[33917] in bugtraq
Re: Hotfix for new mremap vulnerability
daemon@ATHENA.MIT.EDU (Marc-Christian Petersen)
Mon Feb 23 18:15:35 2004
From: Marc-Christian Petersen <m.c.p@gmx.net>
To: bugtraq@securityfocus.com
Date: Sat, 21 Feb 2004 04:14:54 +0100
Cc: Pavel harry_x =?iso-8859-2?q?Pal=E1t?= <harry_x@babylon5.cz>
In-Reply-To: <Pine.LNX.4.58.0402191712480.2090@orodruina.lan>
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200402210227.16522@WOLK>
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 8bit
On Thursday 19 February 2004 17:32, Pavel harry_x Palát wrote:
Hi Pavel,
> Greetings,
>
> Here (http://wizard.ath.cx/fixmremap2.tar.gz) is small hotfix for newly
> discovered mremap() vulnerability. It
> doesn't directly change do_mremap() code, it just overwrites syscall
> handler with LKM. In my opinion it is enough to fix just mremap() syscall
> because at least on x86 there are no other functions which would use
> do_mremap directly. But this may not be true on others platforms (for
> example ia64)...
> The package contains the hotfix and a small proof of concept program which
> can be used to see if kernel is vulnerable.
> Use at your own risk.
- call the POC exploit on a vulnerable system
- echo "1000000" > /proc/sys/vm/max_map_count
- call the POC exploit again
- see the difference
Well, at least it prevents the POC exploit, maybe there's more though.
Kudos to the PaX team :)
--
ciao, Marc
