Bugtraq mailing list archives

Re: ptrace/execve race condition exploit (non brute-force)


From: Wouter de Jong <wouter () WIDEXS NL>
Date: Tue, 27 Mar 2001 20:37:49 +0200

On Tue, Mar 27, 2001 at 02:05:54PM +0200, Wojciech Purczynski wrote:

Hi,

Hi,

Here is an exploit for the ptrace/execve race condition bug in Linux kernels up
to 2.2.18.

It works even on openwall patched kernels (including the broken fix in 2.2.18ow4)
if you use the address of the BSS section in memory (use objdump -h /suid/binary
to get the .bss section address).

It does not use brute force! It makes only one attempt; the parent process detects
the exact moment of the context switch after the child goes to sleep in execve.

If you have any problems, ensure that the suid binary you want to sploit is
not in the disk cache.

For more info read comments in the source code.

It has been broken in two places.

<cut sample>

It works with any suid binary.

I've tried this on several hosts, all with 2.2.18 (not all ow4) (RedHat 6.2 + Slackware 7.1), and they gave me
either the following result:

ptrace: PTRACE_ATTACH: Operation not permitted
Error!


Or:

[wouter@nivedita wouter]$ uname -a
Linux nivedita 2.2.18 #1 Tue Feb 13 20:26:05 CET 2001 i686 unknown
[wouter@nivedita wouter]$ objdump -h /bin/su | grep .bss
  8 .rel.bss      00000030  08048ca8  08048ca8  00000ca8  2**2
 21 .bss          000000d4  0804bf04  0804bf04  00002f04  2**2
[wouter@nivedita wouter]$ find / >/dev/null 2>&1;~/epcs /bin/su 0804bf04
Bug exploited successfully.
Password:

If I use, for example, 08048ca8, I get this:

[wouter@nivedita wouter]$ find / >/dev/null 2>&1;~/epcs /bin/su 08048ca8
Bug exploited successfully.
[wouter@nivedita wouter]$ id
uid=519(wouter) gid=519(wouter) groups=519(wouter)

Cheers,
wp

+---------------------------------------------------------+
| Wojciech Purczynski                 Linux Administrator |
| wp () elzabsoft pl             http://www.elzabsoft.pl/~wp |
| +48604432981        http://www.elzabsoft.pl/~wp/gpg.asc |
+---------------------------------------------------------+


--
Met vriendelijke groet/With kind regards,

Wouter de Jong
System-Administrator/Developer
   __   _
  / /  (_)__  __ ____  __
 / /__/ / _ \/ // /\ \/ /
/____/_/_//_/\_._/ /_/\_\

