Summary: | Linux kernel do_mremap local privilege escalation vulnerability | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Romang <zataz>
Component: | GLSA Errors | Assignee: | Gentoo Security <security>
Status: | RESOLVED INVALID | |
Severity: | critical | CC: | x86-kernel
Priority: | High | |
Version: | unspecified | |
Hardware: | x86 | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Description
Romang
2004-03-07 22:40:03 UTC
Same problem on recently emerged wolk-sources-4.9r4.

[+] kernel 2.4.20-wolk4.9s vulnerable: YES exploitable YES
MMAP #65530 0x50bfa000 - 0x50bfb000
[-] Failed

Regards, Cammy.

OK; a few people have already asked about the strange output given, so I'll just paste in a mail reply I sent out.

---

> Hello,
>
> You say that the gentoo-sources-2.4.22-r7 is not affected
> by the do_mremap local privilege escalation vulnerability.
>
> I have read the mail on Full-Disclosure:
>
> Version: 2.2 up to and including 2.2.25, 2.4 up to and including
> 2.4.24, 2.6 up to and including 2.6.2

Yes, I released 2.4.22-r7 with the patch for the vulnerability.

> I decided to test the source code on my Gentoo box.
>
> me@dell me $ uname -a
> Linux dell.zataz.net 2.4.22-gentoo-r7 #1 Thu Feb 19 09:51:03 CET 2004 i686 GNU/Linux
>
> me@dell me $ id
> uid=1000(me) gid=407(untrusted) groups=407(untrusted),10(wheel),440(cvs)
>
> me@dell me $ ./mremap2
>
> [+] kernel 2.4.22-gentoo-r7 vulnerable: YES exploitable YES
> MMAP #56832 0x4ea00000 - 0x4ea01000Segmentation fault
> me@dell me $
> Message from syslogd@dell at Mon Mar 8 07:35:57 2004 ...
> dell kernel: grsec: From xxx.xxx.xxx.xxx: signal 11 sent to (mremap2:7016) UID(1000) EUID(1000), parent (bash:2768) UID(1000) EUID(1000)
>
> Message from syslogd@dell at Mon Mar 8 07:35:57 2004 ...
> dell kernel: grsec: From xxx.xxx.xxx.xxx: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (mremap2:7016) UID(1000) EUID(1000), parent (bash:2768) UID(1000) EUID(1000)
>
> How can you explain these results?

The "vulnerable: YES exploitable YES" line is a bad way of testing the vulnerability of the kernel by the code posted to Full-Disclosure by iSEC. What it does, basically, is just check the kernel version (whether it's 2.4.25+) and give a result from that, rather than actually checking whether it's vulnerable, or a vulnerable version but with the patch to make it unaffected by the issue.

So you should just ignore that line. The reason you get a Segmentation Fault is because GRSecurity zaps the application before it even has time to test the exploit: basically, that exploit would end up with a result of "Failed" on 2.4.22-gentoo-r7 without GRSecurity, and it should just segfault as it did if you have GRSecurity. As you don't get a "Success" output, you're safe from the issue.

Thanks.

---

Closing; please see comment #2.
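The maintainer's point above, that the posted checker only compares the kernel version string and therefore flags a patched 2.4.22-gentoo-r7 as vulnerable, illustrated as an added Python example that is not part of the bug report or of the iSEC code. The affected upstream ranges are taken from the advisory text quoted in the thread; the set of releases known to carry a backported fix is a constructed placeholder holding only the release named here, and the exact comparison the original checker performs is an assumption modelled on the maintainer's description.

```python
import re
from typing import Optional, Tuple

# Affected upstream ranges from the Full-Disclosure advisory quoted above:
# 2.2 up to 2.2.25, 2.4 up to 2.4.24, 2.6 up to 2.6.2 (all inclusive).
LAST_AFFECTED_UPSTREAM = {(2, 2): 25, (2, 4): 24, (2, 6): 2}

# Distribution kernels that ship the fix backported while keeping an
# "affected" upstream version number. Only 2.4.22-gentoo-r7, named in the
# thread, is listed; in practice this is a site's own patch-tracking data
# (constructed placeholder).
BACKPORTED_FIX = {"2.4.22-gentoo-r7"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.*))?$")


def parse_release(release: str) -> Tuple[int, int, int, Optional[str]]:
    """Split a `uname -r` string into (major, minor, patch, distro suffix)."""
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def naive_check(release: str) -> bool:
    """Version-only test, as the maintainer describes the posted checker:
    True whenever the upstream number falls inside an affected range,
    regardless of any distribution patch (assumed model of that checker)."""
    major, minor, patch, _suffix = parse_release(release)
    last_affected = LAST_AFFECTED_UPSTREAM.get((major, minor))
    return last_affected is not None and patch <= last_affected


def informed_check(release: str) -> bool:
    """Same comparison, but a release recorded as carrying the backported
    fix is reported as not vulnerable despite its 'old' version number."""
    if release.strip() in BACKPORTED_FIX:
        return False
    return naive_check(release)


if __name__ == "__main__":
    for rel in ("2.4.22-gentoo-r7", "2.4.20-wolk4.9s", "2.4.25", "2.6.3"):
        print(f"{rel:18} naive={naive_check(rel)!s:5} informed={informed_check(rel)}")
```

Running it shows the false positive the thread is about: the version-only test reports 2.4.22-gentoo-r7 as affected, the patch-aware test does not.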