[gentoo-hardened] about the recent ELF kernel bug

[gentoo-hardened] about the recent ELF kernel bug

[Pedro Venda]

[-- Attachment #1: Type: text/plain, Size: 1108 bytes --]

hi everyone,

Has anyone got a clue on how should the proof of concept code behave on 
vulnerable and not vulnerable machines?

On a PaX+grsecurity hardened server, it outputs:

[+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc  ESP: 0xb47b1890
[+] phase 1
[+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432  ESP: 0xb5e03930
[+] phase2, <RET> to crash Killed

and doesn't core-dump. Also it doesn't warn about the segmentation violation 
process in the logs...

On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8 
kernels) results are consistent but different from the hardened server:
pjlv@archon test $ ./elfcd1

[+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff  ESP: 0xbfffedb0
[+] phase 1
[+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2  ESP: 0xbfff6e80
[+] phase 2, <RET> to crash Segmentation fault (core dumped)

and core-dumps.

any help? is the hardened server secure? I suppose so, since it didn't core 
dump. 

regards,
pedro venda.
-- 

Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org
http://arrakis.dhis.org

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

[gentoo-security] Re: [gentoo-hardened] about the recent ELF kernel bug

[Miguel Filipe]

Hi there,

On 5/13/05, Pedro Venda <pjvenda@arrakis.dhis.org> wrote:
> hi everyone,
> 
> Has anyone got a clue on how should the proof of concept code behave on
> vulnerable and not vulnerable machines?
> 
> On a PaX+grsecurity hardened server, it outputs:
> 
> [+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc  ESP: 0xb47b1890
> [+] phase 1
> [+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432  ESP: 0xb5e03930
> [+] phase2, <RET> to crash Killed
> 
> and doesn't core-dump. Also it doesn't warn about the segmentation violation
> process in the logs...
> 
> On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8
> kernels) results are consistent but different from the hardened server:
> pjlv@archon test $ ./elfcd1
> 
> [+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff  ESP: 0xbfffedb0
> [+] phase 1
> [+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2  ESP: 0xbfff6e80
> [+] phase 2, <RET> to crash Segmentation fault (core dumped)
> 
> and core-dumps.
> 
> any help? is the hardened server secure? I suppose so, since it didn't core
> dump.
> 

>From what I understood, a core dump doesn't meen the POC worked.
But I could be wrong...

> regards,
> pedro venda.
> --
> 
> Pedro João Lopes Venda
> email: pjvenda < at > arrakis.dhis.org
> http://arrakis.dhis.org
> 
> 
> 

best regards, e abraços pa ti pj! :-p



-- 
Miguel Sousa Filipe

-- 
gentoo-security@gentoo.org mailing list

-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Re: [gentoo-security] about the recent ELF kernel bug

[Robert Paskowitz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Did you make sure to change ulimit -c away from '0'? (The default)

antoine wrote:
> I failed to crash any of my test systems with that exploit, hardened or
> not. And no-one else seems to have confirmed that it does work.
> I can however crash x86_64 systems with another unfixed bug (up to
> 2.6.12-rc4).
> 
> Antoine
> 
> On Fri, 2005-05-13 at 15:09 +0100, Pedro Venda wrote:
> 
>>hi everyone,
>>
>>Has anyone got a clue on how should the proof of concept code behave on 
>>vulnerable and not vulnerable machines?
>>
>>On a PaX+grsecurity hardened server, it outputs:
>>
>>[+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc  ESP: 0xb47b1890
>>[+] phase 1
>>[+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432  ESP: 0xb5e03930
>>[+] phase2, <RET> to crash Killed
>>
>>and doesn't core-dump. Also it doesn't warn about the segmentation violation 
>>process in the logs...
>>
>>On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8 
>>kernels) results are consistent but different from the hardened server:
>>pjlv@archon test $ ./elfcd1
>>
>>[+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff  ESP: 0xbfffedb0
>>[+] phase 1
>>[+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2  ESP: 0xbfff6e80
>>[+] phase 2, <RET> to crash Segmentation fault (core dumped)
>>
>>and core-dumps.
>>
>>any help? is the hardened server secure? I suppose so, since it didn't core 
>>dump. 
>>
>>regards,
>>pedro venda.
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFChL2CZwjIiODIZ4oRAiXDAJ0ci101Dx/KRcCQcXsxt5hralewlQCcC5CJ
tc1hBT+hc2hh85hLjJJ605Y=
=xtdv
-----END PGP SIGNATURE-----
-- 
gentoo-hardened@gentoo.org mailing list

[gentoo-hardened] Re: [gentoo-security] about the recent ELF kernel bug

[antoine]

I failed to crash any of my test systems with that exploit, hardened or
not. And no-one else seems to have confirmed that it does work.
I can however crash x86_64 systems with another unfixed bug (up to
2.6.12-rc4).

Antoine

On Fri, 2005-05-13 at 15:09 +0100, Pedro Venda wrote:
> hi everyone,
> 
> Has anyone got a clue on how should the proof of concept code behave on 
> vulnerable and not vulnerable machines?
> 
> On a PaX+grsecurity hardened server, it outputs:
> 
> [+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc  ESP: 0xb47b1890
> [+] phase 1
> [+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432  ESP: 0xb5e03930
> [+] phase2, <RET> to crash Killed
> 
> and doesn't core-dump. Also it doesn't warn about the segmentation violation 
> process in the logs...
> 
> On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8 
> kernels) results are consistent but different from the hardened server:
> pjlv@archon test $ ./elfcd1
> 
> [+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff  ESP: 0xbfffedb0
> [+] phase 1
> [+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2  ESP: 0xbfff6e80
> [+] phase 2, <RET> to crash Segmentation fault (core dumped)
> 
> and core-dumps.
> 
> any help? is the hardened server secure? I suppose so, since it didn't core 
> dump. 
> 
> regards,
> pedro venda.

-- 
gentoo-security@gentoo.org mailing list

-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] about the recent ELF kernel bug

[Mike Frysinger]

On Friday 13 May 2005 10:09 am, Pedro Venda wrote:
> hi everyone,

dont cross-post on mailing lists, it's annoying and bad form

this should prob stay on hardened since it makes more sense there than 
security

> and doesn't core-dump.

core-dumping is a setting in userspace, not kernel-specific

see /etc/limits and read about ulimit in `man bash`
-mike
-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] about the recent ELF kernel bug

[Aleksander Kamil Modzelewski]

[-- Attachment #1: Type: text/plain, Size: 1024 bytes --]

Mike Frysinger wrote:
> dont cross-post on mailing lists, it's annoying and bad form
I cross posted?

> this should prob stay on hardened since it makes more sense there than 
> security
To security? Uh... sorry, then. Still, I can't see how I have done it. I 
have only gentoo-hardened in the destination of my local copy of the post, 
neither I found it in the MARC archive of gentoo-security (but maybe it's 
lagging behind).

>>and doesn't core-dump.
> core-dumping is a setting in userspace, not kernel-specific
...of course. And I was unprecise, I meant segfaulting, not core-dumping, of 
course. Sorry, I'm a bit tired here :). Anyway there is both a sigsegv in 
the app and an oops (a NULL pointer dereference while unregistering the vlan 
device) in the logs. _And_, I reproduced the segfault, I mistakenly forgot 
that I'm in permissive mode :), so the vconfig requires access to the /sys 
(and, when provided with it, it works). It shouldn't segfault, but that's an 
app's bug probably.

[snip]

> -mike
Aleander

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 3174 bytes --]

Re: [gentoo-hardened] about the recent ELF kernel bug

[Aleksander Kamil Modzelewski]

[-- Attachment #1: Type: text/plain, Size: 320 bytes --]

Aleksander Kamil Modzelewski wrote:
>> dont cross-post on mailing lists, it's annoying and bad form
> I cross posted?
Uhh, sorry, I identified some parts similiar to my post and mis-identified
it as mine. Should sleep more. Or get more caffeine. Or both. Sorry again :)

/me blushes and hides away.

Regards...
Aleander

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 3174 bytes --]

Re: [gentoo-hardened] about the recent ELF kernel bug

[Kevin F. Quinn]

On 13/5/2005 16:09:23, Pedro Venda (pjvenda@arrakis.dhis.org) wrote:

> On a PaX+grsecurity hardened server, it outputs:
> ...
> [+] phase2, <RET> to crash Killed
What kernel version?

The hardened 2.6.11.1 kernel is not vulnerable to the exploit as described, because the bug used to trigger the feature is not present.  If you read all the way through http://isec.pl/vulnerabilities/isec-0023-coredump.txt and compare it with the 2.6.11 kernel source, you'll see that although the arithmetic error is present (see fill_psinfo()), the bug used to get to it is not.  See https://bugs.gentoo.org/show_bug.cgi?id=92264

This doesn't mean necessarily that there is not another way to exploit it.  Exercise for the reader to find one ;)

> On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8 
> kernels) [...]
> [+] phase 2, <RET> to crash Segmentation fault (core dumped)

I haven't checked all kernel versions, but the vanilla 2.6.11.7 prevents the exploit in the same way as the hardened kernel.  The difference between killed and core dump may be due to the grsecurity/pax patches, or could simply be differences between 2.6.11.1 and 2.6.11.7 (i.e. nothing to do with hardened).  Either way, the exploit fails - not because of anything particular in the hardened kernel, but due to better written upstream code in create_elf_tables().

Kev.

(removed cc to security@, since they've already seen this argument on bug #92264)



-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] about the recent ELF kernel bug

[Pedro Venda]

[-- Attachment #1: Type: text/plain, Size: 1643 bytes --]

On Sunday 15 May 2005 16:25, Kevin F. Quinn wrote:
> On 13/5/2005 16:09:23, Pedro Venda (pjvenda@arrakis.dhis.org) wrote:
> > On a PaX+grsecurity hardened server, it outputs:
> > ...
> > [+] phase2, <RET> to crash Killed
>
> What kernel version?
>
> The hardened 2.6.11.1 kernel is not vulnerable to the exploit as described,
> because the bug used to trigger the feature is not present.  If you read
> all the way through http://isec.pl/vulnerabilities/isec-0023-coredump.txt
> and compare it with the 2.6.11 kernel source, you'll see that although the
> arithmetic error is present (see fill_psinfo()), the bug used to get to it
> is not.  See https://bugs.gentoo.org/show_bug.cgi?id=92264
>
> This doesn't mean necessarily that there is not another way to exploit it. 
> Exercise for the reader to find one ;)
>
> > On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8
> > kernels) [...]
> > [+] phase 2, <RET> to crash Segmentation fault (core dumped)
>
> I haven't checked all kernel versions, but the vanilla 2.6.11.7 prevents
> the exploit in the same way as the hardened kernel.  The difference between
> killed and core dump may be due to the grsecurity/pax patches, or could
> simply be differences between 2.6.11.1 and 2.6.11.7 (i.e. nothing to do
> with hardened).  Either way, the exploit fails - not because of anything
> particular in the hardened kernel, but due to better written upstream code
> in create_elf_tables().

thanks for the explanations.

regards,
pedro venda.

-- 

Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org
http://arrakis.dhis.org

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]