On Tue, Mar 27, 2001 at 02:05:54PM +0200, Wojciech Purczynski wrote:
>
> Hi,
Hi,
> Here is exploit for ptrace/execve race condition bug in Linux kernels up
> to 2.2.18.
>
> It works even on openwall patched kernels (including broken fix in 2.2.18ow4)
> if you use address of BSS section in memory (use objdump -h /suid/binary
> to get .bss section address).
>
> It does not use brute-force! It does only one attempt; the parent process detects
> the exact moment of the context switch after the child goes to sleep in execve.
>
> If you have some problems, ensure that suid binary you want to sploit does
> not exist in disk cache.
>
> For more info read comments in the source code.
>
> It has been broken in two places.
<cut sample>
> It works with any suid binary.
I've tried this on several hosts, all with 2.2.18 (not all ow4) (RedHat 6.2 +
Slackware 7.1), and they gave me either the following result:
ptrace: PTRACE_ATTACH: Operation not permitted
Error!
Or:
[wouter@nivedita wouter]$ uname -a
Linux nivedita 2.2.18 #1 Tue Feb 13 20:26:05 CET 2001 i686 unknown
[wouter@nivedita wouter]$ objdump -h /bin/su | grep .bss
8 .rel.bss 00000030 08048ca8 08048ca8 00000ca8 2**2
21 .bss 000000d4 0804bf04 0804bf04 00002f04 2**2
[wouter@nivedita wouter]$ find / >/dev/null 2>&1;~/epcs /bin/su 0804bf04
Bug exploited successfully.
Password:
If I use, for example, 08048ca8, I'll get this:
[wouter@nivedita wouter]$ find / >/dev/null 2>&1;~/epcs /bin/su 08048ca8
Bug exploited successfully.
[wouter@nivedita wouter]$ id
uid=519(wouter) gid=519(wouter) groups=519(wouter)
> Cheers,
> wp
>
> +---------------------------------------------------------+
> | Wojciech Purczynski Linux Administrator |
> | [EMAIL PROTECTED] http://www.elzabsoft.pl/~wp |
> | +48604432981 http://www.elzabsoft.pl/~wp/gpg.asc |
> +---------------------------------------------------------+
--
Met vriendelijke groet/With kind regards,
Wouter de Jong
System-Administrator/Developer