[19889] in bugtraq
Re: ptrace/execve race condition exploit (non brute-force)
daemon@ATHENA.MIT.EDU (Wouter de Jong)
Wed Mar 28 00:59:45 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20010327203749.A3131@widexs.nl>
Date: Tue, 27 Mar 2001 20:37:49 +0200
Reply-To: Wouter de Jong <wouter@WIDEXS.NL>
From: Wouter de Jong <wouter@WIDEXS.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.30.0103271358190.31983-200000@alfa.elzabsoft.pl>;
from wp@ELZABSOFT.PL on Tue, Mar 27, 2001 at 02:05:54PM +0200
On Tue, Mar 27, 2001 at 02:05:54PM +0200, Wojciech Purczynski wrote:
>
> Hi,
Hi,
> Here is exploit for ptrace/execve race condition bug in Linux kernels up
> to 2.2.18.
>
> It works even on openwall patched kernels (including broken fix in 2.2.18ow4)
> if you use address of BSS section in memory (use objdump -h /suid/binary
> to get .bss section address).
>
> It does not use brute-force! It does only one attempt, parent process detects
> exact moment of context-switch after child goes sleep in execve.
>
> If you have some problems, ensure that suid binary you want to sploit does
> not exist in disk cache.
>
> For more info read comments in the source code.
>
> It has been broken in two places.
<cut sample>
> It works with any suid binary.
I've tried this on several hosts, all with 2.2.18 (not all ow4) (RedHat 6.2 + Slackware 7.1), and they gave me
either the following result:
ptrace: PTRACE_ATTACH: Operation not permitted
Error!
Or :
[wouter@nivedita wouter]$ uname -a
Linux nivedita 2.2.18 #1 Tue Feb 13 20:26:05 CET 2001 i686 unknown
[wouter@nivedita wouter]$ objdump -h /bin/su | grep .bss
8 .rel.bss 00000030 08048ca8 08048ca8 00000ca8 2**2
21 .bss 000000d4 0804bf04 0804bf04 00002f04 2**2
[wouter@nivedita wouter]$ find / >/dev/null 2>&1;~/epcs /bin/su 0804bf04
Bug exploited successfully.
Password:
If I use for example : 08048ca8, I'll get this :
[wouter@nivedita wouter]$ find / >/dev/null 2>&1;~/epcs /bin/su 08048ca8
Bug exploited successfully.
[wouter@nivedita wouter]$ id
uid=519(wouter) gid=519(wouter) groups=519(wouter)
> Cheers,
> wp
>
> +---------------------------------------------------------+
> | Wojciech Purczynski Linux Administrator |
> | wp@elzabsoft.pl http://www.elzabsoft.pl/~wp |
> | +48604432981 http://www.elzabsoft.pl/~wp/gpg.asc |
> +---------------------------------------------------------+
--
Met vriendelijke groet/With kind regards,
Wouter de Jong
System-Administrator/Developer
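Editor's note: the step the exploit author describes, taking the .bss address from `objdump -h`, is easy to get wrong, and the `grep .bss` in the transcript above shows why: it matches `.rel.bss` as well as `.bss`, and the two runs differ exactly by which of the two addresses was passed. The following is an added example, not code from either poster, that finds a section by its exact name from the ELF section-header table and insists that `.bss` be SHT_NOBITS. It handles little-endian ELF32 and ELF64 only. The sample image it parses is constructed inline and is not /bin/su; only the two addresses and sizes are copied from the objdump lines above.

```c
/* Added example, not code from the original post: locate a section of an
 * ELF image by exact name, the number the post says to read off `objdump -h`.
 * Little-endian ELF32 and ELF64 only. The sample image below is constructed
 * here; its addresses are the ones in the objdump output above, not /bin/su. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHT_STRTAB_T 3
#define SHT_NOBITS_T 8
#define SHT_REL_T    9

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

struct sec { uint32_t name, type; uint64_t addr, off, size; };

/* Read section header i with bounds checks; returns 0 on a malformed image. */
static int read_shdr(const uint8_t *img, size_t len, int is64, unsigned i, struct sec *s) {
    uint64_t shoff = is64 ? rd64(img + 40) : rd32(img + 32);
    uint16_t entsz = rd16(img + (is64 ? 58 : 46));
    if (entsz < (is64 ? 64 : 40) || shoff > len || (uint64_t)(i + 1) * entsz > len - shoff)
        return 0;
    const uint8_t *h = img + shoff + (uint64_t)i * entsz;
    s->name = rd32(h);
    s->type = rd32(h + 4);
    s->addr = is64 ? rd64(h + 16) : rd32(h + 12);
    s->off  = is64 ? rd64(h + 24) : rd32(h + 16);
    s->size = is64 ? rd64(h + 32) : rd32(h + 20);
    return 1;
}

/* Find the section whose full name equals `name` (strcmp, so ".bss" does not
 * also match ".rel.bss" the way `grep .bss` did). Returns 1 and fills *out on
 * success, 0 if absent or the image is truncated or inconsistent. */
int elf_find_section(const uint8_t *img, size_t len, const char *name, struct sec *out) {
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1) return 0;
    int is64 = img[4] == 2;
    if ((!is64 && img[4] != 1) || (is64 && len < 64)) return 0;
    uint16_t shnum = rd16(img + (is64 ? 60 : 48));
    uint16_t shstrndx = rd16(img + (is64 ? 62 : 50));
    struct sec strtab;
    if (shstrndx >= shnum || !read_shdr(img, len, is64, shstrndx, &strtab)) return 0;
    if (strtab.type != SHT_STRTAB_T || strtab.off > len || strtab.size > len - strtab.off) return 0;
    const char *str = (const char *)img + strtab.off;
    for (unsigned i = 0; i < shnum; i++) {
        struct sec s;
        if (!read_shdr(img, len, is64, i, &s)) return 0;
        if (s.name >= strtab.size) return 0;
        /* the name must be NUL-terminated inside the string table before strcmp */
        if (!memchr(str + s.name, 0, strtab.size - s.name)) return 0;
        if (strcmp(str + s.name, name) == 0) { *out = s; return 1; }
    }
    return 0;
}

/* The address the exploit wants: .bss, which must be SHT_NOBITS. 0 if absent. */
uint64_t elf_bss_addr(const uint8_t *img, size_t len) {
    struct sec s;
    if (!elf_find_section(img, len, ".bss", &s) || s.type != SHT_NOBITS_T) return 0;
    return s.addr;
}

#define SAMPLE_LEN 240
static void put_shdr32(uint8_t *h, uint32_t name, uint32_t type, uint32_t addr, uint32_t off, uint32_t size) {
    wr32(h, name); wr32(h + 4, type); wr32(h + 12, addr); wr32(h + 16, off); wr32(h + 20, size);
}
/* Constructed sample: an ELF32 shell with just a string table and the two
 * sections from the post's `objdump -h /bin/su | grep .bss` output. */
void build_sample_elf32(uint8_t *img) {
    memset(img, 0, SAMPLE_LEN);
    memcpy(img, "\x7f" "ELF\x01\x01\x01", 7);          /* ELFCLASS32, LSB, version 1 */
    wr16(img + 16, 2); wr16(img + 18, 3);                /* ET_EXEC, EM_386 */
    wr32(img + 32, 80);                                  /* e_shoff */
    wr16(img + 40, 52); wr16(img + 46, 40);              /* e_ehsize, e_shentsize */
    wr16(img + 48, 4); wr16(img + 50, 3);                /* e_shnum, e_shstrndx */
    memcpy(img + 52, "\0.rel.bss\0.bss\0.shstrtab", 25); /* .shstrtab at file offset 52 */
    put_shdr32(img + 80 + 40,  1,  SHT_REL_T,    0x08048ca8, 0x0ca8, 0x30);
    put_shdr32(img + 80 + 80,  10, SHT_NOBITS_T, 0x0804bf04, 0x2f04, 0xd4);
    put_shdr32(img + 80 + 120, 15, SHT_STRTAB_T, 0,          52,     25);
}

/* Build the sample and look `name` up in its first `len` bytes; 0 if absent
 * (pass len < SAMPLE_LEN to see the truncation check refuse the image). */
uint64_t sample_section_addr(const char *name, size_t len) {
    uint8_t img[SAMPLE_LEN];
    struct sec s;
    build_sample_elf32(img);
    return elf_find_section(img, len, name, &s) ? s.addr : 0;
}

int main(void) {
    uint8_t img[SAMPLE_LEN];
    build_sample_elf32(img);
    printf(".bss at 0x%08llx\n", (unsigned long long)elf_bss_addr(img, SAMPLE_LEN));
    return 0;
}
```

On the sample this prints `.bss at 0x0804bf04`, the address that produced the working run above, while a lookup of `.rel.bss` yields `0x08048ca8`, the one that printed "Bug exploited successfully." and then left the shell unprivileged. To use it on a real binary, read the file into a buffer and call `elf_bss_addr` on it; every offset is bounds-checked against the buffer length, so a truncated or hand-edited ELF returns 0 rather than reading past the end.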