PLanET ABhisEK

Wed, 12 Jul 2006 23:31:00 IST

LINUX SYS_PRCTL BUG/BACKDOOR/FEATURE FUN

From man prctl(2):
prctl() is called with a first argument describing what to do (with values defined in <linux/prctl.h>),
and further parameters with a significance depending on the first one.

There is a bug/feature in sys_prctl() (kernel/sys.c): by exploiting it, a process can be made to dump
its core into directories that should not be writable by that process.

Original Advisory: http://rhn.redhat.com/errata/RHSA-2006-0574.html

This vulnerability is fixed in the following patch:
http://www.kernel.org/diff/diffview.cgi?file=%2Fpub%2Flinux%2Fkernel%2Fv2.6%2Fincr%2Fpatch-2.6.17.3-4.bz2;z=2

The following hotfix of mine should prevent exploitation of the above-mentioned vulnerability by the publicly known techniques.

Hotfix: http://www.freeshell.in/~abhisek/linux_prctl_lkm.tar.gz

Some dmesg output from playing around with this hotfix:

neo@compaq blog $ dmesg | tail -n 11
Loading sys_prctl hotifx
sys_call_table: 0xc0453780
Unloading sys_prctl hotfix
Loading sys_prctl hotifx
sys_call_table: 0xc0453780
Denied possible exploitation attempt [uid=1000 gid=100 pid=13805]
Unloading sys_prctl hotfix
Loading sys_prctl hotifx
sys_call_table: 0xc0453780
Denied possible exploitation attempt [uid=1000 gid=100 pid=14008]
Unloading sys_prctl hotfix
neo@compaq blog $
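As an added example (it is neither the hotfix's code nor the program linked below), the following C program checks from user space whether a kernel still accepts the prctl() dumpable mode that the 2.6.17.4 patch rejects, and models the allow/deny decision and the dmesg line the hotfix produces. The decision rule is an assumption derived from the upstream fix, not taken from the hotfix itself.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#else
#define PR_SET_DUMPABLE 4                     /* value from <linux/prctl.h> */
#endif
enum { PROBE_UNKNOWN = -1, PROBE_FIXED = 0, PROBE_VULNERABLE = 1 };

/* Ask the kernel for the dumpable mode that the 2.6.17.4 patch stopped
 * accepting from user space: a fixed kernel answers -EINVAL, an unfixed one
 * returns 0.  Nothing is dumped, and the setting is reverted immediately. */
int probe_prctl_dumpable(void)
{
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 2, 0, 0, 0) == 0) {
        prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);   /* restore the normal mode */
        return PROBE_VULNERABLE;
    }
    return PROBE_FIXED;
#else
    return PROBE_UNKNOWN;
#endif
}

/* User-space model (an assumption, not the hotfix's own code) of the filter a
 * sys_prctl() wrapper applies before passing the call through: only the
 * out-of-range dumpable value is refused, as in the upstream fix, so other
 * options and the values 0 and 1 still reach the real syscall.  1 = deny. */
int hotfix_should_deny(int option, unsigned long arg2)
{
    return option == PR_SET_DUMPABLE && arg2 > 1;
}

/* The line the hotfix prints to dmesg for a blocked call (static buffer). */
const char *denial_line(unsigned uid, unsigned gid, int pid)
{
    static char buf[96];
    snprintf(buf, sizeof buf, "Denied possible exploitation attempt "
             "[uid=%u gid=%u pid=%d]", uid, gid, pid);
    return buf;
}
int main(void)
{
    int r = probe_prctl_dumpable();
    printf("PR_SET_DUMPABLE=2: %s\n", r == PROBE_FIXED ? "rejected (fixed kernel)"
           : r == PROBE_VULNERABLE ? "accepted (unfixed kernel)" : "unknown (not Linux)");
    if (hotfix_should_deny(PR_SET_DUMPABLE, 2)) puts(denial_line(getuid(), getgid(), getpid()));
    return 0;
}
```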

Alright, another nice Linux kernel bug got fixed. Kudos to the RedHat Security Team guys for finding such a subtle bug/feature in the heart of the Linux kernel.

Initially a lot of people doubted whether this bug was actually exploitable, even after Paul Starzetz confirmed (and made fun of) the bug and its ease of exploitation.

Since I am documenting it for some unknown reason, I should mention clearly, for the poor people out there, that THIS BUG _IS_ EXPLOITABLE FOR LOCAL PRIVILEGE ESCALATION and rm -rf /& is quite possible in this case.

Those who believe in ``seeing is believing'' can take a look at: http://www.freeshell.in/~abhisek/rs_prctl_kernel.c and dot-slash their way to some fun.

References:
http://www.kernel.org/diff/diffview.cgi?file=%2Fpub%2Flinux%2Fkernel%2Fv2.6%2Fincr%2Fpatch-2.6.17.3-4.bz2;z=2
http://www.securityfocus.com/bid/18874
