Local root in expand_stack()?

PostPosted: Thu Jan 11, 2007 5:09 pm
by grsecuser
http://www.digitalarmaments.com/pre2007-00018659.html just got sent to bugtraq. Anyone got an exploit? ;)

PostPosted: Thu Jan 11, 2007 10:05 pm
by ralphy
There's supposedly a remote vulnerability as well.

>> 01.08.2007: Linux Grsecurity Remote Vulnerability available to the Platinum Customers. http://www.digitalarmaments.com/news_news.shtml#

PostPosted: Fri Jan 12, 2007 6:23 am
by Jason
Hi,

is there any update today on this?

Jason

Re: Local root in expand_stack()?

PostPosted: Fri Jan 12, 2007 7:23 am
by Oscon
grsecuser wrote: http://www.digitalarmaments.com/pre2007-00018659.html just got sent to bugtraq. Anyone got an exploit? ;)


Have you got 80.000 USD? :wink:

D.A Platinum subscr. :roll:

"exploit available only to Platinum Subscriptors" :wink:

"The annual Platinum Subscription fee is 80,000 $ (US Dollars)" :oops:

PostPosted: Sat Jan 20, 2007 12:43 pm
by tosh

PostPosted: Sat Jan 20, 2007 1:09 pm
by ralphy
/* PaX MPROTECT refuses a writable+executable mapping unless the
   restriction is turned off for this binary (chpax -m). */
if( mprotect( (void *) MAP1_BASE, PAGE_SIZE,
              PROT_READ | PROT_WRITE | PROT_EXEC ) < 0 )
{
    perror( "mprotect map1 base" );
    fprintf( stderr, "run chpax -m on this executable\n" );
    return( 1 );
}

$ ls -al /sbin/chpax
-rwx--x--- 1 root root 14344 Aug 1 10:50 /sbin/chpax
$

PostPosted: Sat Jan 20, 2007 2:37 pm
by aldee
ralphy wrote: $ ls -al /sbin/chpax
-rwx--x--- 1 root root 14344 Aug 1 10:50 /sbin/chpax
$
Are you serious?

Checked it out:
Jan 20 20:39:37 xena kernel: grsec: From a.b.c.d: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /chroot/.../a.out[a.out:12532] uid/euid:1000/1000 gid/egid:100/100, parent /chroot/bin/bash[bash:12383] uid/euid:1000/1000 gid/egid:100/100
Jan 20 20:39:37 xena kernel: ------------[ cut here ]------------
Jan 20 20:39:37 xena kernel: kernel BUG at mm/mmap.c:2240!
Jan 20 20:39:37 xena kernel: invalid opcode: 0000 [#13]
Jan 20 20:39:37 xena kernel: Modules linked in: raid1 md_mod dm_mod r8169 crc32
Jan 20 20:39:37 xena kernel: CPU:    0
Jan 20 20:39:37 xena kernel: EIP:    0060:[<00035bca>]    Not tainted VLI
Jan 20 20:39:37 xena kernel: EFLAGS: 00010202   (2.6.19.2-grsec #1)
Jan 20 20:39:37 xena kernel: eax: 00000000   ebx: e70f1e50   ecx: c18d7c40   edx: c12c96a0
Jan 20 20:39:37 xena kernel: esi: 00000000   edi: f7589040   ebp: 00000001   esp: e70f1e40
Jan 20 20:39:37 xena kernel: ds: 0068   es: 0068   ss: 0068
Jan 20 20:39:37 xena kernel: Process a.out (pid: 12532, ti=e70f0000 task=f75cf560 task.ti=e70f0000)
Jan 20 20:39:37 xena kernel: Stack: 00000000 e70f1e4c 00000000 00000042 c0c25bbc f7589040 f75cf560 0000000b
Jan 20 20:39:37 xena kernel:        00010c6d 0000000b 00014a11 e70f1f0c 0001a0f0 0000000b 0000000b 0000000a
Jan 20 20:39:37 xena kernel:        00000000 00000000 e70f1e88 00000000 0000000b f794f11c f794f10c e70f1eec
Jan 20 20:39:37 xena kernel: Call Trace:
Jan 20 20:39:37 xena kernel:  =======================
Jan 20 20:39:37 xena kernel: Code: 00 e0 ff ff 8b 00 8b 80 84 00 00 00 39 02 75 11 0f 20 d8 0f 22 d8 eb 09 89 f0 e8 1a ff ff ff 89 c6 85 f6 75 f3 83 7f 74 00 74 09 <0f> 0b ea be dc 54 c0 c0 08 83 c4 14 5b 5e 5f c3 55 89 cd 57 56
Jan 20 20:39:37 xena kernel: EIP: [<00035bca>]  SS:ESP 0068:e70f1e40
Jan 20 20:39:37 xena kernel:  <1>Fixing recursive fault but reboot is needed!

That doesn't look too healthy indeed, from what I can tell.

Edit: Looks like a preliminary fix is available: http://grsecurity.net/pipermail/grsecur ... 00829.html
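
A defender's view of the syslog excerpt in the post above, as an added example that is not part of this thread: a small Python parser that turns the grsec resource-denial line and the kernel BUG lines into structured events and attributes the oops to the unprivileged process that triggered it. The sample log is reconstructed from the lines posted above, and the event field names are my own.

```python
import re

# Constructed sample, modelled on the syslog excerpt posted above (not a live capture).
SAMPLE_LOG = """\
Jan 20 20:39:37 xena kernel: grsec: From a.b.c.d: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /chroot/.../a.out[a.out:12532] uid/euid:1000/1000 gid/egid:100/100, parent /chroot/bin/bash[bash:12383] uid/euid:1000/1000 gid/egid:100/100
Jan 20 20:39:37 xena kernel: ------------[ cut here ]------------
Jan 20 20:39:37 xena kernel: kernel BUG at mm/mmap.c:2240!
Jan 20 20:39:37 xena kernel: invalid opcode: 0000 [#13]
Jan 20 20:39:37 xena kernel: Process a.out (pid: 12532, ti=e70f0000 task=f75cf560 task.ti=e70f0000)
Jan 20 20:39:37 xena kernel:  <1>Fixing recursive fault but reboot is needed!
"""

# grsec's "denied resource overstep" line: who asked for what, against which limit.
GRSEC_RE = re.compile(
    r"grsec: From (?P<src>\S+): denied resource overstep by requesting (?P<req>\d+) "
    r"for (?P<rlimit>RLIMIT_\w+) against limit (?P<limit>\d+) for (?P<path>\S+?)"
    r"\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)
BUG_RE = re.compile(r"kernel BUG at (?P<file>[\w./-]+):(?P<line>\d+)!")
PROC_RE = re.compile(r"Process (?P<comm>\S+) \(pid: (?P<pid>\d+)")

def parse_events(text):
    """Turn raw syslog lines into structured events; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        if (m := GRSEC_RE.search(line)):
            d = m.groupdict()
            events.append({"type": "grsec_denial", "pid": int(d["pid"]), "comm": d["comm"],
                           "uid": int(d["uid"]), "rlimit": d["rlimit"], "requested": int(d["req"]),
                           "limit": int(d["limit"]), "path": d["path"]})
        elif (m := BUG_RE.search(line)):
            events.append({"type": "kernel_bug", "file": m["file"], "line": int(m["line"])})
        elif (m := PROC_RE.search(line)):
            events.append({"type": "oops_process", "pid": int(m["pid"]), "comm": m["comm"]})
        elif "reboot is needed" in line:
            events.append({"type": "recursive_fault"})
    return events

def triage(events):
    """Tie a kernel BUG to the process that hit it and to any grsec denial that process logged."""
    bug = next((e for e in events if e["type"] == "kernel_bug"), None)
    if bug is None:
        return None
    proc = next((e for e in events if e["type"] == "oops_process"), None)
    denials = [e for e in events
               if e["type"] == "grsec_denial" and proc and e["pid"] == proc["pid"]]
    return {"location": f'{bug["file"]}:{bug["line"]}',
            "pid": proc["pid"] if proc else None,
            "comm": proc["comm"] if proc else None,
            "uid": denials[0]["uid"] if denials else None,
            "preceded_by_grsec_denial": bool(denials),
            "reboot_needed": any(e["type"] == "recursive_fault" for e in events)}
```

Feeding the kernel ring buffer or syslog through `parse_events` and `triage` gives an alert that names the crash site, the unprivileged uid and the binary, which is what an operator wants to know before deciding whether a box needs the preliminary fix and a reboot.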

PostPosted: Sun Jan 21, 2007 5:22 pm
by specs
I did not get such a warning when trying to run the exploit on a C3 (CONFIG_MCYRIXIII=y).
With an AMD64 I got a minimal message.

Might be just some missing debugging options in the kernel though.

Re: Local root in expand_stack()?

PostPosted: Fri Jan 18, 2008 2:52 am
by crespowu
I also think it's related to debugging.

Re: Local root in expand_stack()?

PostPosted: Sat Feb 23, 2008 7:01 am
by danielrigano
Have you got 80.000 USD?

Too expensive!