[grsec] Linux kernel file offset pointer races

Wolfpaw - Dale Corse admin-lists at wolfpaw.net
Sat Aug 7 03:52:14 EDT 2004


Doesn't look like we are immune. I don't run mtrr by default thankfully,
so at least it won't work with the script kiddies on our shell servers 
out of the box..

Here's what we got:

admin at seyonne:~$ uname -a
Linux seyonne 2.4.26-grsec #11 Sat Aug 7 00:13:52 MDT 2004 i686 unknown unknown GNU/Linux
admin at seyonne:~$ ls -alh UPGRADE_KIT.TGZ
-rw-r--r--    1 admin    users         60M Jun 10 23:06 UPGRADE_KIT.TGZ
admin at seyonne:~$ ./mtrr-x UPGRADE_KIT.TGZ

[+] mmaped uncached file at 0x40157000 - 0x43c90000
[+] mmaped kernel data file at 0x43c90000
[+] Race won!
[+] READ 137 bytes in 1381654 usec
[+] SUCCESS, lseek fails, reading kernel mem...
    PAGE     25
[+] done, err=Bad address

dmesg shows nothing:

*SNIP*
reiserfs: found format "3.6" with standard journal
reiserfs: using ordered data mode
reiserfs: checking transaction log (device sd(8,3)) ...
for (sd(8,3))
sd(8,3):Using r5 hash to sort names
VFS: Mounted root (reiserfs filesystem) readonly.
Freeing unused kernel memory: 2692k freed
PAX: warning, PCI BIOS might still be in use, keeping flat KERNEL_CS.
Adding Swap: 506036k swap-space (priority -1)
reiserfs: found format "3.6" with standard journal
reiserfs: using ordered data mode
reiserfs: checking transaction log (device sd(8,1)) ...
for (sd(8,1))
sd(8,1):Using r5 hash to sort names

The file appears to be accessible (please correct me if I'm wrong)
and lseek does fail, so I assume it may be exploitable. I have
seen no patches for the kernel at the time of this writing.

My question would be twofold for GrSec though.. If it can read
(as claimed) the root password from someone using SSH, I assume
/bin/su is also vulnerable. This may presumably mean that passwords
for the ACL system could be readable, which would completely kill
Grsec protection..

Any comments Brad? :) You're the guru here :P

Regards,
Dale.

> -----Original Message-----
> From: grsecurity-bounces at grsecurity.net 
> [mailto:grsecurity-bounces at grsecurity.net] On Behalf Of 
> Viktors Rotanovs
> Sent: Wednesday, August 04, 2004 10:24 AM
> To: grsecurity at grsecurity.net
> Subject: [grsec] Linux kernel file offset pointer races
> 
> 
> Hi,
> 
> just noticed new kernel exploit on BUGTRAQ 
> (http://isec.pl/vulnerabilities/isec-0016-procleaks.txt)
> As far as I can understand that thing is very difficult to 
> fix in every 
> possible place; does GrSecurity make it more difficult to exploit?
> 
> Best Wishes,
> Viktors
> 