[33023] in bugtraq
RE: Linux kernel do_mremap() proof-of-concept exploit code
daemon@ATHENA.MIT.EDU (tlarholm@pivx.com)
Tue Jan 6 15:09:38 2004
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Date: Tue, 6 Jan 2004 10:08:10 -0800
Message-ID: <8B32EDC90D8F4E4AB40918883281874D273CC9@pivxwin2k1.secnet.pivx.com>
From: <tlarholm@pivx.com>
To: <bruno@lustosa.net>, <bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit
> From: Bruno Lustosa [mailto:bruno@lustosa.net]
> Tested it under Linux 2.6.1-rc1, and surprisingly,
> the machine rebooted instantly. Isn't the mremap
> bug supposed to be fixed on the 2.6 series?
It is, but not in 2.6.1-rc1.
From http://isec.pl/vulnerabilities/isec-0013-mremap.txt:
"Version: 2.2, 2.4 and 2.6 series"
"The exploitability of the discovered vulnerability is possible,
although not a trivial one. We have identified at least two different
attack vectors for the 2.4 kernel series."
And from
http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.1-rc2
"<torvalds@home.osdl.org>
Don't allow mremap of zero-sized areas."
The do_mremap() vulnerability is fixed in the 2.6 kernel only in
2.6.1-rc2, where as you tested on 2.6.1-rc1.
The latest version of the 2.2 kernel is 2.2.25, but there was no
immediate changelog available. However, it was created on January 3 so I
suspect it would have the patch?
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
949-231-8496
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>
