Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Linux kernel ELF core dump privilege elevation (kernel module workar

from [Andrew Griffiths] Network Security [Permanent Link]
Subject: Re: Linux kernel ELF core dump privilege elevation (kernel module workaround)
Date: Thu, 12 May 2005 00:29:02 +0000 
On Wed, May 11, 2005 at 01:08:56PM +0200, Paul Starzetz wrote:


Impact:
=======

Unprivileged local users may gain elevated (root) privileges.  Code  may
be  executed  at  the kernel privilege level potentially breaking out of
Linux virtual machines. A hotfix for this vulnerability is  to  disallow
processes  to  drop  core.  This can be accomplished by setting the hard
core size limit to 0.




Some code for doing this in kernel space is at
http://felinemenace.org/~andrewg/safecore/ 

It loops over all processes and sets the soft limit and hard limit for
processes to 0. The limits.conf measure isn't entirely enough if people
have screen sessions, or you have various daemons running etc. 

Here is the output of the PoC code failing:

[+] Compiling...elfcd1.c: In function `main':
elfcd1.c:48: warning: implicit declaration of function
`strlen'
elfcd1.c:54: warning: implicit declaration of function
`memset'
elfcd1.c:60: warning: implicit declaration of function
`strcmp'
[+] ./elfcd1 argv_start=0xbffff791 argv_end=0xbffff799
ESP: 0xbffff5e0
setrlimit: Operation not permitted

This code has been tested twice so far, one on a non-production box, and
one of a production box. I'd like to thank mercy for doing the initial
test for me as I didn't have an test boxes nearby. It has been only
tested on 2.4 series kernels.

If it does break anything, I'd like to know. Granted, doesn't mean I can
do anything with it to make it work for you, as it works for me (tm).


Enjoy,
Andrew Griffiths
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] [DR018] Quartz Composer / QuickTime 7 information leakage, adf--at--Code511.com
Next by Date:  [Full-disclosure] Re: phpbb 2.0.15 released - patches high critical vuln, Paul Laudanski
Previous by Thread:  Re: Linux kernel ELF core dump privilege elevation, Paul Starzetz
Next by Thread:  Re: Linux kernel ELF core dump privilege elevation (kernel module workaround), chris
Indexes:  [Date] [Thread] [Top] [All Lists]