: Fri, 7 Jan 2005 22:29:40 +0000 [thread overview]
Message-ID: <20050107222940.GE22324@miggy.org> (raw)
In-Reply-To: <Pine.LNX.4.61.0501071519330.21405@chaos.analogic.com>
[-- Attachment #1: Type: text/plain, Size: 2370 bytes --]
On Fri, Jan 07, 2005 at 03:27:05PM -0500, linux-os wrote:
> On Fri, 7 Jan 2005, Marcelo Tosatti wrote:
> >>Hello
> >>
> >>
> >>http://isec.pl/vulnerabilities/isec-0021-uselib.txt
> >>
> >>[...]
> >>Locally exploitable flaws have been found in the Linux binary format
> >>loaders' uselib() functions that allow local users to gain root
> >>privileges.
> >>[...]
> >>Version: 2.4 up to and including 2.4.29-rc2, 2.6 up to and including
> >>2.6.10
> >>[...]
> >>
> >>It's was fixed by Marcelo on 2.4.29-rc1. Thank's :)
> >>What about 2.6.X? Is any patch available? I don't see any changes
> >>around binfmt_elf in 2.6.10-bk10?
> >
> >2.6.10-ac contains a version of the fix.
> >
> >Attached is what going to be merged in mainline, most likely.
> >
> >
>
> FYI, the provided source-code won't build with the 2.6.x kernel
> because one of the structures is no longer defined. However,
> building on 2.4.20 and attempting to exploit the alleged bug
> results in:
>
> Script started on Fri 07 Jan 2005 03:22:24 PM EST
> LINUX> ./isec
>
> [+] SLAB cleanup
> [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
> [+] vmalloc area 0xef800000 - 0xffffd000
>
> [-] FAILED: try again (No such device)
It's trying to use /dev/shm/_elf_lib, which doesn't work too well if
you don't have tmpfs/shm support and /dev/shm mounted. Changing this to
a normal filename doesn't get much further in the exploit. It just
repeatedly fails:
22:26:41 0$ ./elflbl_v108
[+] SLAB cleanup
child 1 VMAs 31876
child 2 VMAs 250
[+] moved stack bfffd000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xfec00000 - 0xffffd000
Wait... -
[-] FAILED: 502: try again (Cannot allocate memory)
Killed
Oh, and in 2.6.x it seems struct modify_ldt_ldt_s is now struct
user_desc, not that making that change and running the exploit results
in any further luck.
There are comments in the code about a 'race' though, so I assume it's
a race condition being exploited and it might work eventually if you
loop the thing.
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
[-- Attachment #2: Type: application/pgp-signature, Size: 240 bytes --]
next prev parent reply other threads:[~2005-01-07 22:34 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-07 15:59 uselib() & 2.6.X? Lukasz Trabinski
2005-01-07 17:07 ` Marcelo Tosatti
2005-01-07 20:27 ` linux-os
2005-01-07 22:29 ` Athanasius [this message]
2005-01-07 22:49 ` Alan Cox
2005-01-08 0:15 ` Linus Torvalds
2005-01-07 22:12 ` Marcelo Tosatti
2005-01-08 18:46 ` Linus Torvalds
2005-01-08 18:28 ` Marcelo Tosatti
2005-01-09 1:38 ` Linus Torvalds
2005-01-09 11:06 ` Marcelo Tosatti
2005-01-10 8:34 ` Frank Steiner
2005-01-10 16:51 ` Marcelo Tosatti
2005-01-10 18:28 ` Alan Cox
2005-01-11 7:49 ` Frank Steiner
2005-01-08 21:07 ` Andreas Schwab
2005-01-08 22:30 ` Barry K. Nathan
2005-01-08 23:21 ` Andi Kleen
2005-01-08 23:30 ` Alan Cox
2005-01-09 0:57 ` Andi Kleen
2005-01-09 0:49 ` Andries Brouwer
2005-01-09 2:21 ` Jesper Juhl
2005-01-09 2:17 ` Andries Brouwer
2005-01-08 21:47 ` Alan Cox
2005-01-11 22:51 ` [PATCH] make uselib configurable (was Re: uselib() & 2.6.X?) Barry K. Nathan
2005-01-11 23:42 ` Jesper Juhl
2005-01-11 23:59 ` Andries Brouwer
2005-01-12 1:06 ` Jesper Juhl
2005-01-12 1:18 ` David Lang
2005-01-11 22:36 ` Marcelo Tosatti
2005-01-12 2:32 ` Barry K. Nathan
2005-01-12 0:56 ` Marcelo Tosatti
2005-01-12 6:10 ` Barry K. Nathan
2005-01-12 16:47 ` Adrian Bunk
2005-01-12 17:10 ` Barry K. Nathan
2005-01-12 20:16 ` Matt Mackall
2005-01-12 2:12 ` Barry K. Nathan
2005-01-12 2:23 ` David Lang
2005-01-12 2:30 ` Adrian Bunk
2005-01-12 5:11 ` Stephen Pollei
2005-01-12 16:54 ` Adrian Bunk
2005-01-12 7:58 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050107222940.GE22324@miggy.org \
--to=link@miggy.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-os@analogic.com \
--cc=lukasz@wsisiz.edu.pl \
--cc=marcelo.tosatti@cyclades.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.