public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] about the recent ELF kernel bug
From: Pedro Venda @ 2005-05-13 14:09 UTC
  To: gentoo-security, gentoo-hardened


hi everyone,

Has anyone got a clue about how the proof of concept code should behave on 
vulnerable and non-vulnerable machines?

On a PaX+grsecurity hardened server, it outputs:

[+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc  ESP: 0xb47b1890
[+] phase 1
[+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432  ESP: 0xb5e03930
[+] phase2, <RET> to crash Killed

and doesn't core-dump. Also, it doesn't log a warning about the process's 
segmentation violation...

On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8 
kernels), the results are consistent with each other but different from the 
hardened server:
pjlv@archon test $ ./elfcd1

[+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff  ESP: 0xbfffedb0
[+] phase 1
[+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2  ESP: 0xbfff6e80
[+] phase 2, <RET> to crash Segmentation fault (core dumped)

and core-dumps.

Any help? Is the hardened server secure? I suppose so, since it didn't core 
dump.

regards,
pedro venda.
-- 

Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org
http://arrakis.dhis.org


* [gentoo-security] Re: [gentoo-hardened] about the recent ELF kernel bug
From: Miguel Filipe @ 2005-05-13 14:42 UTC
  To: gentoo-hardened; +Cc: gentoo-security, grsecurity

Hi there,

On 5/13/05, Pedro Venda <pjvenda@arrakis.dhis.org> wrote:
> hi everyone,
> 
> Has anyone got a clue about how the proof of concept code should behave on
> vulnerable and non-vulnerable machines?
> 
> On a PaX+grsecurity hardened server, it outputs:
> 
> [+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc  ESP: 0xb47b1890
> [+] phase 1
> [+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432  ESP: 0xb5e03930
> [+] phase2, <RET> to crash Killed
> 
> and doesn't core-dump. Also, it doesn't log a warning about the process's
> segmentation violation...
> 
> On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8
> kernels), the results are consistent with each other but different from the
> hardened server:
> pjlv@archon test $ ./elfcd1
> 
> [+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff  ESP: 0xbfffedb0
> [+] phase 1
> [+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2  ESP: 0xbfff6e80
> [+] phase 2, <RET> to crash Segmentation fault (core dumped)
> 
> and core-dumps.
> 
> Any help? Is the hardened server secure? I suppose so, since it didn't core
> dump.
> 

From what I understood, a core dump doesn't mean the PoC worked.
But I could be wrong...

> regards,
> pedro venda.
> --
> 
> Pedro João Lopes Venda
> email: pjvenda < at > arrakis.dhis.org
> http://arrakis.dhis.org
> 
> 
> 

best regards, and hugs to you, pj! :-p



-- 
Miguel Sousa Filipe

-- 
gentoo-security@gentoo.org mailing list

-- 
gentoo-hardened@gentoo.org mailing list



* Re: [gentoo-hardened] Re: [gentoo-security] about the recent ELF kernel bug
From: Robert Paskowitz @ 2005-05-13 14:45 UTC
  To: gentoo-hardened


Did you make sure to change ulimit -c away from '0' (the default)?

antoine wrote:
> I failed to crash any of my test systems with that exploit, hardened or
> not. And no-one else seems to have confirmed that it does work.
> I can however crash x86_64 systems with another unfixed bug (up to
> 2.6.12-rc4).
> 
> Antoine
> 
> On Fri, 2005-05-13 at 15:09 +0100, Pedro Venda wrote:
> 
>>hi everyone,
>>
>>Has anyone got a clue about how the proof of concept code should behave on 
>>vulnerable and non-vulnerable machines?
>>
>>On a PaX+grsecurity hardened server, it outputs:
>>
>>[+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc  ESP: 0xb47b1890
>>[+] phase 1
>>[+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432  ESP: 0xb5e03930
>>[+] phase2, <RET> to crash Killed
>>
>>and doesn't core-dump. Also, it doesn't log a warning about the process's 
>>segmentation violation...
>>
>>On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8 
>>kernels), the results are consistent with each other but different from the 
>>hardened server:
>>pjlv@archon test $ ./elfcd1
>>
>>[+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff  ESP: 0xbfffedb0
>>[+] phase 1
>>[+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2  ESP: 0xbfff6e80
>>[+] phase 2, <RET> to crash Segmentation fault (core dumped)
>>
>>and core-dumps.
>>
>>Any help? Is the hardened server secure? I suppose so, since it didn't core 
>>dump.
>>
>>regards,
>>pedro venda.
> 
> 



* [gentoo-hardened] Re: [gentoo-security] about the recent ELF kernel bug
From: antoine @ 2005-05-13 16:03 UTC
  To: gentoo-security; +Cc: gentoo-hardened

I failed to crash any of my test systems with that exploit, hardened or
not. And no-one else seems to have confirmed that it does work.
I can however crash x86_64 systems with another unfixed bug (up to
2.6.12-rc4).

Antoine

On Fri, 2005-05-13 at 15:09 +0100, Pedro Venda wrote:
> hi everyone,
> 
> Has anyone got a clue about how the proof of concept code should behave on 
> vulnerable and non-vulnerable machines?
> 
> On a PaX+grsecurity hardened server, it outputs:
> 
> [+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc  ESP: 0xb47b1890
> [+] phase 1
> [+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432  ESP: 0xb5e03930
> [+] phase2, <RET> to crash Killed
> 
> and doesn't core-dump. Also, it doesn't log a warning about the process's 
> segmentation violation...
> 
> On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8 
> kernels), the results are consistent with each other but different from the 
> hardened server:
> pjlv@archon test $ ./elfcd1
> 
> [+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff  ESP: 0xbfffedb0
> [+] phase 1
> [+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2  ESP: 0xbfff6e80
> [+] phase 2, <RET> to crash Segmentation fault (core dumped)
> 
> and core-dumps.
> 
> Any help? Is the hardened server secure? I suppose so, since it didn't core 
> dump.
> 
> regards,
> pedro venda.


* Re: [gentoo-hardened] about the recent ELF kernel bug
From: Mike Frysinger @ 2005-05-13 19:49 UTC
  To: gentoo-hardened; +Cc: Pedro Venda

On Friday 13 May 2005 10:09 am, Pedro Venda wrote:
> hi everyone,

Don't cross-post on mailing lists; it's annoying and bad form.

This should probably stay on hardened, since it makes more sense there than 
on security.

> and doesn't core-dump.

Core-dumping is a setting in userspace, not kernel-specific.

See /etc/limits and read about ulimit in `man bash`.
-mike
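Robert's question about ulimit -c and Mike's point above, shown as an added example in C that is not code from the thread, from Gentoo or from the kernel: whether a crashed process leaves a core file is decided by its RLIMIT_CORE (what `ulimit -c` and /etc/limits set), and the shell's wording only tells you which signal ended it. "Killed" is the shell's name for SIGKILL, a signal that never produces a core whatever the limit; "Segmentation fault" is SIGSEGV; and the "(core dumped)" suffix is the core flag in the wait status, which for a file core_pattern is only set when the limit allowed a file to be written. The program forks constructed children that die in each of these ways, optionally sets RLIMIT_CORE to 0 in the child first, decodes the wait status with WTERMSIG/WCOREDUMP, and reads the parent's own limit with getrlimit(). The child functions, `struct death` and the helper names are assumptions for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decoded view of how a child process ended. */
struct death {
    int exited;   /* 1: it called exit(); 0: a signal terminated it */
    int code;     /* exit status, or the terminating signal number */
    int core;     /* 1 if the wait status carries the "(core dumped)" flag */
};

/* Turn a raw waitpid() status into a struct death. */
struct death decode_status(int status)
{
    struct death d = { 0, 0, 0 };
    if (WIFEXITED(status)) {
        d.exited = 1;
        d.code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        d.code = WTERMSIG(status);   /* 9 for "Killed", 11 for "Segmentation fault" */
#ifdef WCOREDUMP
        d.core = WCOREDUMP(status) ? 1 : 0;
#endif
    }
    return d;
}

/* Fork, optionally set RLIMIT_CORE to 0 in the child (what a 0 in
 * /etc/limits or "ulimit -c 0" does), run fn() there, report how it died. */
struct death run_child(void (*fn)(void), int allow_core)
{
    struct death failed = { 1, -1, 0 };
    pid_t pid = fork();
    if (pid < 0)
        return failed;
    if (pid == 0) {
        if (!allow_core) {
            struct rlimit rl = { 0, 0 };
            setrlimit(RLIMIT_CORE, &rl);
        }
        fn();
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return failed;
    return decode_status(status);
}

/* 1 if this process's soft core limit is non-zero, 0 if cores are disabled,
 * -1 on error: the same information "ulimit -c" shows, read from the kernel. */
int core_limit_nonzero(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) < 0)
        return -1;
    return rl.rlim_cur != 0;
}

/* Constructed children for the demonstration.  SIGSEGV is raised rather than
 * triggered by a real fault; the parent sees the same wait status either way. */
void child_sigkill(void) { raise(SIGKILL); }
void child_sigsegv(void) { signal(SIGSEGV, SIG_DFL); raise(SIGSEGV); }
void child_exit3(void)   { _exit(3); }

static void report(const char *label, struct death d)
{
    if (d.exited)
        printf("%s: exited with status %d\n", label, d.code);
    else
        printf("%s: killed by signal %d%s\n", label, d.code,
               d.core ? " (core dumped)" : "");
}

int main(void)
{
    printf("parent core limit non-zero: %d\n", core_limit_nonzero());
    report("SIGSEGV, core limit 0", run_child(child_sigsegv, 0));
    report("SIGSEGV, inherited limit", run_child(child_sigsegv, 1));
    report("SIGKILL, inherited limit", run_child(child_sigkill, 1));
    report("exit(3)", run_child(child_exit3, 1));
    return 0;
}
```

Run it once under `ulimit -c 0` and once under `ulimit -c unlimited`: only the "inherited limit" SIGSEGV line changes, the SIGKILL line never gains "(core dumped)", and the core-limit-0 child is silent about a core in both runs. That is the whole difference between the two outputs quoted at the top of the thread; the signal number, not the core flag, is the part worth comparing between kernels.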

* Re: [gentoo-hardened] about the recent ELF kernel bug
From: Aleksander Kamil Modzelewski @ 2005-05-13 20:25 UTC
  To: gentoo-hardened


Mike Frysinger wrote:
> dont cross-post on mailing lists, it's annoying and bad form
I cross-posted?

> this should prob stay on hardened since it makes more sense there than 
> security
To security? Uh... sorry, then. Still, I can't see how I have done it. I 
have only gentoo-hardened in the destination of my local copy of the post, 
nor did I find it in the MARC archive of gentoo-security (but maybe it's 
lagging behind).

>>and doesn't core-dump.
> core-dumping is a setting in userspace, not kernel-specific
...of course. And I was imprecise: I meant segfaulting, not core-dumping, of 
course. Sorry, I'm a bit tired here :). Anyway, there is both a SIGSEGV in 
the app and an oops (a NULL pointer dereference while unregistering the vlan 
device) in the logs. _And_ I reproduced the segfault; I mistakenly forgot 
that I'm in permissive mode :), so vconfig requires access to /sys (and, 
when provided with it, it works). It shouldn't segfault, but that's probably 
an app bug.

[snip]

> -mike
Aleander


* Re: [gentoo-hardened] about the recent ELF kernel bug
From: Aleksander Kamil Modzelewski @ 2005-05-13 20:37 UTC
  To: gentoo-hardened


Aleksander Kamil Modzelewski wrote:
>> dont cross-post on mailing lists, it's annoying and bad form
> I cross posted?
Uhh, sorry, I identified some parts similar to my post and mis-identified
it as mine. Should sleep more. Or get more caffeine. Or both. Sorry again :)

/me blushes and hides away.

Regards...
Aleander


* Re: [gentoo-hardened] about the recent ELF kernel bug
From: Kevin F. Quinn @ 2005-05-15 15:25 UTC
  To: gentoo-hardened

On 13/5/2005 16:09:23, Pedro Venda (pjvenda@arrakis.dhis.org) wrote:

> On a PaX+grsecurity hardened server, it outputs:
> ...
> [+] phase2, <RET> to crash Killed
What kernel version?

The hardened 2.6.11.1 kernel is not vulnerable to the exploit as described, 
because the bug used to trigger the feature is not present.  If you read all 
the way through http://isec.pl/vulnerabilities/isec-0023-coredump.txt and 
compare it with the 2.6.11 kernel source, you'll see that although the 
arithmetic error is present (see fill_psinfo()), the bug used to get to it 
is not.  See https://bugs.gentoo.org/show_bug.cgi?id=92264

This doesn't necessarily mean that there is not another way to exploit it.  
Exercise for the reader to find one ;)

> On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8 
> kernels) [...]
> [+] phase 2, <RET> to crash Segmentation fault (core dumped)

I haven't checked all kernel versions, but the vanilla 2.6.11.7 prevents the 
exploit in the same way as the hardened kernel.  The difference between 
killed and core dump may be due to the grsecurity/pax patches, or could 
simply be differences between 2.6.11.1 and 2.6.11.7 (i.e. nothing to do with 
hardened).  Either way, the exploit fails - not because of anything 
particular in the hardened kernel, but due to better written upstream code 
in create_elf_tables().

Kev.

(removed cc to security@, since they've already seen this argument on bug #92264)
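The "arithmetic error" in fill_psinfo() that Kevin points at, as an added example in C that is neither kernel code nor code from the thread: per the isec advisory he cites, the number of bytes copied from the process's argv area into the fixed-size pr_psargs field of elf_prpsinfo is computed as arg_end - arg_start in a signed int and capped with a signed comparison, so an inverted range (arg_end below arg_start, which is what the PoC's argv_start/argv_end games are about) gives a small negative length that passes the cap and becomes an enormous size_t when handed to copy_from_user(). The model below reproduces that arithmetic in userspace beside a hardened version written for this example (the kernel's real fix is not reproduced); ELF_PRARGSZ is 80 as in the kernel's elfcore.h, the argv bytes and address pairs are constructed, and the copy helper reports an overrun instead of performing it. All function names other than the macro are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ELF_PRARGSZ 80   /* size of elf_prpsinfo.pr_psargs, as in the kernel */

/* Length arithmetic as the vulnerable fill_psinfo() did it.  The difference
 * of two unsigned addresses lands in a signed int, so an inverted range
 * (arg_end < arg_start) gives a small negative value; the cap is a signed
 * comparison and never fires for it, and the conversion to size_t (what
 * copy_from_user() takes) turns e.g. -4 into SIZE_MAX - 3. */
size_t psargs_len_vulnerable(unsigned long arg_start, unsigned long arg_end)
{
    int len = arg_end - arg_start;
    if (len >= ELF_PRARGSZ)
        len = ELF_PRARGSZ - 1;
    return (size_t)len;
}

/* Hardened version written for this example: reject an inverted range and
 * keep the arithmetic unsigned, so the result is always < ELF_PRARGSZ. */
size_t psargs_len_fixed(unsigned long arg_start, unsigned long arg_end)
{
    if (arg_end < arg_start)
        return 0;
    unsigned long len = arg_end - arg_start;
    if (len >= ELF_PRARGSZ)
        len = ELF_PRARGSZ - 1;
    return (size_t)len;
}

/* Model of the copy into pr_psargs.  Returns 1 if copying 'len' bytes would
 * have run past the ELF_PRARGSZ-byte field (i.e. the kernel would have
 * written over whatever follows psinfo), 0 if it fits.  Never overruns. */
int fill_psargs(char dst[ELF_PRARGSZ], const char *src, size_t src_len, size_t len)
{
    memset(dst, 0, ELF_PRARGSZ);
    if (len >= ELF_PRARGSZ)
        return 1;
    if (len > src_len)
        len = src_len;          /* don't read past the constructed source */
    memcpy(dst, src, len);
    for (size_t i = 0; i < len; i++)   /* fill_psinfo() turns the NULs between */
        if (dst[i] == '\0')            /* argv strings into spaces */
            dst[i] = ' ';
    return 0;
}

/* Constructed argv area, laid out as the strings sit on the stack. */
static const char argv_area[] = "./elfcd1\0AAAA";

/* Would the vulnerable / fixed length for this range overrun pr_psargs? */
int vulnerable_overruns(unsigned long arg_start, unsigned long arg_end)
{
    char psargs[ELF_PRARGSZ];
    return fill_psargs(psargs, argv_area, sizeof argv_area,
                       psargs_len_vulnerable(arg_start, arg_end));
}

int fixed_overruns(unsigned long arg_start, unsigned long arg_end)
{
    char psargs[ELF_PRARGSZ];
    return fill_psargs(psargs, argv_area, sizeof argv_area,
                       psargs_len_fixed(arg_start, arg_end));
}

int main(void)
{
    /* Addresses in the style of the PoC output; only their difference matters. */
    unsigned long start = 0xbfff6feeUL, end = 0xbfff6ff2UL;
    printf("normal range:   vulnerable=%zu fixed=%zu overrun=%d\n",
           psargs_len_vulnerable(start, end), psargs_len_fixed(start, end),
           vulnerable_overruns(start, end));
    printf("inverted range: vulnerable=%zu fixed=%zu overrun=%d\n",
           psargs_len_vulnerable(end, start), psargs_len_fixed(end, start),
           vulnerable_overruns(end, start));
    return 0;
}
```

The point of keeping the bound at the copy site rather than trusting create_elf_tables() to hand over a sane range is the one Kevin's last sentence implies: a kernel whose fill_psinfo() clamps unsigned stays safe even if another way is found to invert or corrupt arg_start/arg_end, whereas one that merely fixed the trigger is only as safe as every future caller.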




* Re: [gentoo-hardened] about the recent ELF kernel bug
From: Pedro Venda @ 2005-05-15 21:28 UTC
  To: gentoo-hardened; +Cc: Kevin F. Quinn


On Sunday 15 May 2005 16:25, Kevin F. Quinn wrote:
> On 13/5/2005 16:09:23, Pedro Venda (pjvenda@arrakis.dhis.org) wrote:
> > On a PaX+grsecurity hardened server, it outputs:
> > ...
> > [+] phase2, <RET> to crash Killed
>
> What kernel version?
>
> The hardened 2.6.11.1 kernel is not vulnerable to the exploit as described,
> because the bug used to trigger the feature is not present.  If you read
> all the way through http://isec.pl/vulnerabilities/isec-0023-coredump.txt
> and compare it with the 2.6.11 kernel source, you'll see that although the
> arithmetic error is present (see fill_psinfo()), the bug used to get to it
> is not.  See https://bugs.gentoo.org/show_bug.cgi?id=92264
>
> This doesn't necessarily mean that there is not another way to exploit it. 
> Exercise for the reader to find one ;)
>
> > On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8
> > kernels) [...]
> > [+] phase 2, <RET> to crash Segmentation fault (core dumped)
>
> I haven't checked all kernel versions, but the vanilla 2.6.11.7 prevents
> the exploit in the same way as the hardened kernel.  The difference between
> killed and core dump may be due to the grsecurity/pax patches, or could
> simply be differences between 2.6.11.1 and 2.6.11.7 (i.e. nothing to do
> with hardened).  Either way, the exploit fails - not because of anything
> particular in the hardened kernel, but due to better written upstream code
> in create_elf_tables().

thanks for the explanations.

regards,
pedro venda.

-- 

Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org
http://arrakis.dhis.org
