Bugtraq mailing list archives
Re: ptrace/execve race condition exploit (non brute-force)
From: Mariusz Woloszyn <emsi () IPARTNERS PL>
Date: Wed, 28 Mar 2001 01:32:15 +0200
On Tue, 27 Mar 2001, Wojciech Purczynski wrote:
> Hi, Here is an exploit for the ptrace/execve race condition bug in Linux kernels up to 2.2.18.
Hi! I've seen a tool that works better than this; using a different approach to the same bug, it exploits it on all platforms, giving instant root without the need to cat garbage files to clear the disk cache!!!

Anyway: here is a fast way to fix the problem (but it introduces a new one): a kernel module that disables the ptrace syscall. It works for 2.0 and 2.2 kernels (I didn't test it under 2.4). All you need to do is:

emsi:~# gcc -c npt.c
emsi:~# insmod ./npt.o

And here is how it works:

[before installing module]
emsi:~/hack/ptrace> ./a.out /sbin/powerd
[*] Child exec...
[+] Waiting for disk sleep.... dunno why but that printf helps sometimes ;) [OK]
[+] ATTACH: 0 : Success
[+] eip: 0x1109d0 -> 0x805a41b
[+] copy data from 0x805a3e0 to 0xbffff100 [...............]
[?] DETACH: 0 : Success
Status of 5342: R
bash#

[installing module]
bash# /sbin/insmod ./npt.o
bash# exit

emsi:~/hack/ptrace> ./a.out /sbin/reboot
[*] Child exec...
[+] Waiting for disk sleep.... dunno why but that printf helps sometimes ;) [OK]
[--] ATTACH: Operation not permitted   <==== see this
Exiting...
emsi:~/hack/ptrace>
Unknown id: ELF

It removes the possibility of tracing processes, but gives an instant shield against hackers.

greets: nergal, Lam3rZ, teso brothers, nises, hert and others :)

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
Attachment: npt.c
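To confirm that a ptrace-disabling mitigation such as the module described above is actually in effect, the following probe (an added example, not the original post's npt.c nor any code from its author) forks a child, attempts PTRACE_ATTACH on it and reports whether the call was allowed or refused, then detaches and cleans the child up. The result names and helper functions are my own. Note that on current kernels the same "Operation not permitted" refusal can also come from Yama's ptrace_scope sysctl, so a "blocked" result means attach is refused on this host, not necessarily that this particular module is loaded.

```c
/* Added example: probe whether PTRACE_ATTACH is permitted on this host.
 * Not part of the original post or of the npt.c module it describes.
 * Names (probe_result, classify_attach, probe_ptrace_attach) are assumptions. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result { PTRACE_ALLOWED = 0, PTRACE_BLOCKED = 1, PROBE_ERROR = -1 };

/* Map the outcome of a PTRACE_ATTACH call (return value and errno) to a
 * probe result. EPERM/EACCES mean the kernel refused the request; ENOSYS
 * means the syscall is not available at all. Anything else (e.g. ESRCH)
 * is a probe problem rather than a verdict about the mitigation. */
enum probe_result classify_attach(long rc, int err)
{
    if (rc == 0)
        return PTRACE_ALLOWED;
    if (err == EPERM || err == EACCES || err == ENOSYS)
        return PTRACE_BLOCKED;
    return PROBE_ERROR;
}

const char *probe_result_name(enum probe_result r)
{
    switch (r) {
    case PTRACE_ALLOWED: return "allowed";
    case PTRACE_BLOCKED: return "blocked";
    default:             return "error";
    }
}

/* Fork a harmless child, try to attach to it, and report the verdict.
 * The child does nothing but wait; it is always killed and reaped. */
enum probe_result probe_ptrace_attach(void)
{
    pid_t child = fork();
    if (child < 0)
        return PROBE_ERROR;
    if (child == 0) {
        pause();        /* child: block until the parent kills it */
        _exit(0);
    }

    long rc = ptrace(PTRACE_ATTACH, child, NULL, NULL);
    int err = errno;
    enum probe_result r = classify_attach(rc, err);

    if (rc == 0) {
        /* Attach succeeded: wait for the tracee's stop, then detach. */
        int status;
        waitpid(child, &status, 0);
        ptrace(PTRACE_DETACH, child, NULL, NULL);
    }

    kill(child, SIGKILL);      /* tear the child down regardless of outcome */
    waitpid(child, NULL, 0);   /* and reap it so no zombie is left behind */
    return r;
}

int main(void)
{
    enum probe_result r = probe_ptrace_attach();
    printf("PTRACE_ATTACH on a child process: %s\n", probe_result_name(r));
    return r == PROBE_ERROR ? 2 : (int)r;
}
```

Run it as an unprivileged user before and after loading the module: "allowed" reproduces the first transcript above, "blocked" the second. The exit status (0 allowed, 1 blocked, 2 probe error) lets the check be dropped into a host-hardening script.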
Current thread:
- ptrace/execve race condition exploit (non brute-force) Wojciech Purczynski (Mar 27)
- Re: ptrace/execve race condition exploit (non brute-force) Wouter de Jong (Mar 27)
- Re: ptrace/execve race condition exploit (non brute-force) Solar Designer (Mar 27)
- <Possible follow-ups>
- Re: ptrace/execve race condition exploit (non brute-force) Mariusz Woloszyn (Mar 27)
- Re: ptrace/execve race condition exploit (non brute-force) Solar Designer (Mar 28)