[grsec] Re: [gentoo-hardened] about the recent ELF kernel bug

Igor Gueths igueths at lava-net.com
Sat May 14 10:57:35 EDT 2005


Hi there.
On Fri, May 13, 2005 at 03:42:45PM +0100, Miguel Filipe wrote:
> Hi there,
> 
> On 5/13/05, Pedro Venda <pjvenda at arrakis.dhis.org> wrote:
> > hi everyone,
> > 
> > Has anyone got a clue on how the proof of concept code should behave on
> > vulnerable and non-vulnerable machines?
> > 
> > On a PaX+grsecurity hardened server, it outputs:
> > 
> > [+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc  ESP: 0xb47b1890
> > [+] phase 1
> > [+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432  ESP: 0xb5e03930
> > [+] phase2, <RET> to crash Killed
> > 
> > and doesn't core-dump. Also it doesn't warn about the segmentation violation
> > process in the logs...
> > 
> > On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8
> > kernels) results are consistent but different from the hardened server:
> > pjlv at archon test $ ./elfcd1
> > 
> > [+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff  ESP: 0xbfffedb0
> > [+] phase 1
> > [+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2  ESP: 0xbfff6e80
> > [+] phase 2, <RET> to crash Segmentation fault (core dumped)
> > 
> > and core-dumps.
> > 
> > Any help? Is the hardened server secure? I suppose so, since it didn't core
> > dump.
> > 
> 
> From what I understood, a core dump doesn't mean the POC worked.
> But I could be wrong...

Is this the bug that is being referred to? I googled and this is the closest possible match I have so far: http://seclists.org/lists/vulnwatch/2005/Apr-Jun/0042.html. I assume I should be
looking at a possible upgrade?
> 
> > regards,
> > pedro venda.
> > --
> > 
> > Pedro João Lopes Venda
> > email: pjvenda < at > arrakis.dhis.org
> > http://arrakis.dhis.org
> > 
> > 
> > 
> 
> best regards, and hugs to you pj! :-p
> 
> 
> 
> -- 
> Miguel Sousa Filipe
> _______________________________________________
> grsecurity mailing list
> grsecurity at grsecurity.net
> http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity

-- 
How many chunks could checkchunk check if checkchunck could check chunks?
-- Alan Cox