Local root in expand_stack()?

a forum for discussing usability issues, general maintenance, and general support for a grsecurity-enabled system.

Moderators: spender, PaX Team

Local root in expand_stack()?

Postby grsecuser » Thu Jan 11, 2007 5:09 pm

http://www.digitalarmaments.com/pre2007-00018659.html just got sent to bugtraq. Anyone got an exploit? ;)
grsecuser
 
Posts: 3
Joined: Tue Jun 28, 2005 9:31 am

Postby ralphy » Thu Jan 11, 2007 10:05 pm

There's supposedly a remote vulnerability as well.

>> 01.08.2007: Linux Grsecurity Remote Vulnerability available to the Platinum Customers. . http://www.digitalarmaments.com/news_news.shtml#
ralphy
 
Posts: 52
Joined: Wed Jan 11, 2006 12:51 pm

Postby Jason » Fri Jan 12, 2007 6:23 am

Hi,

is there any update today on this?

Jason
Jason
 
Posts: 1
Joined: Fri Jan 12, 2007 5:54 am

Re: Local root in expand_stack()?

Postby Oscon » Fri Jan 12, 2007 7:23 am

grsecuser wrote:http://www.digitalarmaments.com/pre2007-00018659.html just got sent to bugtraq. Anyone got an exploit? ;)


Have you got 80.000 USD ? :wink:

D.A Platinum subscr. :roll:

"exploit avaiable only to Platinum Subscriptors" :wink:

"The annual Platinum Subscription fee is 80,000 $ (US Dollars)" :oops:
The Capitalism is dictatorship of Money.
Oscon
 
Posts: 44
Joined: Fri Jun 11, 2004 6:32 pm
Location: Sopron/Hungary

Postby tosh » Sat Jan 20, 2007 12:43 pm

tosh
 
Posts: 19
Joined: Mon Apr 10, 2006 9:13 pm

Postby ralphy » Sat Jan 20, 2007 1:09 pm

if( mprotect( (void *) MAP1_BASE, PAGE_SIZE,
PROT_READ | PROT_WRITE | PROT_EXEC ) < 0 )
{
perror( "mprotect map1 base" );
fprintf( stderr, "run chpax -m on this executable\n" );
return( 1 );
}

$ ls -al /sbin/chpax
-rwx--x--- 1 root root 14344 Aug 1 10:50 /sbin/chpax
$
ralphy
 
Posts: 52
Joined: Wed Jan 11, 2006 12:51 pm

Postby aldee » Sat Jan 20, 2007 2:37 pm

ralphy wrote:$ ls -al /sbin/chpax
-rwx--x--- 1 root root 14344 Aug 1 10:50 /sbin/chpax
$
Are you serious?

Checked it out:
Code: Select all
Jan 20 20:39:37 xena kernel: grsec: From a.b.c.d: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /chroot/.../a.out[a.out:12532] uid/euid:1000/1000 gid/egid:100/100, parent /chroot/bin/bash[bash:12383] uid/euid:1000/1000 gid/egid:100/100
Jan 20 20:39:37 xena kernel: ------------[ cut here ]------------
Jan 20 20:39:37 xena kernel: kernel BUG at mm/mmap.c:2240!
Jan 20 20:39:37 xena kernel: invalid opcode: 0000 [#13]
Jan 20 20:39:37 xena kernel: Modules linked in: raid1 md_mod dm_mod r8169 crc32
Jan 20 20:39:37 xena kernel: CPU:    0
Jan 20 20:39:37 xena kernel: EIP:    0060:[<00035bca>]    Not tainted VLI
Jan 20 20:39:37 xena kernel: EFLAGS: 00010202   (2.6.19.2-grsec #1)
Jan 20 20:39:37 xena kernel: eax: 00000000   ebx: e70f1e50   ecx: c18d7c40   edx: c12c96a0
Jan 20 20:39:37 xena kernel: esi: 00000000   edi: f7589040   ebp: 00000001   esp: e70f1e40
Jan 20 20:39:37 xena kernel: ds: 0068   es: 0068   ss: 0068
Jan 20 20:39:37 xena kernel: Process a.out (pid: 12532, ti=e70f0000 task=f75cf560 task.ti=e70f0000)
Jan 20 20:39:37 xena kernel: Stack: 00000000 e70f1e4c 00000000 00000042 c0c25bbc f7589040 f75cf560 0000000b
Jan 20 20:39:37 xena kernel:        00010c6d 0000000b 00014a11 e70f1f0c 0001a0f0 0000000b 0000000b 0000000a
Jan 20 20:39:37 xena kernel:        00000000 00000000 e70f1e88 00000000 0000000b f794f11c f794f10c e70f1eec
Jan 20 20:39:37 xena kernel: Call Trace:
Jan 20 20:39:37 xena kernel:  =======================
Jan 20 20:39:37 xena kernel: Code: 00 e0 ff ff 8b 00 8b 80 84 00 00 00 39 02 75 11 0f 20 d8 0f 22 d8 eb 09 89 f0 e8 1a ff ff ff 89 c6 85 f6 75 f3 83 7f 74 00
74 09 <0f> 0b ea be dc 54 c0 c0 08 83 c4 14 5b 5e 5f c3 55 89 cd 57 56
Jan 20 20:39:37 xena kernel: EIP: [<00035bca>]  SS:ESP 0068:e70f1e40
Jan 20 20:39:37 xena kernel:  <1>Fixing recursive fault but reboot is needed!

That doesn't look too healthy indeed, from what I can tell.

Edit: Looks like a preliminary fix is available: http://grsecurity.net/pipermail/grsecur ... 00829.html
aldee
 
Posts: 25
Joined: Tue Aug 15, 2006 11:41 am

Postby specs » Sun Jan 21, 2007 5:22 pm

I did not get such a warning when trying to run the exploit on a C3 (CONFIG_MCYRIXIII=y).
With an AMD64 I got a minimal message.

Might be just some missing debugging options in the kernel though.
specs
 
Posts: 188
Joined: Sun Mar 26, 2006 7:00 am

Re: Local root in expand_stack()?

Postby crespowu » Fri Jan 18, 2008 2:52 am

I also think it's related with debugging.
crespowu
 
Posts: 1
Joined: Fri Jan 18, 2008 2:45 am

Re: Local root in expand_stack()?

Postby danielrigano » Sat Feb 23, 2008 7:01 am

Have you got 80.000 USD ?

Too expensive!
danielrigano
 
Posts: 1
Joined: Sat Feb 23, 2008 6:53 am


Return to grsecurity support