lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1073429825.6468.67.camel@unsigned.local.fr>
From: info16 at ifrance.com (Pierre BETOUIN)
Subject: Re: Linux kernel do_mremap()
	proof-of-concept exploit code

That's true. The piece of vulnerable code is here :

#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
                if (current->flags & PF_PAX_SEGMEXEC) {
                        if (new_len > SEGMEXEC_TASK_SIZE || new_addr
					> SEGMEXEC_TASK_SIZE-new_len)
                        goto out;
                } else
#endif  

The PoC can be easily adapted.

	Pierre

Le mar 06/01/2004 ? 21:34, backblue a ?crit :
> On Tue, 6 Jan 2004 11:47:26 -0700
> "Epic" <epic@...k3r.com> wrote:
> 
> > I too tested it on my 2.4.23 kernel with grsec, and nothing.
> > 
> > 
> > ----- Original Message ----- 
> > From: "Daniel Husand" <io@...v.us>
> > To: <full-disclosure@...ts.netsys.com>
> > Sent: Tuesday, January 06, 2004 10:54 AM
> > Subject: [Full-Disclosure] Re: Linux kernel do_mremap() proof-of-concept
> > exploit code
> > 
> > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Christophe Devine wrote:
> > >
> > > | The following program can be used to test if a x86 Linux system
> > > | is vulnerable to the do_mremap() exploit; use at your own risk.
> > > |
> > > | $ cat mremap_poc.c
> > > |
> > >
> > > This didnt do anything on my 2.4.23-grsec kernel.
> > >
> > > - --
> > > Daniel
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.3 (MingW32)
> > > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> > >
> > > iD8DBQE/+vZz1PIgHh6MkiIRAiqNAKCiuyxtA9rgaAS+eT3o9ATvLE7EuQCeJAZP
> > > Xf8JIDehgtGba4b1Eb2Qv0w=
> > > =xyYM
> > > -----END PGP SIGNATURE-----

-- 
Pierre BETOUIN
	http://securitech.homeunix.org
	http://www.challenge-securitech.com
GnuPG key : E7AD 29A1 7345 5BA0 9469  DE62 2CD5 9242 94D9 CB23
lynx -dump securitech.homeunix.org/pbetouin.asc | gpg --import
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Ceci est une partie de message
	=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e=2E?=
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040106/d09b11ed/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ