Re: Linux kernel ELF core dump privilege elevation (kernel module workaround)

[Andrew Griffiths <andrewg () felinemenace org>]

On Wed, May 11, 2005 at 01:08:56PM +0200, Paul Starzetz wrote:
> Impact:
> =======
>
> Unprivileged local users may gain elevated (root) privileges.  Code  may
> be  executed  at  the kernel privilege level potentially breaking out of
> Linux virtual machines. A hotfix for this vulnerability is  to  disallow
> processes  to  drop  core.  This can be accomplished by setting the hard
> core size limit to 0.

Some code for doing this in kernel space is at
http://felinemenace.org/~andrewg/safecore/ 

It loops over all processes and sets the soft limit and hard limit for
processes to 0. The limits.conf measure isn't entirely enough if people
have screen sessions, or you have various daemons running etc. 

Here is the output of the PoC code failing:

[+] Compiling...elfcd1.c: In function `main':
elfcd1.c:48: warning: implicit declaration of function
`strlen'
elfcd1.c:54: warning: implicit declaration of function
`memset'
elfcd1.c:60: warning: implicit declaration of function
`strcmp'
[+] ./elfcd1 argv_start=0xbffff791 argv_end=0xbffff799
ESP: 0xbffff5e0
setrlimit: Operation not permitted

This code has been tested twice so far, one on a non-production box, and
one of a production box. I'd like to thank mercy for doing the initial
test for me as I didn't have an test boxes nearby. It has been only
tested on 2.4 series kernels.

If it does break anything, I'd like to know. Granted, doesn't mean I can
do anything with it to make it work for you, as it works for me (tm).


Enjoy,
Andrew Griffiths