Re: Wheezy is vulnerable to CVE-2013-2094
On 15 May 2013 12:50, Kees de Jong keesdej...@gmail.com wrote: Gavin, did you use the right exploit? The output looks like it's designed for a 2.6.37 kernel. I don't have a computer near me to check the exploit myself. Could you please verify you used the right exploit? Thanks! Hi Kees, I grabbed the source from here:- http://packetstormsecurity.com/files/121616/semtex.c Compiled it like so:- gavin@caelyn:~$ gcc -O2 semtex.c ./a.out As soon as I hit enter my kernel panics:- BUG: unable to handle kernel paging request at x. gavin@caelyn:~$ uname -a Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux gavin@caelyn:~$ gcc -v Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.7/lto-wrapper Target: x86_64-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Debian 4.7.2-5' --with-bugurl=file:///usr/share/doc/gcc-4.7/README.Bugs --enable-languages=c,c++,go,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.7 --enable-shared --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.7 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --enable-plugin --enable-objc-gc --with-arch-32=i586 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu Thread model: posix gcc version 4.7.2 (Debian 4.7.2-5) Platform: Dell XPS Laptop (Intel Core i7-3612QM) with 16GB RAM. Thanks, Gavin -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CAN=HbL+YvwKs99_AW3amHtX-_rKoYwz=yleo4s4xbjvqv_b...@mail.gmail.com
Re: Wheezy is vulnerable to CVE-2013-2094
On 14 May 2013 18:36, John Andreasson andreassonj...@gmail.com wrote: Hi. Was just alerted of a kernel bug in RHEL [1], but when testing the sample code on Wheezy as an unprivileged user it successfully gives me a root prompt. Kind of suboptimal. :-( Any idea when this is fixed? [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792 Hi John, I'm unable to replicate this 'issue' on my up to date Wheezy laptop. gavin@caelyn:~$ uname -a Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux When I run the compiled binary of this exploit as my unprivileged user I get the following error:- gavin@caelyn:~$ ./getroot 2.6.37-3.x x86_64 sd@f***sheep.org 2010 getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024, needle, 8)' failed. Aborted What kernel are you able to replicate this bug with ? -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CAN=HbLKvPKCop39STjdivBFGCaymjzmmH1FvfU=qNMitrNYJ=w...@mail.gmail.com
Re: Wheezy is vulnerable to CVE-2013-2094
On 14 May 2013 19:41, Gerald Turner gtur...@unzane.com wrote: Gavin netmatt...@gmail.com writes: On 14 May 2013 18:36, John Andreasson andreassonj...@gmail.com wrote: Was just alerted of a kernel bug in RHEL [1], but when testing the sample code on Wheezy as an unprivileged user it successfully gives me a root prompt. Kind of suboptimal. :-( Any idea when this is fixed? [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792 Hi John, I'm unable to replicate this 'issue' on my up to date Wheezy laptop. gavin@caelyn:~$ uname -a Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux When I run the compiled binary of this exploit as my unprivileged user I get the following error:- gavin@caelyn:~$ ./getroot 2.6.37-3.x x86_64 sd@f***sheep.org 2010 getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024, needle, 8)' failed. Aborted What kernel are you able to replicate this bug with ? At first I thought the same thing, however compile with -O2: $ gcc -O2 semtex.c ./a.out 2.6.37-3.x x86_64 s...@fucksheep.org 2010 root@xo-laptop:/tmp# uname -a Linux xo-laptop 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux Ok, if I compile with the -O2 then I don't get a root shell, however my kernel panics with:- BUG: unable to handle kernel paging request at x. Still not ideal. Thanks for the heads-up! -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CAN=hbljp+ngqx4d6mjeeppoeh_f7zw8efqvpmu1sc+ichg9...@mail.gmail.com