Calum | 2 Dec 2003 11:06

The brk() overflow

Hello all,

Regarding the local kernel exploit that was used against the Debian servers 
recently, does anyone know if the gentoo-sources are already patched against 
this, as the patch has been out for a while, but isn't included in the stock 
kernel until 2.4.23.

Also, does anyone know if any of the grsec kernel patches will prevent this 
exploit?

-- 

The early bird may get the worm, but the second mouse gets the cheese.

jabber: jcalum <at> umtstrial.co.uk
pgp: http://gk.umtstrial.co.uk/~calum/keys.php

--
gentoo-security <at> gentoo.org mailing list

Thomas Preissler | 2 Dec 2003 11:28

Re: The brk() overflow


Hello Calum,

* Calum wrote on 02.12.2003:

> Hello all,
> 
> Regarding the local kernel exploit that was used against the Debian servers 
> recently, does anyone know if the gentoo-sources are already patched against 
> this, as the patch has been out for a while, but isn't included in the stock 
> kernel until 2.4.23.
> 
> Also, does anyone know if any of the grsec kernel patches will prevent this 
> exploit?

On full-disclosure there is a testing script:

http://lists.netsys.com/pipermail/full-disclosure/2003-December.txt.gz

Greets,
Tom
Calum | 2 Dec 2003 12:18

Re: The brk() overflow

On Tuesday 02 December 2003 10:28 am, Thomas Preissler wrote:

> On full-disclosure there is a testing script:
>
> http://lists.netsys.com/pipermail/full-disclosure/2003-December.txt.gz

Thanks for that.

However, I get this error when I try to compile it.
foo.asm:5: error: attempt to set a negative program origin

If I remove that line, it compiles, but doesn't do anything.
As I don't know assembler, I don't know how to fix it.

-- 

The early bird may get the worm, but the second mouse gets the cheese.

jabber: jcalum <at> umtstrial.co.uk
pgp: http://gk.umtstrial.co.uk/~calum/keys.php


Thomas Preissler | 2 Dec 2003 12:41

Re: The brk() overflow

Hello Calum,

* Calum wrote on 02.12.2003:

> On Tuesday 02 December 2003 10:28 am, Thomas Preissler wrote:
> 
> > On full-disclosure there is a testing script:
> >
> > http://lists.netsys.com/pipermail/full-disclosure/2003-December.txt.gz
> 
> Thanks for that.
> 
> However, I get this error when I try to compile it.
> foo.asm:5: error: attempt to set a negative program origin
> 
> If I remove that line, it compiles, but doesn't do anything.
> As I don't know assembler, I don't know how to fix it.

Erm, maybe your nasm version is wrong?

I have here the actual Gentoo with

$ nasm -v
NASM version 0.98.38 compiled on Oct 13 2003

and if I do

$ nasm brk_poc.asm

I'll get *no errors*. Check your environment please. It is working

Henti Smith | 2 Dec 2003 10:46

Re: The brk() overflow

On Tue, 2 Dec 2003 12:41:37 +0100
Thomas Preissler <tomjohn <at> gmx.de> wrote:

> $ nasm brk_poc.asm

works fine here as well

> $ nasm brk_poc.asm -o a.out
> $ ./a.out &
> $ cat /proc/`pidof a.out`/maps   # checking

and then after 15 seconds ... my machine reboots itself ;P 

-- 
Henti Smith
bain <at> tcsn.co.za
Senior Administrator
The Computer-Smith Networking
http://www.tcsn.co.za


Thomas Preissler | 2 Dec 2003 14:42

Re: The brk() overflow

Hello,

* Henti wrote on 12/02/03:

> On Tue, 2 Dec 2003 12:41:37 +0100
> Thomas Preissler <tomjohn <at> gmx.de> wrote:
> 
> > $ nasm brk_poc.asm
> 
> works fine here as well
> 
> > $ nasm brk_poc.asm -o a.out
> > $ ./a.out &
> > $ cat /proc/`pidof a.out`/maps   # checking
> 
> and then after 15 seconds ... my machine reboots itself ;P 

I am a native German-speaking person and I did not understand the
announcement clearly. Does it mean, when the computer reboots, that
it is exploitable?

I have tried it here in a 2.4.22-5um UMLbox (nearly the most actual
one). I couldn't try it on the host, there are some important
downloads...
But that box was *not* rebooting... I was wondering - the
announcement states that kernels <2.4.23 are exploitable.
On the other side - it could be that UML itself fixes it or it is
not possible.

Just wondering, but happy,

Thomas Preissler | 2 Dec 2003 15:35

Re: The brk() overflow

Hello Calum,

* Calum wrote on 02.12.2003:

> On Tuesday 02 December 2003 1:53 pm, you wrote:
> 
> > > I didn't get your .asm file. Did you attach it?
> >
> > Ooops, I forgot it.
> 
> Here is the one you sent me saved and nasm'd:
> bash-2.05b$ nasm tom_brk_poc.asm -o tom_brk_poc
> tom_brk_poc.asm:6: error: attempt to set a negative program origin
> 
> > Nope, you forgot it, too ;-))
> 
> Doh! I have attached it this time, but I don't think it will be different.

Ok, "emerge =dev-lang/nasm-0.98.36" is over. Look here:

[root <at> host:/tmp/expl]$ nasm brk_poc.asm 
brk_poc.asm:5: error: attempt to set a negative program origin

So, it is a nasm-0.98.36 issue, that program can't be compiled
properly. Upgrade to nasm-0.98.38, as I had.

I think, that's the solution, so I replied to the list.

Just updating nasm - oh it's over ;-))
Tom

Henti Smith | 2 Dec 2003 13:37

Re: The brk() overflow

On Tue, 2 Dec 2003 14:42:54 +0100
Thomas Preissler <tomjohn <at> gmx.de> wrote:

> > and then after 15 seconds ... my machine reboots itself ;P 
> 
> I am a native German speaking person and I did not understand the
> announcment clearly. Does it mean, when the computer reboots, that
> it is exploitable?

I don't know ... I'm not 100% sure what the exploit is supposed to do .. but when I ran the exploit .. my machine
rebooted automatically a few seconds after running the exploit.

> PS: It is no problem, but I got your mail twice from
>   henti <at> geekware.co.za 
>   bain <at> tcsn.co.za
> It does not bother me, but is this intended? If you want, I can send
> you both headers for examining the Received-lines... ;-))

hehe .. no .. my default mail addy is geekware .. but I'm subscribed with tcsn .. sometimes forget to switch
accounts when I send ;P 

-- 
Henti Smith
bain <at> tcsn.co.za
Senior Administrator
The Computer-Smith Networking
http://www.tcsn.co.za


Ryan Voots | 2 Dec 2003 16:01

Re: The brk() overflow

On Tue, 2 Dec 2003 14:37:12 +0200
"Henti Smith" <bain <at> tcsn.co.za> wrote:

> On Tue, 2 Dec 2003 14:42:54 +0100
> Thomas Preissler <tomjohn <at> gmx.de> wrote:
> 
> > > and then after 15 seconds ... my machine reboots itself ;P 
> > 
> > I am a native German speaking person and I did not understand the
> > announcment clearly. Does it mean, when the computer reboots, that
> > it is exploitable?
> 
> I don't know ... I'm not 100% sure what the exploit is supposed to do .. but when I ran the exploit .. my machine
> rebooted automatically a few seconds after running the exploit.

from the full disclosure it seems like the test forces a reboot on x86 machines, don't know about other archs 
-----
$ nasm brk_poc.asm -o a.out
$ chmod 755 a.out

$ uname -a
Linux test3 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1698
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860     /tmp/a.out
c0000000-c0003000 rwxp 00000000 00:00 0

(system reboots when the program exits)

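The maps output above is the actual tell-tale of the bug: a process has been handed a mapping starting at c0000000, which on a 32-bit x86 kernel with the default 3G/1G split is TASK_SIZE, the end of user space. The following script is an added example, not code from this thread or from the full-disclosure post; it parses /proc/<pid>/maps lines in that format and flags any mapping whose end address lies above TASK_SIZE, plus a first-pass check of whether a stock 2.4 release predates 2.4.23. It assumes the i386 TASK_SIZE value of 0xc0000000 (a different split or architecture needs a different limit), and the sample lines are the two quoted above plus one constructed ordinary text mapping. The version check is only a hint: as Calum noted, the patch was available before 2.4.23, and distribution kernels may carry it under an older version number.

```python
"""Flag user-space mappings that reach into kernel address space (added example)."""
import os
import re
import sys
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Assumption: 32-bit x86, default 3G/1G split, so user space ends at 0xc0000000.
TASK_SIZE_I386 = 0xC0000000

# Sample /proc/<pid>/maps lines: the two from the reboot test quoted in the thread,
# plus one constructed ordinary text mapping that the scanner must leave alone.
SAMPLE_MAPS = [
    "08048000-08049000 r-xp 00000000 03:03 12345      /tmp/a.out",  # constructed
    "bffff000-c0000000 rwxp 00000000 03:03 376860     /tmp/a.out",  # from the thread
    "c0000000-c0003000 rwxp 00000000 00:00 0",                      # from the thread
]

# Field layout of a maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str


def parse_maps_line(line: str) -> Optional[Mapping]:
    """Parse one maps line; return None for anything that is not in that format."""
    m = _MAPS_RE.match(line.strip())
    if m is None:
        return None
    return Mapping(int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(7).strip())


def mappings_beyond_task_size(lines: Iterable[str], task_size: int = TASK_SIZE_I386) -> List[Mapping]:
    """Mappings whose [start, end) range extends above the user-space limit.
    A range ending exactly at task_size is still entirely in user space."""
    return [mp for mp in map(parse_maps_line, lines) if mp is not None and mp.end > task_size]


def kernel_release_tuple(release: str) -> Tuple[int, int, int]:
    """'2.4.22-10mdk' -> (2, 4, 22); the distribution suffix is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", release)
    if m is None:
        raise ValueError(f"unparseable kernel release: {release!r}")
    a, b, c = (int(x) for x in m.groups())
    return (a, b, c)


def stock_24_kernel_lacks_fix(release: str) -> bool:
    """True for a 2.4 release older than 2.4.23, the first stock 2.4 kernel with the
    do_brk() fix. Vendors backported the patch, so True means 'check the changelog'."""
    ver = kernel_release_tuple(release)
    return ver[:2] == (2, 4) and ver < (2, 4, 23)


def scan_proc(task_size: int = TASK_SIZE_I386) -> List[Tuple[int, Mapping]]:
    """Walk /proc/<pid>/maps for every readable process (Linux only)."""
    findings: List[Tuple[int, Mapping]] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/maps") as fh:
                for mp in mappings_beyond_task_size(fh, task_size):
                    findings.append((int(name), mp))
        except OSError:  # process exited, or maps not readable with our privileges
            continue
    return findings


if __name__ == "__main__":
    for mp in mappings_beyond_task_size(SAMPLE_MAPS):
        print(f"sample: {mp.start:08x}-{mp.end:08x} {mp.perms} {mp.path or '[anon]'} crosses TASK_SIZE")
    print("2.4.22-10mdk predates 2.4.23:", stock_24_kernel_lacks_fix("2.4.22-10mdk"))
    if "--scan" in sys.argv:  # live check of this machine's processes
        for pid, mp in scan_proc():
            print(f"pid {pid}: {mp.start:08x}-{mp.end:08x} {mp.perms} {mp.path or '[anon]'}")
```

Run as-is it reports the c0000000-c0003000 mapping from the sample and notes that 2.4.22 predates the stock fix; with `--scan` it walks the live /proc tree, which only makes sense on a 32-bit x86 box with the default split.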

Mark Guertin | 2 Dec 2003 16:35

Re: The brk() overflow

Yep.  It is an x86 thing, and not for other arches.  I was unable to 
compile on a ppc machine as well.  Also there is no nasm for ppc (we 
use as).  This is likely what Calum ran into here (provided he still 
uses ppc ;)

Mark

On Dec 2, 2003, at 10:01 AM, Ryan Voots wrote:

>
> from the full disclosure it seems like the test forces a reboot on x86 
> machines, don't know about other archs


