lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1115862407.9965.55.camel@localhost>
Date: Thu, 12 May 2005 02:46:47 +0100
From: antoine <antoine@...afix.co.uk>
To: security@...c.pl
Cc: bugtraq@...urityfocus.com
Subject: Re: Linux kernel ELF core dump privilege elevation


Paul,

I failed to crash any of my test machines, x86_86 based systems get the
same result as reported by Bruno Lustosa (segfaults), x86 system exit
after printing ".. to crash" as do UML x86 systems. SELinux exits with:
"[+] phase 2, <RET> to crash Killed" but interestingly do not cause any
audit event.

I just stumbled upon another bug which does crash systems reliably, it
only works on x86_64 (maybe other 64 bit archs?). No CVE, and not sure
it can be used for privilege escalation, but it does crash hard:
"It is a kernel bug that allows to set non canonical addresses in 64bit
segment registers through ptrace." Andi Kleen on LKML.
It is being worked on. The (accidental) code that triggered it is
contained in a UML instance (kernel + filesystem and commands) - too big
and suboptimal to be published here and much smaller PoC code is doable.

Antoine


On Wed, 2005-05-11 at 13:08 +0200, Paul Starzetz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> since it became clear from the discussion in January about the uselib() 
> vulnerability, that the Linux community prefers full, non-embargoed 
> disclosure of kernel bugs, I release full details right now. However to 
> follows at least some of the responsable disclosure rules, no exploit code will be 
> released. Instead, only a proof-of-concept code is released to demonstrate 
> the vulnerability.
> 
> regards
> 
> - -- 
> Paul Starzetz
> iSEC Security Research
> http://isec.pl/
> 
> 
> Synopsis:  Linux kernel ELF core dump privilege elevation
(...)



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ