Message-ID: <20031205224124.GM4654@gwolf.cx>
Date: Fri, 5 Dec 2003 16:41:24 -0600
From: Gunnar Wolf <gwolf@...lf.cx>
To: Goetz Babin-Ebell <babin-ebell@...stcenter.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: Hot fix for do_brk bug
Goetz Babin-Ebell said [Fri, Dec 05, 2003 at 10:31:27PM +0100]:
> >I've written a linux kernel module that can be used to hot fix a
> >Linux system for the bug in do_brk. It scans the
> >kernel space and replaces jmp and calls to do_brk
> >to point to a wrapper routine instead. It also maps
> >the symbol table to point to the wrapper. This only
> >works on x86 and it has only been tested with RH kernels
> >2.4.18-27.7.xsmp and 2.4.20-20.7smp. It is quite possible
> >this could crash or screw-up a system, so use at your own
> >risk. I've tested the module against the proof of concept code
> >written and posted by Christophe Devine. The module catches
> >the exploit and logs the attempt.
>
> It would be less intrusive to the kernel to supply a fixed do_brk()
> and replace the do_brk with a jump to your version.
>
> This way you only have to touch one place
> in the kernel space (and no guesswork, no modification
> of kernel data that might look like a pointer to do_brk()
> but is really something else...)
Not only that: in order to be really effective, the hotfix would
need to remain active and check each module loaded into the kernel,
as modules might point to the real do_brk() call. Yes, it becomes
_much_ harder for an intruder to exploit it, but the patch is not
perfect.
...But anyway, it is quite welcome, a very valuable work. Of course,
the only way out of troubles is to install a new kernel. Sadly, many
people handle uptimes as pissing contests and disregard updating their
systems.
Greetings,
--
Gunnar Wolf - gwolf@...lf.cx - (+52-55)5630-9700 ext. 1366
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF
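The two hot-fix strategies discussed in this thread, simulated on a constructed flat byte image rather than a real kernel. This is an added example, not the module the original poster wrote and not code from either correspondent. It assumes x86 5-byte near call (E8 rel32) and near jmp (E9 rel32) encodings; the addresses DO_BRK, WRAPPER, the call sites and the "data that looks like a call" are all constructed for illustration. It shows the two caveats raised above: a linear scan for calls to do_brk() can rewrite data bytes that merely decode as such a call, and a module loaded after the scan still reaches the real do_brk(), whereas a single jmp at the function entry touches 5 bytes and catches later callers too.

```python
import struct

DO_BRK = 0x100      # constructed address of the real do_brk()
WRAPPER = 0x400     # constructed address of the hot-fix wrapper routine
CALL, JMP = 0xE8, 0xE9   # x86 near call / near jmp, each with a rel32 operand


def rel32(insn_addr, target):
    """Displacement for a 5-byte E8/E9 instruction at insn_addr reaching target."""
    return struct.pack("<i", target - (insn_addr + 5))


def build_image():
    """Construct a toy 0x500-byte 'kernel image' (constructed, not a real kernel).

    Returns the image and the set of offsets that are data, not code.
    """
    img = bytearray(b"\x90" * 0x500)        # NOP filler everywhere
    img[DO_BRK] = 0xC3                      # real do_brk() body: just RET in the toy
    img[WRAPPER] = 0xC3                     # wrapper body: just RET in the toy
    for site in (0x20, 0x2C0):              # two genuine call sites
        img[site] = CALL
        img[site + 1:site + 5] = rel32(site, DO_BRK)
    # A data table at 0x300 whose bytes happen to decode as 'call do_brk'.
    data_site = 0x300
    img[data_site] = CALL
    img[data_site + 1:data_site + 5] = rel32(data_site, DO_BRK)
    return bytes(img), {data_site}


def find_calls_to(img, target):
    """Linear byte scan for E8 rel32 whose computed target is `target`.

    It has no notion of instruction boundaries, which is exactly the guesswork
    the thread warns about: any 5 bytes that decode right are reported.
    """
    sites = []
    for i in range(len(img) - 4):
        if img[i] == CALL:
            disp = struct.unpack_from("<i", img, i + 1)[0]
            if i + 5 + disp == target:
                sites.append(i)
    return sites


def redirect_calls(img, old, new):
    """Strategy 1: rewrite every call that appears to target `old` so it targets `new`."""
    img = bytearray(img)
    sites = find_calls_to(img, old)
    for s in sites:
        img[s + 1:s + 5] = rel32(s, new)
    return bytes(img), sites


def patch_entry(img, func, wrapper):
    """Strategy 2: overwrite the first 5 bytes of `func` with 'jmp wrapper'.

    (A real wrapper would also have to preserve and re-execute the displaced
    instructions to reach the original body; that is not modelled here.)
    """
    img = bytearray(img)
    img[func] = JMP
    img[func + 1:func + 5] = rel32(func, wrapper)
    return bytes(img)


def load_module(img, at):
    """Place a constructed module call site at `at` calling the real do_brk(),
    as a module linked against the exported symbol would after the scan ran."""
    img = bytearray(img)
    img[at] = CALL
    img[at + 1:at + 5] = rel32(at, DO_BRK)
    return bytes(img)


def effective_target(img, site):
    """Where control ends up after the call at `site`, following one entry jmp."""
    disp = struct.unpack_from("<i", img, site + 1)[0]
    dest = site + 5 + disp
    if img[dest] == JMP:
        disp = struct.unpack_from("<i", img, dest + 1)[0]
        dest = dest + 5 + disp
    return dest


def compare_strategies(module_site=0x480):
    img, data_sites = build_image()
    # Strategy 1: scan-and-rewrite, then a module loads afterwards.
    img1, rewritten = redirect_calls(img, DO_BRK, WRAPPER)
    img1 = load_module(img1, module_site)
    # Strategy 2: single entry jmp, then the same module loads.
    img2 = load_module(patch_entry(img, DO_BRK, WRAPPER), module_site)
    return {
        "rewritten_sites": rewritten,
        "corrupted_data_sites": sorted(set(rewritten) & data_sites),
        "module_lands_strategy1": effective_target(img1, module_site),
        "module_lands_strategy2": effective_target(img2, module_site),
        "existing_call_lands_strategy2": effective_target(img2, 0x20),
    }


if __name__ == "__main__":
    for k, v in compare_strategies().items():
        print(f"{k}: {v if not isinstance(v, int) else hex(v)}")
```

Running it shows strategy 1 rewriting the data bytes at 0x300 along with the two genuine call sites, and the later-loaded module still landing on the real do_brk(); strategy 2 leaves the data alone and sends both the existing callers and the module's call through the wrapper.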