Dailydave mailing list archives

RE: Advisory 1/2005 - Linux Kernel arbitrary code execution vulnerability.


From: surreal () delusory org
Date: Sat, 8 Jan 2005 13:21:47 -0700

Hi, y'all with ninja skills:  was that a real local root for "Linux
Kernel <= 2.4.28, <= 2.6.10" that I should be worried about, or just a
really odd example of Net Theatre? 

I did attempt my own homework, but haven't figured it out.

I'm not surprised that " v = (void*) (addr + (ENTRY_GATE*LDT_ENTRY_SIZE
% PAGE_SIZE) ); " doesn't return "0xdeadbabe", but that seems like an
awfully elaborate bit of code to perpetrate a hoax, and there's no
apparent trojan activity when it runs, just something like:

[+] moved stack bfffe000, task_size=c0000000, map_base=bf800000
    cat /proc/1174/maps
[+] exploit thread running pid=1175
[-] FAILED: try again (Cannot allocate memory)

Way anticlimactic.

Playing with RACEDELTA didn't obviously matter with a 2.4.18-3 or
2.4.18-3smp kernel. With 2.4.20-28.8 and whatever kernel SUSE
9.whatever has, gcc notices that multiply-defined old_esp and won't
build as-is. "Fixing" old_esp yielded the same results as with 2.4.18.

Anyway - that code, whatever it is, is beyond my attention span. I'm not
begging for the real MAGIC value, (tho' that'd be fun to play with),
but, sensei: wassup? Do I really have to update any box with shell
access?

Many thanks,

Surreal

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
