Re: Wheezy is vulnerable to CVE-2013-2094
On 05/15/2013 01:50 PM, Kees de Jong wrote:
> Gavin, did you use the right exploit? The output looks like it's
> designed for a 2.6.37 kernel. I don't have a computer near me to check
> the exploit myself. Could you please verify you used the right exploit?
> Thanks!

Bug is in 2.6.37-3.8.8, fixed in 3.8.9 and kernel must be compiled with PERF_EVENTS (default on most modern distros). Bug fixed in 3.8.10.

ref: https://news.ycombinator.com/item?id=5703758

Hope this helps.

Regards,
Riku
Re: Wheezy is vulnerable to CVE-2013-2094
On 15 May 2013 12:50, Kees de Jong wrote:
> Gavin, did you use the right exploit? The output looks like it's designed
> for a 2.6.37 kernel. I don't have a computer near me to check the exploit
> myself. Could you please verify you used the right exploit? Thanks!

Hi Kees,

I grabbed the source from here:-

http://packetstormsecurity.com/files/121616/semtex.c

Compiled it like so:-

gavin@caelyn:~$ gcc -O2 semtex.c && ./a.out

As soon as I hit enter my kernel panics:-

" BUG: unable to handle kernel paging request at x. "

gavin@caelyn:~$ uname -a
Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux

gavin@caelyn:~$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.7/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.7.2-5' --with-bugurl=file:///usr/share/doc/gcc-4.7/README.Bugs --enable-languages=c,c++,go,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.7 --enable-shared --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.7 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --enable-plugin --enable-objc-gc --with-arch-32=i586 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.7.2 (Debian 4.7.2-5)

Platform: Dell XPS Laptop (Intel Core i7-3612QM) with 16GB RAM.

Thanks,
Gavin
Re: Wheezy is vulnerable to CVE-2013-2094
Gavin, did you use the right exploit? The output looks like it's designed for a 2.6.37 kernel. I don't have a computer near me to check the exploit myself. Could you please verify you used the right exploit? Thanks!
Re: Wheezy is vulnerable to CVE-2013-2094
Hi all.

I confirm the exploit is working on Debian wheezy with kernel 3.2.0-4-rt-amd64 with the gcc -O2 option.

On 05/15/2013 12:20 AM, Gavin wrote:
> On 14 May 2013 19:41, Gerald Turner wrote:
>> Gavin writes:
>>> On 14 May 2013 18:36, John Andreasson wrote:
>>>> Was just alerted of a kernel bug in RHEL [1], but when testing the
>>>> sample code on Wheezy as an unprivileged user it successfully gives
>>>> me a root prompt. Kind of suboptimal. :-(
>>>>
>>>> Any idea when this is fixed?
>>>>
>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
>>>
>>> Hi John,
>>>
>>> I'm unable to replicate this 'issue' on my up to date Wheezy laptop.
>>>
>>> gavin@caelyn:~$ uname -a
>>> Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux
>>>
>>> When I run the compiled binary of this exploit as my unprivileged user
>>> I get the following error:-
>>>
>>> gavin@caelyn:~$ ./getroot
>>> 2.6.37-3.x x86_64
>>> sd@f***sheep.org 2010
>>> getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024,
>>> &needle, 8)' failed.
>>> Aborted
>>>
>>> What kernel are you able to replicate this bug with ?
>>
>> At first I thought the same thing, however compile with -O2:
>>
>> $ gcc -O2 semtex.c && ./a.out
>> 2.6.37-3.x x86_64
>> s...@fucksheep.org 2010
>> root@xo-laptop:/tmp# uname -a
>> Linux xo-laptop 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux
>
> Ok, if I compile with the -O2 then I don't get a root shell, however
> my kernel panics with:-
>
> BUG: unable to handle kernel paging request at x.
>
> Still not ideal.
>
> Thanks for the heads-up!
Re: Wheezy is vulnerable to CVE-2013-2094
On 14 May 2013 19:41, Gerald Turner wrote:
> Gavin writes:
>> On 14 May 2013 18:36, John Andreasson wrote:
>>> Was just alerted of a kernel bug in RHEL [1], but when testing the
>>> sample code on Wheezy as an unprivileged user it successfully gives
>>> me a root prompt. Kind of suboptimal. :-(
>>>
>>> Any idea when this is fixed?
>>>
>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
>>
>> Hi John,
>>
>> I'm unable to replicate this 'issue' on my up to date Wheezy laptop.
>>
>> gavin@caelyn:~$ uname -a
>> Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux
>>
>> When I run the compiled binary of this exploit as my unprivileged user
>> I get the following error:-
>>
>> gavin@caelyn:~$ ./getroot
>> 2.6.37-3.x x86_64
>> sd@f***sheep.org 2010
>> getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024,
>> &needle, 8)' failed.
>> Aborted
>>
>> What kernel are you able to replicate this bug with ?
>
> At first I thought the same thing, however compile with -O2:
>
> $ gcc -O2 semtex.c && ./a.out
> 2.6.37-3.x x86_64
> s...@fucksheep.org 2010
> root@xo-laptop:/tmp# uname -a
> Linux xo-laptop 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux

Ok, if I compile with the -O2 then I don't get a root shell, however my kernel panics with:-

BUG: unable to handle kernel paging request at x.

Still not ideal.

Thanks for the heads-up!
Re: Wheezy is vulnerable to CVE-2013-2094
Gavin writes:
> On 14 May 2013 18:36, John Andreasson wrote:
>> Was just alerted of a kernel bug in RHEL [1], but when testing the
>> sample code on Wheezy as an unprivileged user it successfully gives
>> me a root prompt. Kind of suboptimal. :-(
>>
>> Any idea when this is fixed?
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
>
> Hi John,
>
> I'm unable to replicate this 'issue' on my up to date Wheezy laptop.
>
> gavin@caelyn:~$ uname -a
> Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux
>
> When I run the compiled binary of this exploit as my unprivileged user
> I get the following error:-
>
> gavin@caelyn:~$ ./getroot
> 2.6.37-3.x x86_64
> sd@f***sheep.org 2010
> getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024,
> &needle, 8)' failed.
> Aborted
>
> What kernel are you able to replicate this bug with ?

At first I thought the same thing, however compile with -O2:

$ gcc -O2 semtex.c && ./a.out
2.6.37-3.x x86_64
s...@fucksheep.org 2010
root@xo-laptop:/tmp# uname -a
Linux xo-laptop 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux

--
Gerald Turner
Email: gtur...@unzane.com
JID: gtur...@unzane.com
GPG: 0xFA8CD6D5 21D9 B2E8 7FE7 F19E 5F7D 4D0C 3FA0 810F FA8C D6D5
Re: Wheezy is vulnerable to CVE-2013-2094
On Tuesday, May 14, 2013, Gavin wrote:
> On 14 May 2013 18:36, John Andreasson wrote:
> >
> > Hi.
> >
> > Was just alerted of a kernel bug in RHEL [1], but when testing the
> > sample code on Wheezy as an unprivileged user it successfully gives me a
> > root prompt. Kind of suboptimal. :-(
> >
> > Any idea when this is fixed?
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
>
> Hi John,
>
> I'm unable to replicate this 'issue' on my up to date Wheezy laptop.
>
> gavin@caelyn:~$ uname -a
> Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux
>
> When I run the compiled binary of this exploit as my unprivileged user
> I get the following error:-
>
> gavin@caelyn:~$ ./getroot
> 2.6.37-3.x x86_64
> sd@f***sheep.org 2010
> getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024,
> &needle, 8)' failed.
> Aborted
>
> What kernel are you able to replicate this bug with ?
>

Hi.

I'm on the same kernel version/arch. Did you compile with -O2? I had to compile with that flag for it to work.
Re: Wheezy is vulnerable to CVE-2013-2094
On Tue, May 14, 2013 at 09:36:12AM -0700, John Andreasson wrote:
> Hi.
>
> Was just alerted of a kernel bug in RHEL [1], but when testing the sample
> code on Wheezy as an unprivileged user it successfully gives me a root
> prompt. Kind of suboptimal. :-(
>
> Any idea when this is fixed?

We're investigating it now and will provide a fix ASAP.

-dann

> [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792
Re: Wheezy is vulnerable to CVE-2013-2094
On 14 May 2013 18:36, John Andreasson wrote:
>
> Hi.
>
> Was just alerted of a kernel bug in RHEL [1], but when testing the sample
> code on Wheezy as an unprivileged user it successfully gives me a root
> prompt. Kind of suboptimal. :-(
>
> Any idea when this is fixed?
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=962792

Hi John,

I'm unable to replicate this 'issue' on my up to date Wheezy laptop.

gavin@caelyn:~$ uname -a
Linux caelyn 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux

When I run the compiled binary of this exploit as my unprivileged user I get the following error:-

gavin@caelyn:~$ ./getroot
2.6.37-3.x x86_64
sd@f***sheep.org 2010
getroot: getroot.c:81: main: Assertion `p = memmem(code, 1024, &needle, 8)' failed.
Aborted

What kernel are you able to replicate this bug with ?