On Tue, 27 Mar 2001, Wojciech Purczynski wrote:

>
> Hi,
>
> Here is exploit for ptrace/execve race condition bug in Linux kernels up
> to 2.2.18.
>

Hi!

I've seen a tool that works better than this; using a different approach to
the same bug, it exploits it on all platforms, giving instant root without the
need to cat garbage files to clear the disk cache!!!

Anyway: here is a fast way to fix the problem (but it introduces a new one): a
kernel module that disables the ptrace syscall.
It works for 2.0 and 2.2 kernels (I haven't tested it under 2.4).
All you need to do is:

emsi:~# gcc -c npt.c
emsi:~# insmod ./npt.o


And here is how it works:

[before installing module]
emsi:~/hack/ptrace> ./a.out /sbin/powerd
[*] Child exec...
[+] Waiting for disk sleep....  dunno why but that printf helps sometimes
;)
[OK]
[+] ATTACH: 0 : Success
[+] eip: 0x1109d0 -> 0x805a41b
[+] copy data from 0x805a3e0 to 0xbffff100
[...............]
[?] DETACH: 0 : Success
Status of 5342: R
bash#
[installing module]
bash# /sbin/insmod ./npt.o
bash# exit
emsi:~/hack/ptrace> ./a.out /sbin/reboot
[*] Child exec...
[+] Waiting for disk sleep....  dunno why but that printf helps sometimes
;)
[OK]
[--] ATTACH: Operation not permitted      <==== see this
Exiting...
emsi:~/hack/ptrace> Unknown id: ELF


It removes the possibility to trace processes, but gives an instant shield
against hackers.


greets: nergal, Lam3rZ, teso brothers, nises, hert and others :)

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners

/* no ptrace module
   fast prevention for kernel bug
   (c) 2001 a Lam3rZ odyssey
*/

#define MODULE
#define __KERNEL__

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/linkage.h>     /* asmlinkage */
#include <linux/errno.h>       /* EPERM */
#include <linux/unistd.h>      /* __NR_ptrace (pulls in asm/unistd.h) */

#ifndef KERNEL_VERSION
#define KERNEL_VERSION(a,b,c) ((a)*65536+(b)*256+(c))
#endif

/* sys_call_table is exported to modules on 2.0 and 2.2 kernels */
extern void *sys_call_table[];

/* the real sys_ptrace, saved so cleanup_module() can put it back */
asmlinkage int (*orig_ptrace)(long, long, long, long);

/* replacement handler: refuse every ptrace request. -EPERM is -1, which
   is what the caller sees as "Operation not permitted" */
asmlinkage int no_ptrace(long request, long pid, long addr, long data)
{
        return -EPERM;
}

int init_module(void)
{
        orig_ptrace = sys_call_table[__NR_ptrace];
        sys_call_table[__NR_ptrace] = no_ptrace;
        return 0;
}

void cleanup_module(void)
{
        /* restore the original syscall on rmmod */
        sys_call_table[__NR_ptrace] = orig_ptrace;
}
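
A quick way to confirm the module is actually in effect, as an added example that is not part of Mariusz's posting or the Lam3rZ code: a userspace C probe that forks a throwaway child and tries PTRACE_ATTACH on it. With the module loaded every ptrace request returns -1 from the kernel, which the syscall return path hands to userland as errno EPERM, exactly the "[--] ATTACH: Operation not permitted" seen in the transcript above, so the probe should report "blocked (EPERM)"; without the module it reports that the attach succeeded. The probe_* names are mine; the code assumes a Linux host with glibc's <sys/ptrace.h>.

```c
/* ptrace_probe.c: does PTRACE_ATTACH work on this host?
 * Added example, not from the original posting. Assumes Linux + glibc. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result {
    PROBE_ATTACH_OK = 0,  /* ptrace(PTRACE_ATTACH) returned 0 */
    PROBE_BLOCKED   = 1,  /* failed with EPERM, e.g. npt.o is loaded */
    PROBE_OTHER_ERR = 2,  /* failed with some other errno */
    PROBE_INTERNAL  = 3   /* fork() failed; no conclusion */
};

/* Map ptrace()'s return value and the errno it left behind to a verdict. */
enum probe_result classify_attach(long rc, int err)
{
    if (rc == 0)
        return PROBE_ATTACH_OK;
    return (err == EPERM) ? PROBE_BLOCKED : PROBE_OTHER_ERR;
}

const char *probe_name(enum probe_result r)
{
    switch (r) {
    case PROBE_ATTACH_OK: return "attach succeeded (ptrace available)";
    case PROBE_BLOCKED:   return "blocked (EPERM)";
    case PROBE_OTHER_ERR: return "failed with another error";
    default:              return "probe could not run";
    }
}

/* Fork a child that just waits, try to attach to it, then clean it up. */
enum probe_result probe_ptrace(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_INTERNAL;
    if (pid == 0) {
        pause();   /* child: sit here until the parent kills us */
        _exit(0);
    }

    errno = 0;
    long rc = ptrace(PTRACE_ATTACH, pid, NULL, NULL);
    int err = errno;

    if (rc == 0) {
        /* a successful attach delivers SIGSTOP; reap the stop, then detach */
        int status;
        waitpid(pid, &status, 0);
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
    }
    kill(pid, SIGKILL);        /* SIGKILL works on a traced child too */
    waitpid(pid, NULL, 0);
    return classify_attach(rc, err);
}

int main(void)
{
    enum probe_result r = probe_ptrace();
    printf("PTRACE_ATTACH: %s\n", probe_name(r));
    return r == PROBE_INTERNAL ? 2 : 0;
}
```

Build with `gcc -o ptrace_probe ptrace_probe.c` and run it as an ordinary user before and after `insmod ./npt.o`. Two caveats worth keeping in mind: the module also breaks gdb and strace for everyone on the box, since both are built on ptrace, and it only removes the entry point. The race in the kernel itself is untouched until the kernel is fixed, so the module is a stopgap, not a patch.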
