Gentoo Linux Security Advisory GLSA 200403-02
http://security.gentoo.org

  Severity: High
     Title: Linux kernel do_mremap local privilege escalation vulnerability
      Date: March 06, 2004
      Bugs: #42024
        ID: 200403-02

Reproducible: Always
Steps to Reproduce:

Hello,

You say that gentoo-sources-2.4.22-r7 is not affected by the do_mremap local privilege escalation vulnerability.

I have read the mail on Full-Disclosure:

Synopsis: Linux kernel do_mremap VMA limit local privilege escalation vulnerability
Product: Linux kernel
Version: 2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2
Vendor: http://www.kernel.org/
URL: http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
CVE: CAN-2004-0077
Author: Paul Starzetz <ihaquer@isec.pl>
Date: March 1, 2004

I decided to test the source code on my Gentoo box.

me@dell me $ uname -a
Linux dell.zataz.net 2.4.22-gentoo-r7 #1 Thu Feb 19 09:51:03 CET 2004 i686 GNU/Linux

me@dell me $ id
uid=1000(me) gid=407(untrusted) groups=407(untrusted),10(wheel),440(cvs)

me@dell me $ ./mremap2

[+] kernel 2.4.22-gentoo-r7 vulnerable: YES exploitable YES
MMAP #56832 0x4ea00000 - 0x4ea01000Segmentation fault
me@dell me $
Message from syslogd@dell at Mon Mar 8 07:35:57 2004 ...
dell kernel: grsec: From xxx.xxx.xxx.xxx: signal 11 sent to (mremap2:7016) UID(1000) EUID(1000), parent (bash:2768) UID(1000) EUID(1000)

Message from syslogd@dell at Mon Mar 8 07:35:57 2004 ...
dell kernel: grsec: From xxx.xxx.xxx.xxx: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (mremap2:7016) UID(1000) EUID(1000), parent (bash:2768) UID(1000) EUID(1000)

How can you explain these results?

Regards.
Eric
Same problem on recently emerged wolk-sources-4.9r4.

[+] kernel 2.4.20-wolk4.9s vulnerable: YES exploitable YES
MMAP #65530 0x50bfa000 - 0x50bfb000
[-] Failed

Regards,
Cammy.
OK; a few people have already asked about the strange output given, so I'll just paste in a mail reply I sent out.

---

> Hello,
>
> You say that the gentoo-sources-2.4.22-r7 is not affected
> by do_mremap local privilege escalation vulnerability.
>
> I have read the mail on Full-Disclosure:
>
> Version: 2.2 up to and including 2.2.25, 2.4 up to and including
> 2.4.24, 2.6 up to and including 2.6.2

Yes, I released 2.4.22-r7 with the patch for the vulnerability.

> I decided to test the source code on my gentoo box.
>
> me@dell me $ uname -a
> Linux dell.zataz.net 2.4.22-gentoo-r7 #1 Thu Feb 19 09:51:03 CET 2004
> i686 GNU/Linux
>
> me@dell me $ id
> uid=1000(me) gid=407(untrusted) groups=407(untrusted),10(wheel),440(cvs)
>
> me@dell me $ ./mremap2
>
> [+] kernel 2.4.22-gentoo-r7 vulnerable: YES exploitable YES
> MMAP #56832 0x4ea00000 - 0x4ea01000Segmentation fault
> me@dell me $
> Message from syslogd@dell at Mon Mar 8 07:35:57 2004 ...
> dell kernel: grsec: From xxx.xxx.xxx.xxx: signal 11 sent to
> (mremap2:7016) UID(1000) EUID(1000), parent (bash:2768) UID(1000)
> EUID(1000)
>
> Message from syslogd@dell at Mon Mar 8 07:35:57 2004 ...
> dell kernel: grsec: From xxx.xxx.xxx.xxx: attempted resource overstep
> by requesting 4096 for RLIMIT_CORE against limit 0 by (mremap2:7016)
> UID(1000) EUID(1000), parent (bash:2768) UID(1000) EUID(1000)
>
> How can you explain these results?

The "vulnerable: YES exploitable YES" line is a bad way of testing the vulnerability of the kernel in the code posted to Full-Disclosure by iSEC. What it does, basically, is just check the kernel version (whether it's 2.4.25+) and give a result from that, rather than actually checking whether it's vulnerable, or a vulnerable version with the patch applied that makes it unaffected by the issue. So you should just ignore that line.
The reason you get a Segmentation Fault is that GRSecurity zaps the application before it even has time to test the exploit. Basically, that exploit would end up with a result of "Failed" on 2.4.22-gentoo-r7 without GRSecurity, and it should just segfault as it did if you have GRSecurity. As you don't get a "Success" output, you're safe from the issue.

Thanks.

---
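The point made in the reply above, that the exploit's "vulnerable: YES" verdict comes from the release string and not from what the kernel actually does, can be shown with a small version-range check. The C program below is an added example written for this page; it is not the iSEC exploit code, Gentoo's code, or the bug reporter's. It assumes only the affected ranges listed in the advisory quoted in comment #0 (2.2.x up to and including 2.2.25, 2.4.x up to and including 2.4.24, 2.6.x up to and including 2.6.2); the function names are mine, and the sample release strings are constructed from the ones in this thread plus a few boundary cases.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

/* Parse "MAJOR.MINOR.PATCH[-suffix]" as printed by `uname -r`.
 * Everything after the third number (e.g. "-gentoo-r7") is ignored,
 * which is exactly why a vendor kernel with a backported fix is
 * indistinguishable from an unpatched one to a check like this.
 * Returns 0 on success, -1 if the string is not a version triple. */
static int parse_release(const char *rel, int *maj, int *min, int *pat)
{
    long v[3];
    char *end;
    for (int i = 0; i < 3; i++) {
        v[i] = strtol(rel, &end, 10);
        if (end == rel || v[i] < 0)
            return -1;                 /* no digits, or a negative number */
        rel = end;
        if (i < 2) {
            if (*rel != '.')
                return -1;             /* expected a dot between components */
            rel++;
        }
    }
    *maj = (int)v[0];
    *min = (int)v[1];
    *pat = (int)v[2];
    return 0;
}

/* Affected ranges as given in the advisory quoted in comment #0 (assumption:
 * nothing outside those three series is treated as affected).
 * Returns 1 if the release string falls inside one of the ranges, 0 if it
 * does not, -1 if the string cannot be parsed. Note that a "1" here says
 * nothing about backported patches; it is a statement about the string. */
int version_in_affected_range(const char *rel)
{
    int maj, min, pat;
    if (parse_release(rel, &maj, &min, &pat) != 0)
        return -1;
    if (maj != 2)
        return 0;                      /* advisory lists only 2.x kernels */
    switch (min) {
    case 2:  return pat <= 25;         /* 2.2 up to and including 2.2.25 */
    case 4:  return pat <= 24;         /* 2.4 up to and including 2.4.24 */
    case 6:  return pat <= 2;          /* 2.6 up to and including 2.6.2  */
    default: return 0;                 /* 2.3/2.5 development series not listed */
    }
}

int main(void)
{
    /* Constructed sample strings; the first two are the ones from this thread. */
    const char *samples[] = {
        "2.4.22-gentoo-r7",            /* patched by the vendor, still "in range" */
        "2.4.20-wolk4.9s",
        "2.4.24",
        "2.4.25",
        "2.6.2",
        "2.6.3",
    };
    struct utsname u;

    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-20s in affected range: %d\n", samples[i],
               version_in_affected_range(samples[i]));

    /* Same check against the running kernel's release string. */
    if (uname(&u) == 0)
        printf("%-20s in affected range: %d (this host)\n",
               u.release, version_in_affected_range(u.release));
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run: both release strings from this thread come back as 1 even though the 2.4.22-gentoo-r7 kernel carries the fix, because the suffix that records the vendor patch level is discarded before the comparison. That is the gap the reply describes; the only result that reflects the kernel's behaviour is the "Success"/"Failed" line the exploit prints after it actually attempts the operation.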
Closing; please see comment #2.