LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 01-13-2005, 05:19 PM   #1
jlangelier
Member
 
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Rep: Reputation: 15
Kernel race condition exploit solution?


I'm asking about that exploit that was publicized a couple of weeks ago. Affects the current Slackware kernel (2.4.28). Allows a local user to get root with ease. Tried it myself. Sure enough, compile this dopey little C program, run it as unprivileged, and get dumped to root.

Exploit details:[REMOVED BY jlangelier because it works (on my box, anyway) and it's not patched (for slackware) and I don't think the admins want links to exploits. I'll put it back if an admin says I can]

I understand there are patches for some distros. Will these work on the kernels Patrick has compiled? Or is there another reliable source for compiled kernels which are recommended for Slackware?

I know, I can always compile my own. This exploit has inspired me to learn how. I'm still working on it, with less than 100% success. In the meantime, I'm looking for a canned solution.

Thanks in advance.

Last edited by jlangelier; 01-13-2005 at 08:13 PM.
 
Old 01-13-2005, 06:40 PM   #2
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136
I have just compiled the exploit example from your link and its output is always:
Code:
    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xe0000000 - 0xffff1000
[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied) 
Killed
I run kernel 2.6.9 unpatched and default slackware 10.0 (with packages updated
from current)
 
Old 01-13-2005, 06:44 PM   #3
jlangelier
Member
 
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Original Poster
Rep: Reputation: 15
I'm at work, and on a Windows box, but as I recall, find /dev/shm/ in the code and change it to a writable directory. Also, I believe you have to use -n2 as an option when you run it.
 
Old 01-13-2005, 06:51 PM   #4
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136
I have exactly the same output even with the -n2 option.
For /dev/shm:
Code:
ls -al /dev/shm
total 0
drwxr-xr-x   2 root root 0 2005-01-13 11:48 .
drwxr-xr-x  18 root root 0 2005-01-14 00:32 ..
mmmh, it seems that /dev/shm is owned by root, so to run the exploit successfully, which
would give me root privilege, I have to know the root password to change the /dev/shm
permissions? All right... let's do that
Code:
$ su
$ chmod -R 777 /dev/shm
$ exit
$ ./exploit

    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xe0000000 - 0xffff1000
Segmentation fault
$ ./exploit -n2

    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xe0000000 - 0xffff1000
Segmentation fault
$ ./exploit -n2

    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xe0000000 - 0xffff1000
Segmentation fault

Last edited by keefaz; 01-13-2005 at 06:53 PM.
 
Old 01-13-2005, 06:54 PM   #5
jlangelier
Member
 
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Original Poster
Rep: Reputation: 15
I changed /dev/shm in the code to one of my home directories to get it to run.

[LINKS TO ARTICLES ON THE EXPLOIT REMOVED BY jlangelier]

I find this exploit kind of disconcerting, and surprising that it has not been addressed by the Slackware community other than by requiring everybody to compile their own unofficial kernel. I don't believe I saw discussion here (and could not find it by searching for it); there was certainly no email from slackware security or from slackgus. I only learned about it on Slashdot. Meanwhile the official kernel is still wide open for local users, as confirmed by myself and any number of others.

Red Hat's starting to look good to me.

Last edited by jlangelier; 01-13-2005 at 08:24 PM.
 
Old 01-13-2005, 07:03 PM   #6
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136
For my part I can't get it to work; even after changing the /dev/shm path in the source code, I
always end with a Segmentation fault, with any option I can see with -h. Maybe you could
post how you did it successfully on your machine?
 
Old 01-13-2005, 07:05 PM   #7
jlangelier
Member
 
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Original Poster
Rep: Reputation: 15
When I get home I will post the exact code I compiled, re-compile it, and log the messages (in about an hour).
 
Old 01-13-2005, 07:54 PM   #8
jlangelier
Member
 
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Original Poster
Rep: Reputation: 15
I said I'd post the exact code I compiled, but it is exactly the same as the code posted in the link, except that I changed the /dev directory to my /home.

The first time I tried it (couple of days ago) it worked. Now I tried to re-create it, and it did not work until about the eighth time I tried it, monkeying with the params. Note that even with the params below that I used, it did not work very often but it did ultimately work. One time, it kicked me to the login prompt. I'm sorry I ran it now, because I don't understand the code.

Anyway, here's the results of the time it worked:

Code:
testuser@darkstar:~$ ./exploit -n2 -f

child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xd7c00000 - 0xef4ca000
Wait... /
[+] race won maps=10181
expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xd8cad000
[+] gate modified ( 0xffec90b0 0x0804ec00 )
[+] exploited, uid=0

sh-2.05b# cp /var/log/messages ~
sh-2.05b# chown testuser /home/testuser/messages
sh-2.05b# exit
testuser@darkstar:$ ls -al messages
-rw-r-----  1 testuser root 93857 Jan 13 17:32 messages
testuser@darkstar:
I cp'd /var/log/messages and chown'd it to verify it wasn't just smoke and mirrors. Interesting that when I cp'd messages to ~ it copied it to the /home dir rather than /root, even though I had root permission at the time.

Last edited by jlangelier; 01-13-2005 at 08:48 PM.
 
Old 01-13-2005, 08:22 PM   #9
jlangelier
Member
 
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Original Poster
Rep: Reputation: 15
Update: I googled on the incident ID from the site which reported the exploit, and it's all over the net. Many distros have patched their kernels (including Sun, Ubuntu and Redhat) but others, including Slackware, have not. I originally posted the link to the demo of the exploit, but removed it because I think that would be against website policy.

But if you don't trust your local users (including ssh and telnet logins, and CGI writers), and run 2.2 (all versions), 2.4 up to and including 2.4.29-pre3, or 2.6 up to and including 2.6.10, I would upgrade your kernel.

Also note that there was no evidence of going root using this exploit in /var/log/messages, secure, or sulog on my box, and none of the commands showed up in the root bash history.


Last edited by jlangelier; 01-13-2005 at 08:44 PM.
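Post #9 above lists the kernel ranges the reporter considered affected. As an added example, not from the thread or its participants, here is a Python check that parses a `uname -r` style version string and says whether it falls inside those stated ranges; the ordering of -pre below -rc below the final release, and the treatment of local suffixes such as -smp, are my assumptions.

```python
import os
import re

# Affected kernels as stated in post #9 of the thread: every 2.2 kernel,
# 2.4 up to and including 2.4.29-pre3, 2.6 up to and including 2.6.10.
# A value of None means the whole series is affected.
VULNERABLE_UP_TO = {
    (2, 2): None,
    (2, 4): "2.4.29-pre3",
    (2, 6): "2.6.10",
}

# major.minor.patch with an optional -preN / -rcN tag; anything after that
# (for example the '-smp' of a Slackware SMP kernel) is treated as a local
# suffix and ignored (assumption, not from the thread).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(pre|rc)(\d+))?")

# Ordering assumption: -pre sorts below -rc, and both below the final release.
_STAGE_RANK = {"pre": 0, "rc": 1}
_FINAL_RANK = 2


def parse_kernel_version(text):
    """Turn a `uname -r` style string into a tuple that sorts correctly,
    so that 2.4.29-pre3 < 2.4.29-rc1 < 2.4.29."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %r" % text)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4):
        return (major, minor, patch, _STAGE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


def is_vulnerable(version_text):
    """True if the version falls inside one of the ranges listed above."""
    version = parse_kernel_version(version_text)
    series = version[:2]
    if series not in VULNERABLE_UP_TO:
        return False
    bound = VULNERABLE_UP_TO[series]
    return bound is None or version <= parse_kernel_version(bound)


if __name__ == "__main__":
    # Check the kernel this script is running on.
    running = os.uname().release
    state = "affected" if is_vulnerable(running) else "not in the listed ranges"
    print("kernel %s: %s" % (running, state))
```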
 
Old 01-14-2005, 05:36 AM   #10
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136
Well, for me it definitively does not work, even after over one hundred tries...
What kernel do you run? I even used gdb to see something about the seg fault, but
all I can see is:

Program received signal SIGUSR1, User defined signal 1
0x400b59e8 in fork () from /lib/libc.so.6

My system specs :
proc : athlon 2600+ barton
512 ddr memory
kernel 2.6.9
glibc 2.3.3
slackware 10
 
Old 01-14-2005, 10:11 AM   #11
jlangelier
Member
 
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Original Poster
Rep: Reputation: 15
Pentium III 600Mhz
348 MB RAM
2.4.26 Kernel
glibc 2.3.2
Slackware 10

I'm putting a link to the incident. I searched on the CVE reference ID and found that many distros have patched for this. I am doing this only because I am the only one here who confirms it works, and I don't want to be taken for a hoaxer.

I note that several security sites are still evaluating it. That may be because it does not work on every machine. Even on my box, it took multiple attempts for it to work.

http://www.securitytracker.com/alert...n/1012810.html

Last edited by jlangelier; 01-14-2005 at 10:29 AM.
 
Old 01-14-2005, 10:39 AM   #12
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136
Please note that I never said you were lying or something similar, I was just very curious
about this and wanted to test.

I tested the code on two machines (Duron Athlon and XP Athlon); both produce a seg fault.
I noticed that you use glibc 2.3.2 and I use glibc 2.3.3 (from current); I don't know if
that matters.

Both machines have same specs on installed software

Last edited by keefaz; 01-14-2005 at 10:40 AM.
 
Old 01-14-2005, 11:15 AM   #13
jlangelier
Member
 
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by keefaz
Please note that I never said you were lying or something similar, I was just very curious
about this and wanted to test.
I know, and I hope I didn't imply that you did. It was just something of a shock to me when it worked for me, and it therefore became a big deal to me, because this has been reported as working for pretty much any distro running those kernels, and not having heard much about it besides that article on Slashdot, I had to wonder what was going on. Thanks for trying and reporting your results.
 
  

