Re: Linux kernel ELF core dump privilege elevation

To: Bruno Lustosa <bruno.lists@xxxxxxxxx>
Subject: Re: Linux kernel ELF core dump privilege elevation
From: codeQ <newsclient@xxxxxxxxxx>
Date: Thu, 12 May 2005 19:52:53 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <b9e0c3fe050511123454aa2ada@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: TeamQ
References: <Pine.LNX.4.44.0505101615410.1618-100000@xxxxxxx> <b9e0c3fe050511123454aa2ada@xxxxxxxxxxxxxx>

I wasn't able to make it work either, getting exactly the same output
(without GCC's warnings). I'm on a Debian 2.6.11-7 kernel. I just tested
but really didn't even look what it failed, not even gdb'ed the core.

If someone notices what's wrong on the POC please, let me know.

Thanks,
Pablo Fernandez

--- Begin Message ---

To: bugtraq@xxxxxxxxxxxxxxxxx

Subject: Re: Linux kernel ELF core dump privilege elevation

From: Bruno Lustosa <bruno.lists@xxxxxxxxx>

Date: Wed, 11 May 2005 16:34:58 -0300

Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=PniZvZ8k2IiY//WW06LhDcBVqGStVXtMnaYjbPFsLZJQEII7qeVbOlBe4pzPxuOc0ZdIMrqYxpUUxI205Gl5FavcaAnayuQy5852K01/7XTgYCoZ63oFE4ihDX5n0WHHsNypLdy+XZpUnBSP1gxPnsT+GoJ376KlgXQbdwquxkY=

In-reply-to: <Pine.LNX.4.44.0505101615410.1618-100000@xxxxxxx>

List-help: <mailto:bugtraq-help@securityfocus.com>

List-id: <bugtraq.list-id.securityfocus.com>

List-post: <mailto:bugtraq@securityfocus.com>

List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>

List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>

Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

References: <Pine.LNX.4.44.0505101615410.1618-100000@xxxxxxx>

Reply-to: Bruno Lustosa <bruno.lists@xxxxxxxxx>
On 5/11/05, Paul Starzetz <ihaquer@xxxxxxx> wrote:
> since it became clear from the discussion in January about the uselib()
> vulnerability, that the Linux community prefers full, non-embargoed
> disclosure of kernel bugs, I release full details right now. However to
> follows at least some of the responsable disclosure rules, no exploit code 
> will be
> released. Instead, only a proof-of-concept code is released to demonstrate
> the vulnerability.

Paul, I was unable to make it work on my amd64.
Running Gentoo on kernel 2.6.11.
This was the output:

[+] Compiling...elfcd1.c: In function `main':
elfcd1.c:48: warning: implicit declaration of function `strlen'
elfcd1.c:54: warning: implicit declaration of function `memset'
elfcd1.c:60: warning: implicit declaration of function `strcmp'
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld:
warning: i386:x86-64 architecture of input file `/tmp/ccSCdKeo.o' is
incompatible with i386 output

[+] ./elfcd1 argv_start=0x7ffffffff451 argv_end=0x7ffffffff459  ESP: 0xfffff0e0
[+] phase 1
[+] AAAA argv_start=0x7fffffff6fea argv_end=0x7fffffff6fee  ESP: 0xffff6de0
[+] phase 2, <RET> to crash Segmentation fault (core dumped)

-- 
Bruno Lustosa, aka Lofofora          | Email: bruno@xxxxxxxxxxx
Network Administrator/Web Programmer | ICQ: 1406477
Rio de Janeiro - Brazil              |
--- End Message ---

References:
- Linux kernel ELF core dump privilege elevation
  - From: Paul Starzetz
- Re: Linux kernel ELF core dump privilege elevation
  - From: Bruno Lustosa

Prev by Date: OpenBB SQL Injection & Cross-site Scripting Vulnerability
Next by Date: Yahoo! Messenger URL Handler Remote DoS Vulnerability
Previous by thread: Re: Linux kernel ELF core dump privilege elevation
Next by thread: Re: Linux kernel ELF core dump privilege elevation
Index(es):
- Date
- Thread