[19901] in bugtraq
Re: ptrace/execve race condition exploit (non brute-force)
daemon@ATHENA.MIT.EDU (Mariusz Woloszyn)
Wed Mar 28 03:38:13 2001
Message-ID: <Pine.LNX.4.04.10103280129160.455-200000@dzyngiel.ipartners.pl>
Date: Wed, 28 Mar 2001 01:32:15 +0200
Reply-To: Mariusz Woloszyn <emsi@IPARTNERS.PL>
From: Mariusz Woloszyn <emsi@IPARTNERS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
On Tue, 27 Mar 2001, Wojciech Purczynski wrote:
>
> Hi,
>
> Here is an exploit for the ptrace/execve race condition bug in Linux kernels up
> to 2.2.18.
>
Hi!
I've seen a tool that works better than this, using a different approach to
the same bug; it exploits it on all platforms giving instant root without the
need to cat garbage files to clear the disk cache!!!
Anyway: here is a fast way to fix the problem (but it introduces a new one), a
kernel module that disables the ptrace syscall.
It works for 2.0 and 2.2 kernels (I didn't test it under 2.4).
All you need to do is:
emsi:~# gcc -c npt.c
emsi:~# insmod ./npt.o
And here is how it works:
[before installing module]
emsi:~/hack/ptrace> ./a.out /sbin/powerd
[*] Child exec...
[+] Waiting for disk sleep.... dunno why but that printf helps sometimes ;)
[OK]
[+] ATTACH: 0 : Success
[+] eip: 0x1109d0 -> 0x805a41b
[+] copy data from 0x805a3e0 to 0xbffff100
[...............]
[?] DETACH: 0 : Success
Status of 5342: R
bash#
[installing module]
bash# /sbin/insmod ./npt.o
bash# exit
emsi:~/hack/ptrace> ./a.out /sbin/reboot
[*] Child exec...
[+] Waiting for disk sleep.... dunno why but that printf helps sometimes ;)
[OK]
[--] ATTACH: Operation not permitted <==== see this
Exiting...
emsi:~/hack/ptrace> Unknown id: ELF
It removes the possibility to trace processes, but gives an instant shield
against hackers.
greets: nergal, Lam3rZ, teso brothers, nises, hert and others :)
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
[attachment: npt.c]
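As an added example (not the npt.c attached to the message, and not the author's code), here is a small userland probe that performs the check the transcript above relies on: fork a child, attempt PTRACE_ATTACH on it, and report whether the kernel allowed the attach or refused it with EPERM, which is the "ATTACH: Operation not permitted" line shown after the module is loaded. It assumes Linux with glibc; the function name ptrace_attach_allowed and the PROBE_* result codes are this example's own.

```c
/* ptrace_probe.c: added example, not the npt.c attached to the original message.
 * Reports whether the running kernel lets a process PTRACE_ATTACH to one of its
 * own children. With a module such as npt loaded, the attach fails with EPERM. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes of one attach attempt (names chosen for this example). */
enum probe_result { PROBE_BLOCKED = 0, PROBE_ALLOWED = 1, PROBE_ERROR = -1 };

/* Fork an idle child, try PTRACE_ATTACH on it, then detach and kill it.
 * Returns PROBE_ALLOWED if the attach succeeded, PROBE_BLOCKED if the kernel
 * refused it with EPERM (the behaviour the transcript shows after insmod),
 * PROBE_ERROR for any other failure (errno is preserved in that case). */
int ptrace_attach_allowed(void)
{
    pid_t child = fork();
    if (child < 0)
        return PROBE_ERROR;

    if (child == 0) {
        /* Child: do nothing until the parent kills us. */
        for (;;)
            pause();
    }

    int result;
    int saved_errno = 0;
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
        int status;
        /* PTRACE_ATTACH sends SIGSTOP; wait until the child is in ptrace-stop
         * before detaching, otherwise PTRACE_DETACH fails with ESRCH. */
        if (waitpid(child, &status, 0) == child && WIFSTOPPED(status))
            ptrace(PTRACE_DETACH, child, NULL, NULL);
        result = PROBE_ALLOWED;
    } else if (errno == EPERM) {
        result = PROBE_BLOCKED;
    } else {
        saved_errno = errno;
        result = PROBE_ERROR;
    }

    /* Clean up the helper child regardless of outcome. */
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    if (result == PROBE_ERROR)
        errno = saved_errno;
    return result;
}

int main(void)
{
    switch (ptrace_attach_allowed()) {
    case PROBE_ALLOWED:
        puts("ptrace attach to own child: allowed");
        break;
    case PROBE_BLOCKED:
        puts("ptrace attach to own child: blocked (EPERM)");
        break;
    default:
        printf("probe failed: %s\n", strerror(errno));
        break;
    }
    return 0;
}
```

Run it once before and once after loading the module: the first run should report "allowed", the second "blocked (EPERM)". On current kernels the same "blocked" result can also come from other ptrace restrictions (a restrictive Yama ptrace_scope, a seccomp filter, or a container without CAP_SYS_PTRACE), so the probe tells you that tracing is denied, not why.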