On Tue, 27 Mar 2001, Wojciech Purczynski wrote:

> Hi,
>
> Here is an exploit for the ptrace/execve race condition bug in Linux kernels up
> to 2.2.18.

Hi!

I've seen a tool that works better than this; using a different approach to the same bug, it exploits it on all platforms, giving instant root without the need to cat garbage files to clear the disk cache!!!

Anyway, here is a fast way to fix the problem (but it introduces a new one): a kernel module that disables the ptrace syscall. It works for 2.0 and 2.2 kernels (I didn't test it under 2.4). All you need to do is:

emsi:~# gcc -c npt.c
emsi:~# insmod ./npt.o

And here is how it works:

[before installing module]
emsi:~/hack/ptrace> ./a.out /sbin/powerd
[*] Child exec...
[+] Waiting for disk sleep....
dunno why but that printf helps sometimes ;)
[OK]
[+] ATTACH: 0 : Success
[+] eip: 0x1109d0 -> 0x805a41b
[+] copy data from 0x805a3e0 to 0xbffff100
[...............]
[?] DETACH: 0 : Success
Status of 5342: R
bash#

[installing module]
bash# /sbin/insmod ./npt.o
bash# exit

emsi:~/hack/ptrace> ./a.out /sbin/reboot
[*] Child exec...
[+] Waiting for disk sleep....
dunno why but that printf helps sometimes ;)
[OK]
[--] ATTACH: Operation not permitted        <==== see this
Exiting...
emsi:~/hack/ptrace> Unknown id: ELF

It removes the possibility to trace processes, but gives an instant shield against hackers.

greets: nergal, Lam3rZ, teso brothers, nises, hert and others :)

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
/*
 * npt.c - "no ptrace" module: fast prevention for the ptrace/execve kernel bug
 * (c) 2001 a Lam3rZ odyssey
 *
 * Overwrites the ptrace entry in sys_call_table so that every ptrace(2)
 * call fails with EPERM; cleanup_module() restores the original handler.
 */
#define MODULE
#define __KERNEL__
#include <linux/module.h>
#include <linux/unistd.h>
#include <linux/errno.h>
#include <sys/syscall.h>

#ifndef KERNEL_VERSION
#define KERNEL_VERSION(a,b,c) ((a)*65536+(b)*256+(c))
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,0)
#include <asm/unistd.h>
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,14)
#include <bits/syscall.h>   /* provides __NR_ptrace when built with plain "gcc -c" */
#endif

extern void *sys_call_table[];

/* original sys_ptrace, saved so it can be restored on unload */
static int (*orig_ptrace)(int, int, int, int);

/* replacement handler: reject every ptrace request */
static int no_ptrace(int request, int pid, int addr, int data)
{
    return -EPERM;      /* user space sees "Operation not permitted" */
}

int init_module(void)
{
    orig_ptrace = sys_call_table[__NR_ptrace];
    sys_call_table[__NR_ptrace] = no_ptrace;
    return 0;
}

void cleanup_module(void)
{
    sys_call_table[__NR_ptrace] = orig_ptrace;
}
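As an added check (my own code, not part of the original post or of npt.c), the following user-space probe forks a throwaway child and attempts PTRACE_ATTACH, so an administrator can confirm whether ptrace really fails with EPERM the way the session above shows once npt.o is loaded. It assumes Linux with glibc's ptrace(2); the function and enum names are my own.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Verdict of a PTRACE_ATTACH probe against a throwaway child (hypothetical names). */
enum ptrace_state { PTRACE_ALLOWED = 0, PTRACE_BLOCKED = 1, PTRACE_PROBE_ERROR = 2 };

/* Map ptrace()'s return value and errno onto a verdict.
 * EPERM is exactly what a ptrace-disabling hook such as npt.o returns. */
enum ptrace_state classify_ptrace_result(long rc, int err)
{
    if (rc == 0)
        return PTRACE_ALLOWED;
    if (err == EPERM)
        return PTRACE_BLOCKED;
    return PTRACE_PROBE_ERROR;          /* ESRCH, EBUSY, ...: inconclusive */
}

/* Fork a child that only sleeps, try to attach to it, detach, then reap it. */
enum ptrace_state probe_ptrace_attach(void)
{
    pid_t child = fork();
    if (child < 0)
        return PTRACE_PROBE_ERROR;
    if (child == 0) {
        for (;;)
            pause();                    /* child: idle until killed by the parent */
    }
    long rc = ptrace(PTRACE_ATTACH, child, NULL, NULL);
    int err = errno;
    if (rc == 0) {
        waitpid(child, NULL, 0);        /* collect the attach SIGSTOP */
        ptrace(PTRACE_DETACH, child, NULL, NULL);
    }
    kill(child, SIGKILL);               /* always clean up the probe child */
    waitpid(child, NULL, 0);
    return classify_ptrace_result(rc, err);
}

int main(void)
{
    static const char *msg[] = { "ptrace attach allowed: no ptrace restriction active",
                                 "ptrace attach denied (EPERM): ptrace is disabled",
                                 "probe inconclusive" };
    puts(msg[probe_ptrace_attach()]);
    return 0;
}
```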