[grsec] Linux kernel file offset pointer races
Wolfpaw - Dale Corse
admin-lists at wolfpaw.net
Sat Aug 7 03:52:14 EDT 2004
Doesn't look like we are immune. I don't run mtrr by default thankfully,
so at least it won't work with the script kiddies on our shell servers
out of the box..
Here's what we got:
admin at seyonne:~$ uname -a
Linux seyonne 2.4.26-grsec #11 Sat Aug 7 00:13:52 MDT 2004 i686 unknown
unknown GNU/Linux
admin at seyonne:~$ ls -alh UPGRADE_KIT.TGZ
-rw-r--r-- 1 admin users 60M Jun 10 23:06 UPGRADE_KIT.TGZ
admin at seyonne:~$ ./mtrr-x UPGRADE_KIT.TGZ
[+] mmaped uncached file at 0x40157000 - 0x43c90000
[+] mmaped kernel data file at 0x43c90000
[+] Race won!
[+] READ 137 bytes in 1381654 usec
[+] SUCCESS, lseek fails, reading kernel mem...
PAGE 25
[+] done, err=Bad address
dmesg shows nothing:
*SNIP*
reiserfs: found format "3.6" with standard journal
reiserfs: using ordered data mode
reiserfs: checking transaction log (device sd(8,3)) ...
for (sd(8,3))
sd(8,3):Using r5 hash to sort names
VFS: Mounted root (reiserfs filesystem) readonly.
Freeing unused kernel memory: 2692k freed
PAX: warning, PCI BIOS might still be in use, keeping flat KERNEL_CS.
Adding Swap: 506036k swap-space (priority -1)
reiserfs: found format "3.6" with standard journal
reiserfs: using ordered data mode
reiserfs: checking transaction log (device sd(8,1)) ...
for (sd(8,1))
sd(8,1):Using r5 hash to sort names
The file appears to be accessible (please correct me if im wrong)
and lseek does fail, so I assume it may be exploitable. I have
seen no patches for the kernel at the time of this writing.
My question would be 2 fold for GrSec though.. If it can read
(as claimed) the root password from someone using SSH, I assume
/bin/su is also vulnerable. This may assumably mean that passwords
for the ACL system could be readable, which would completely kill
Grsec protection..
Any comments Brad? :) You're the guru here :P
Regards,
Dale.
> -----Original Message-----
> From: grsecurity-bounces at grsecurity.net
> [mailto:grsecurity-bounces at grsecurity.net] On Behalf Of
> Viktors Rotanovs
> Sent: Wednesday, August 04, 2004 10:24 AM
> To: grsecurity at grsecurity.net
> Subject: [grsec] Linux kernel file offset pointer races
>
>
> Hi,
>
> just noticed new kernel exploit on BUGTRAQ
> (http://isec.pl/vulnerabilities/isec-0016-procleaks.txt)
> As far as I can understand that thing is very difficult to
> fix in every
> possible place; does GrSecurity make it more difficult to exploit?
>
> Best Wishes,
> Viktors
>
> _______________________________________________
> grsecurity mailing list
> grsecurity at grsecurity.net
> http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
>
> --------------------------------------------------------------
> ---------------
> This message has been scanned for Spam and Viruses by ClamAV
> and SpamAssassin
> --------------------------------------------------------------
> ---------------
>
>
>
More information about the grsecurity
mailing list