Mailing List Archive

about the recent ELF kernel bug
hi everyone,

Has anyone got a clue on how the proof of concept code should behave on
vulnerable and not vulnerable machines?

On a PaX+grsecurity hardened server, it outputs:

[+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc ESP: 0xb47b1890
[+] phase 1
[+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432 ESP: 0xb5e03930
[+] phase2, <RET> to crash Killed

and doesn't core-dump. Also, there is no warning in the logs about the
process's segmentation violation...

On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8
kernels) the results are consistent but different from the hardened server:

pjlv@archon test $ ./elfcd1

[+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff ESP: 0xbfffedb0
[+] phase 1
[+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2 ESP: 0xbfff6e80
[+] phase 2, <RET> to crash Segmentation fault (core dumped)

and core-dumps.

any help? is the hardened server secure? I suppose so, since it didn't core
dump.

regards,
pedro venda.
--

Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org
http://arrakis.dhis.org
Re: [gentoo-hardened] about the recent ELF kernel bug
Hi there,

On 5/13/05, Pedro Venda <pjvenda@arrakis.dhis.org> wrote:
> hi everyone,
>
> Has anyone got a clue on how the proof of concept code should behave on
> vulnerable and not vulnerable machines?
>
> On a PaX+grsecurity hardened server, it outputs:
>
> [+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc ESP: 0xb47b1890
> [+] phase 1
> [+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432 ESP: 0xb5e03930
> [+] phase2, <RET> to crash Killed
>
> and doesn't core-dump. Also, there is no warning in the logs about the
> process's segmentation violation...
>
> On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8
> kernels) the results are consistent but different from the hardened server:
>
> pjlv@archon test $ ./elfcd1
>
> [+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff ESP: 0xbfffedb0
> [+] phase 1
> [+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2 ESP: 0xbfff6e80
> [+] phase 2, <RET> to crash Segmentation fault (core dumped)
>
> and core-dumps.
>
> any help? is the hardened server secure? I suppose so, since it didn't core
> dump.
>

From what I understood, a core dump doesn't mean the PoC worked.
But I could be wrong...

> regards,
> pedro venda.
> --
>
> Pedro João Lopes Venda
> email: pjvenda < at > arrakis.dhis.org
> http://arrakis.dhis.org

best regards, and hugs to you pj! :-p



--
Miguel Sousa Filipe

--
gentoo-security@gentoo.org mailing list
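The two shell messages quoted in this thread, "Killed" and "Segmentation fault (core dumped)", are only the shell's rendering of the child's wait status: WTERMSIG() names the signal that terminated the process, and WCOREDUMP() is set only when the kernel actually wrote a core file. The C program below is an added example written for this page; it is not the elfcd1 proof of concept and not code posted by anyone in the thread. It forks constructed children that die by SIGSEGV and by SIGKILL and decodes their status the same way a shell does. It assumes Linux with glibc (for _GNU_SOURCE, WCOREDUMP and strsignal); the fault address 8 and all function names are my own choices.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decoded wait status of a child process. */
struct outcome {
    int exited, exit_code;   /* normal exit and its status           */
    int signaled, termsig;   /* killed by a signal and which one     */
    int coredumped;          /* kernel says it actually wrote a core */
};

/* Run action() in a forked child, wait for it and decode the status.
 * want_core raises the child's soft RLIMIT_CORE to its hard limit;
 * otherwise the limit is set to 0 so no core can be written at all. */
static struct outcome run_child(void (*action)(void), int want_core)
{
    struct outcome o = {0, 0, 0, 0, 0};
    int status = 0;
    pid_t pid = fork();

    if (pid < 0) { perror("fork"); exit(1); }
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_CORE, &rl) == 0) {
            rl.rlim_cur = want_core ? rl.rlim_max : 0;
            setrlimit(RLIMIT_CORE, &rl);
        }
        action();
        _exit(0); /* only reached if action() returns */
    }
    if (waitpid(pid, &status, 0) != pid) { perror("waitpid"); exit(1); }
    if (WIFEXITED(status)) {
        o.exited = 1;
        o.exit_code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        o.signaled = 1;
        o.termsig = WTERMSIG(status);
        o.coredumped = WCOREDUMP(status) ? 1 : 0; /* glibc/musl macro */
    }
    return o;
}

/* Render the outcome the way an interactive shell reports a finished job,
 * e.g. "Killed" or "Segmentation fault (core dumped)". Static buffer. */
static const char *describe(const struct outcome *o)
{
    static char buf[128];
    const char *name;
    if (o->exited) {
        snprintf(buf, sizeof buf, "exited with status %d", o->exit_code);
        return buf;
    }
    switch (o->termsig) {
    case SIGSEGV: name = "Segmentation fault"; break;
    case SIGKILL: name = "Killed"; break;
    case SIGABRT: name = "Aborted"; break;
    case SIGBUS:  name = "Bus error"; break;
    default:      name = strsignal(o->termsig); break;
    }
    snprintf(buf, sizeof buf, "%s%s", name,
             o->coredumped ? " (core dumped)" : "");
    return buf;
}

static const char *run_and_describe(void (*action)(void), int want_core)
{
    struct outcome o = run_child(action, want_core);
    return describe(&o);
}

/* Constructed child bodies standing in for a PoC's "crash" phase. */
static void crash_with_segv(void)
{
    /* Store far below mmap_min_addr. The address is loaded from a volatile
     * so the compiler cannot fold a constant NULL store into a trap insn. */
    volatile uintptr_t bad = 8;
    *(volatile char *)bad = 'A';
}

static void die_with_sigkill(void)
{
    kill(getpid(), SIGKILL); /* uncatchable, and never dumps core */
    pause();
}

int main(void)
{
    printf("segv child   : %s\n", run_and_describe(crash_with_segv, 1));
    printf("segv, limit 0: %s\n", run_and_describe(crash_with_segv, 0));
    printf("sigkill child: %s\n", run_and_describe(die_with_sigkill, 1));
    return 0;
}
```

Build with `cc -Wall -o waitstatus waitstatus.c`. With `ulimit -c unlimited` (and a core_pattern the kernel can use) the first line reads "Segmentation fault (core dumped)"; with the limit at 0 the same fault reads plain "Segmentation fault", because the kernel sets the core flag only after it has written the file. A process terminated by SIGKILL cannot dump core, so "Killed" without a core file is the expected output whichever component sent the signal. Either way the status only says how the process died, not whether it reached the code path a PoC is trying to hit.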
Re: about the recent ELF kernel bug
I failed to crash any of my test systems with that exploit, hardened or
not. And no one else seems to have confirmed that it does work.
I can, however, crash x86_64 systems with another unfixed bug (up to
2.6.12-rc4).

Antoine

On Fri, 2005-05-13 at 15:09 +0100, Pedro Venda wrote:
> hi everyone,
>
> Has anyone got a clue on how the proof of concept code should behave on
> vulnerable and not vulnerable machines?
>
> On a PaX+grsecurity hardened server, it outputs:
>
> [+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc ESP: 0xb47b1890
> [+] phase 1
> [+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432 ESP: 0xb5e03930
> [+] phase2, <RET> to crash Killed
>
> and doesn't core-dump. Also, there is no warning in the logs about the
> process's segmentation violation...
>
> On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8
> kernels) the results are consistent but different from the hardened server:
>
> pjlv@archon test $ ./elfcd1
>
> [+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff ESP: 0xbfffedb0
> [+] phase 1
> [+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2 ESP: 0xbfff6e80
> [+] phase 2, <RET> to crash Segmentation fault (core dumped)
>
> and core-dumps.
>
> any help? is the hardened server secure? I suppose so, since it didn't core
> dump.
>
> regards,
> pedro venda.
