lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050512002902.GA21778@felinemenace.org>
Date: Thu, 12 May 2005 00:29:02 +0000
From: Andrew Griffiths <andrewg@...inemenace.org>
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
	vulnwatch@...nwatch.org
Subject: Re: Linux kernel ELF core dump privilege elevation (kernel module workaround)


On Wed, May 11, 2005 at 01:08:56PM +0200, Paul Starzetz wrote:
> 
> Impact:
> =======
> 
> Unprivileged local users may gain elevated (root) privileges.  Code  may
> be  executed  at  the kernel privilege level potentially breaking out of
> Linux virtual machines. A hotfix for this vulnerability is  to  disallow
> processes  to  drop  core.  This can be accomplished by setting the hard
> core size limit to 0.
> 
> 

Some code for doing this in kernel space is at
http://felinemenace.org/~andrewg/safecore/ 

It loops over all processes and sets the soft limit and hard limit for
processes to 0. The limits.conf measure isn't entirely enough if people
have screen sessions, or you have various daemons running etc. 

Here is the output of the PoC code failing:

[+] Compiling...elfcd1.c: In function `main':
elfcd1.c:48: warning: implicit declaration of function
`strlen'
elfcd1.c:54: warning: implicit declaration of function
`memset'
elfcd1.c:60: warning: implicit declaration of function
`strcmp'
[+] ./elfcd1 argv_start=0xbffff791 argv_end=0xbffff799
ESP: 0xbffff5e0
setrlimit: Operation not permitted

This code has been tested twice so far, one on a non-production box, and
one of a production box. I'd like to thank mercy for doing the initial
test for me as I didn't have an test boxes nearby. It has been only
tested on 2.4 series kernels.

If it does break anything, I'd like to know. Granted, doesn't mean I can
do anything with it to make it work for you, as it works for me (tm).


Enjoy,
Andrew Griffiths


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ