Dailydave mailing list archives
Re: Advisory 1/2005 - Linux Kernel arbitrary code execution vulnerability.
From: Dave Aitel <dave () immunitysec com>
Date: Sat, 08 Jan 2005 15:57:42 -0500
It was a real local root, but the one posted by Paul from isec works better.

-dave

surreal () delusory org wrote:
Hi, y'all with ninja skills: was that a real local root for "Linux Kernel <= 2.4.28, <= 2.6.10" that I should be worried about, or just a really odd example of Net Theatre?

I did attempt my own homework, but haven't figured it out. I'm not surprised that " v = (void*) (addr + (ENTRY_GATE*LDT_ENTRY_SIZE % PAGE_SIZE) ); " doesn't return "0xdeadbabe", but that seems like an awfully elaborate bit of code to perpetrate a hoax, and there's no apparent trojan activity when it runs, just something like:

    [+] moved stack bfffe000, task_size=c0000000, map_base=bf800000
    cat /proc/1174/maps
    [+] exploit thread running pid=1175
    [-] FAILED: try again (Cannot allocate memory)

Way anticlimactic. Playing with RACEDELTA didn't obviously matter with a 2.4.18-3 or 2.4.18-3smp kernel. With 2.4.20-28.8 and whatever kernel SUSE 9.whatever has, gcc notices that multiply-defined old_esp and won't build as-is. "Fixing" old_esp yielded the same results as with 2.4.18.

Anyway - that code, whatever it is, is beyond my attention span. I'm not begging for the real MAGIC value, (tho' that'd be fun to play with), but, sensei: wassup? Do I really have to update any box with shell access?

Many thanks,
Surreal
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
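Surreal's closing question, whether any box with shell access needs the update, comes down to whether the running kernel falls inside the range the advisory names. The check below is an added example written for this archive page, not code from the advisory, the exploit or the list; it assumes `uname -r` style release strings and the two version ceilings quoted in the thread (2.4.28 and 2.6.10), and the sample release strings are the ones Surreal mentions.

```python
"""Does a Linux kernel release string fall in the range named by isec
advisory 1/2005: <= 2.4.28 on the 2.4 branch, <= 2.6.10 on the 2.6 branch?
Constructed example for this thread, not code from the advisory or exploit."""
import re
import subprocess

# Last affected upstream release on each branch, as quoted in the thread.
LAST_VULNERABLE = {(2, 4): 28, (2, 6): 10}


def parse_release(release: str):
    """Turn 'uname -r' output such as '2.4.18-3smp' into (2, 4, 18).

    Vendor suffixes (-3smp, -28.8) are deliberately ignored: whether a distro
    backported the fix can only be confirmed from the package changelog, so
    this check answers 'is the upstream base version in range', no more."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups())


def in_advisory_range(release: str) -> bool:
    """True when the upstream base version is one the advisory lists."""
    major, minor, patch = parse_release(release)
    limit = LAST_VULNERABLE.get((major, minor))
    if limit is None:
        # Branches the advisory does not name are outside its stated scope.
        return False
    return patch <= limit


def running_kernel_in_range() -> bool:
    """Apply the check to the kernel this script is running on."""
    release = subprocess.check_output(["uname", "-r"], text=True).strip()
    return in_advisory_range(release)


if __name__ == "__main__":
    # Release strings from the thread plus the two boundary versions.
    for r in ("2.4.18-3smp", "2.4.20-28.8", "2.4.28", "2.4.29",
              "2.6.10", "2.6.11-rc1"):
        print(f"{r:14} upstream-in-range={in_advisory_range(r)}")
```

A result of True means the base version is in the advisory's range; a vendor kernel may still carry a backported fix, which the version string alone cannot show.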
Current thread:
- RE: Advisory 1/2005 - Linux Kernel arbitrary code execution vulnerability. surreal (Jan 08)
- Re: Advisory 1/2005 - Linux Kernel arbitrary code execution vulnerability. Dave Aitel (Jan 08)