From man prctl(2):
prctl() is called with a first argument describing what to do (with values defined in <linux/prctl.h>), and further parameters with a significance depending on the first one.
There is a bug/feature in sys_prctl() in kernel/sys.c by exploiting which a process can be forced to dump its core into directories that should not be writable by that process.
Original Advisory: http://rhn.redhat.com/errata/RHSA-2006-0574.html
This vulnerability is fixed in the following patch:
http://www.kernel.org/diff/diffview.cgi?file=%2Fpub%2Flinux%2Fkernel%2Fv2.6%2Fincr%2Fpatch-2.6.17.3-4.bz2;z=2
The following hotfix of mine should prevent exploitation of the above-mentioned vulnerability by the publicly known techniques.
Hotfix: http://www.freeshell.in/~abhisek/linux_prctl_lkm.tar.gz
Some dmesg output while playing around with this hotfix:
neo@compaq blog $ dmesg | tail -n 11
Loading sys_prctl hotifx
sys_call_table: 0xc0453780
Unloading sys_prctl hotfix
Loading sys_prctl hotifx
sys_call_table: 0xc0453780
Denied possible exploitation attempt [uid=1000 gid=100 pid=13805]
Unloading sys_prctl hotfix
Loading sys_prctl hotifx
sys_call_table: 0xc0453780
Denied possible exploitation attempt [uid=1000 gid=100 pid=14008]
Unloading sys_prctl hotfix
neo@compaq blog $
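The upstream fix referenced above narrows the argument range that PR_SET_DUMPABLE accepts (value 2 is no longer allowed), which is also what a filtering hotfix has to enforce. The following is an added example, not the author's hotfix LKM and not the PoC linked below: it models that range check in userspace, produces a denial line in the same format as the dmesg output, and probes the running kernel to see whether it already rejects PR_SET_DUMPABLE=2. The function names model_prctl_filter, format_denial and kernel_rejects_dumpable_2 are my own.

```c
/* Added example (not the hotfix or PoC from the post): a userspace model of
 * the PR_SET_DUMPABLE range check plus a probe of the running kernel. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* prctl option values as defined in <linux/prctl.h>; redefined here so the
 * model part also compiles on non-Linux hosts. */
#define MODEL_PR_GET_DUMPABLE 3
#define MODEL_PR_SET_DUMPABLE 4

/* Model of the range check in sys_prctl(): before the fix the check accepted
 * 0, 1 and 2; the patched kernel only accepts 0 (never dump core) and
 * 1 (dump normally).  Returns 0 if the call would be allowed, -EINVAL if a
 * filtering module should deny it. */
int model_prctl_filter(int option, long arg2)
{
    if (option != MODEL_PR_SET_DUMPABLE)
        return 0;               /* this model only filters PR_SET_DUMPABLE */
    if (arg2 < 0 || arg2 > 1)
        return -EINVAL;
    return 0;
}

/* Build the log line a filtering module would emit on a denied call, in the
 * format of the dmesg output above.  buf is caller supplied and returned. */
const char *format_denial(char *buf, size_t len, unsigned uid, unsigned gid, int pid)
{
    snprintf(buf, len, "Denied possible exploitation attempt [uid=%u gid=%u pid=%d]",
             uid, gid, pid);
    return buf;
}

/* Probe the running kernel: a patched kernel answers prctl(PR_SET_DUMPABLE, 2)
 * with EINVAL and leaves the dumpable flag untouched.  Returns 1 if the kernel
 * rejects value 2 (fix present), 0 if it accepts it (fix absent, flag is
 * restored), -1 if the probe could not be run (non-Linux host, or the call
 * failed for an unrelated reason such as a seccomp filter). */
int kernel_rejects_dumpable_2(void)
{
#ifdef __linux__
    int before = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    int rc = prctl(PR_SET_DUMPABLE, 2, 0, 0, 0);
    if (rc == -1)
        return errno == EINVAL ? 1 : -1;
    /* The call was accepted: put the previous state back and report it. */
    if (before >= 0)
        prctl(PR_SET_DUMPABLE, before, 0, 0, 0);
    return 0;
#else
    return -1;
#endif
}

int main(void)
{
    char line[128];
    printf("model: PR_SET_DUMPABLE 1 -> %d, PR_SET_DUMPABLE 2 -> %d\n",
           model_prctl_filter(MODEL_PR_SET_DUMPABLE, 1),
           model_prctl_filter(MODEL_PR_SET_DUMPABLE, 2));
    /* uid/gid/pid values below are taken from the dmesg output above */
    printf("%s\n", format_denial(line, sizeof line, 1000, 100, 13805));
    switch (kernel_rejects_dumpable_2()) {
    case 1:  puts("running kernel rejects PR_SET_DUMPABLE=2 (fix present)"); break;
    case 0:  puts("running kernel accepts PR_SET_DUMPABLE=2 (fix absent)"); break;
    default: puts("probe not available on this host"); break;
    }
    return 0;
}
```

The probe is safe to run on a production box: on a patched kernel the call fails before any state changes, and on an unpatched one the previous dumpable value is restored immediately, so it serves as a quick check that the patch (or an equivalent filter) is actually in effect.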
Alright, another nice Linux kernel bug got fixed. Kudos to the RedHat Security Team guys for finding such a subtle bug/feature in the heart of the Linux kernel.
Initially a lot of people doubted whether this bug was actually exploitable, even after Paul Starzetz confirmed (and made fun of) the bug and the ease of its exploitation.
Since I am documenting it for some unknown reason, I should state clearly for the poor people out there: THIS BUG _IS_ EXPLOITABLE FOR LOCAL PRIVILEGE ESCALATION, and rm -rf /& is quite possible in this case.
Those who believe in ``seeing is believing'' can take a look at:
http://www.freeshell.in/~abhisek/rs_prctl_kernel.c
and dotslash their way to some fun.
References:
http://www.kernel.org/diff/diffview.cgi?file=%2Fpub%2Flinux%2Fkernel%2Fv2.6%2Fincr%2Fpatch-2.6.17.3-4.bz2;z=2
http://www.securityfocus.com/bid/18874
posted at: 23:31