Bugtraq mailing list archives
Re: ptrace/execve race condition exploit (non brute-force)
From: Wouter de Jong <wouter () WIDEXS NL>
Date: Tue, 27 Mar 2001 20:37:49 +0200
On Tue, Mar 27, 2001 at 02:05:54PM +0200, Wojciech Purczynski wrote:
Hi,
Hi,
Here is an exploit for the ptrace/execve race condition bug in Linux kernels up to 2.2.18. It works even on openwall patched kernels (including the broken fix in 2.2.18ow4) if you use the address of the BSS section in memory (use objdump -h /suid/binary to get the .bss section address). It does not use brute-force! It does only one attempt: the parent process detects the exact moment of the context-switch after the child goes to sleep in execve. If you have some problems, ensure that the suid binary you want to sploit does not exist in disk cache. For more info read the comments in the source code. It has been broken in two places.
<cut sample>
It works with any suid binary.
I've tried this on several hosts, all with 2.2.18 (not all ow4) (RedHat 6.2 + Slackware 7.1), and they gave me either the following result:

    ptrace: PTRACE_ATTACH: Operation not permitted
    Error!

Or:

    [wouter@nivedita wouter]$ uname -a
    Linux nivedita 2.2.18 #1 Tue Feb 13 20:26:05 CET 2001 i686 unknown
    [wouter@nivedita wouter]$ objdump -h /bin/su | grep .bss
      8 .rel.bss      00000030  08048ca8  08048ca8  00000ca8  2**2
     21 .bss          000000d4  0804bf04  0804bf04  00002f04  2**2
    [wouter@nivedita wouter]$ find / >/dev/null 2>&1;~/epcs /bin/su 0804bf04
    Bug exploited successfully.
    Password:

If I use for example: 08048ca8, I'll get this:

    [wouter@nivedita wouter]$ find / >/dev/null 2>&1;~/epcs /bin/su 08048ca8
    Bug exploited successfully.
    [wouter@nivedita wouter]$ id
    uid=519(wouter) gid=519(wouter) groups=519(wouter)
Cheers,
wp

Wojciech Purczynski, Linux Administrator
wp () elzabsoft pl      http://www.elzabsoft.pl/~wp
+48604432981            http://www.elzabsoft.pl/~wp/gpg.asc
--
Met vriendelijke groet/With kind regards,
Wouter de Jong
System-Administrator/Developer
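The thread turns on two facts an administrator would want to check on their own hosts: whether the kernel falls in the range the original post names as affected (2.2.18 and older, Openwall "ow" builds included), and which setuid binaries such a kernel exposes, since the post states the race works with any suid binary. The script below is an added exposure check, not code from either poster or from the epcs exploit; the version boundary is taken only from the post's "up to 2.2.18" wording, and the directory to scan is an assumed argument.

```shell
#!/bin/sh
# Added exposure check for the ptrace/execve race discussed in the thread.
# It flags kernels the post names as affected (2.2.18 and older, including
# Openwall "ow" builds such as 2.2.18ow4) and lists setuid binaries under a
# directory, since the post says the race works with any suid binary.
# The boundary "up to 2.2.18" is the post's own claim, nothing more.

# kernel_in_scope VERSION -> exit 0 if VERSION is 2.2.18 or older, 1 otherwise
kernel_in_scope() {
    v=${1%%[!0-9.]*}            # "2.2.18ow4" -> "2.2.18", "2.4.2-smp" -> "2.4.2"
    [ -z "$v" ] && return 2     # nothing numeric to compare
    maj=${v%%.*}
    rest=${v#*.}
    min=${rest%%.*}
    if [ "$rest" = "$min" ]; then
        pat=0                   # no patch component, e.g. "2.2"
    else
        pat=${rest#*.}
        pat=${pat%%.*}          # keep only the third component
    fi
    [ "$maj" -lt 2 ] && return 0
    [ "$maj" -gt 2 ] && return 1
    [ "$min" -lt 2 ] && return 0
    [ "$min" -gt 2 ] && return 1
    [ "$pat" -le 18 ]
}

# list_setuid DIR -> print regular files under DIR with the setuid bit set
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null || true
}

# report DIR -> combine the two checks for the running kernel
report() {
    kv=$(uname -r)
    if kernel_in_scope "$kv"; then
        echo "kernel $kv: within the range the post names as affected"
        echo "setuid binaries under $1 (each is a candidate target for the race):"
        list_setuid "$1"
    else
        echo "kernel $kv: newer than 2.2.18, outside the post's claim"
    fi
}

# Usage: sh check_ptrace_exposure.sh /usr/bin   (directory is an assumed argument)
[ "$#" -gt 0 ] && report "$1"
```

The version parser strips any non-numeric suffix before comparing, which is what makes the Openwall build string from Wouter's hosts (2.2.18 with ow4) land in scope rather than being misread as a newer release.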
Current thread:
- ptrace/execve race condition exploit (non brute-force) Wojciech Purczynski (Mar 27)
- Re: ptrace/execve race condition exploit (non brute-force) Wouter de Jong (Mar 27)
- Re: ptrace/execve race condition exploit (non brute-force) Solar Designer (Mar 27)
- <Possible follow-ups>
- Re: ptrace/execve race condition exploit (non brute-force) Mariusz Woloszyn (Mar 27)
- Re: ptrace/execve race condition exploit (non brute-force) Solar Designer (Mar 28)