Bugtraq mailing list archives
ptrace/execve race condition exploit (non brute-force)
From: Wojciech Purczynski <wp () ELZABSOFT PL>
Date: Tue, 27 Mar 2001 14:05:54 +0200
Hi,

Here is an exploit for the ptrace/execve race condition bug in Linux kernels up to 2.2.18. It works even on openwall patched kernels (including the broken fix in 2.2.18ow4) if you use the address of the BSS section in memory (use objdump -h /suid/binary to get the .bss section address).

It does not use brute-force! It makes only one attempt: the parent process detects the exact moment of the context switch after the child goes to sleep in execve.

If you have some problems, ensure that the suid binary you want to sploit does not exist in the disk cache. For more info read the comments in the source code. It has been broken in two places.

Sample output:

[wp@wp /tmp]$ uname -a
Linux wp.local.elzabsoft.pl 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
[wp@wp /tmp]$ objdump -h /bin/su | grep .bss
  8 .rel.bss      00000030  08048ca8  08048ca8  00000ca8  2**2
 21 .bss          000000d4  0804bf04  0804bf04  00002f04  2**2
[wp@wp /tmp]$ find / >dev/null 2>&1
[wp@wp /tmp]$ ./epcs /bin/su 0x0804bf04
Bug exploited successfully.
sh-2.03#

It works with any suid binary.

Cheers,
wp

+---------------------------------------------------------+
| Wojciech Purczyński          Linux Administrator         |
| wp () elzabsoft pl           http://www.elzabsoft.pl/~wp |
| +48604432981                 http://www.elzabsoft.pl/~wp/gpg.asc |
+---------------------------------------------------------+
Attachment:
epcs.c
Description: epcs
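The post states the affected range only as "Linux kernels up to 2.2.18" and notes that the Openwall 2.2.18ow4 fix is itself broken. The following triage helper is an added example, not the author's code or the attached epcs.c: it parses `uname -r` style release strings (vendor suffixes such as "-5.0" and Openwall suffixes such as "ow4" are ignored) and flags anything that compares less than or equal to 2.2.18 as in the affected range. The cut-off tuple is an assumption taken from the post's wording, and the lexicographic comparison conservatively flags older series (2.0.x) as well.

```python
"""Flag kernel release strings that fall in the range the post describes as
affected (up to and including 2.2.18).  Added example; not the author's code."""
import re
from typing import Optional, Tuple

# Assumption taken from the post: the last release it names as affected.
LAST_AFFECTED = (2, 2, 18)

# Three leading dotted integers; whatever follows (e.g. "-5.0", "ow4") is ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_release(release: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for strings such as '2.2.14-5.0' or
    '2.2.18ow4', or None when the string does not start with three integers."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def kernel_affected(release: str) -> Optional[bool]:
    """True when the release is <= 2.2.18 by tuple comparison, False when it is
    newer, None when unparsable.  '2.2.18ow4' is still flagged because the post
    says the Openwall fix at that level is broken."""
    parsed = parse_release(release)
    if parsed is None:
        return None
    return parsed <= LAST_AFFECTED


def triage(uname_lines):
    """Map each release string to its verdict; handy for a list of hosts."""
    return {line: kernel_affected(line) for line in uname_lines}


if __name__ == "__main__":
    # Constructed sample inputs; the first is the release from the post's uname output.
    samples = ["2.2.14-5.0", "2.2.18ow4", "2.2.19", "2.4.2", "not-a-kernel"]
    for rel, verdict in triage(samples).items():
        print(f"{rel:14} affected={verdict}")
```

Feed it the output of `uname -r` collected from each host; a None verdict means the string needs a manual look rather than a clean bill of health.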
Current thread:
- ptrace/execve race condition exploit (non brute-force) Wojciech Purczynski (Mar 27)
- Re: ptrace/execve race condition exploit (non brute-force) Wouter de Jong (Mar 27)
- Re: ptrace/execve race condition exploit (non brute-force) Solar Designer (Mar 27)
- <Possible follow-ups>
- Re: ptrace/execve race condition exploit (non brute-force) Mariusz Woloszyn (Mar 27)
- Re: ptrace/execve race condition exploit (non brute-force) Solar Designer (Mar 28)