
#1 2012-01-23 18:45:23

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

[already fixed] Linux root exploit due to memory access

http://www.h-online.com/open/news/item/ … 19834.html

Are we affected? When will the update come out? Why does it take so long? ;-)

Last edited by karol (2012-01-23 19:51:29)

Offline

#2 2012-01-23 18:48:50

stronnag
Member
Registered: 2011-01-25
Posts: 60

Re: [already fixed] Linux root exploit due to memory access

The kernel in testing was updated today and is fixed. The core kernels have not been updated, but the widely publicised mempodipper fails to yield a root shell :)

$ ./mempodipper
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/13550/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401a60.
[+] Calculating su padding.
[+] Seeking to offset 0x401a52.
[+] Executing su with shellcode.
Segmentation fault
$

Offline

#3 2012-01-23 18:55:55

stronnag
Member
Registered: 2011-01-25
Posts: 60

Re: [already fixed] Linux root exploit due to memory access

I stand corrected, guess what's just appeared.

Offline

#4 2012-01-23 19:02:01

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [already fixed] Linux root exploit due to memory access

A smiley?
A pony?
A root prompt?

Offline

#5 2012-01-23 19:07:41

c00kiemon5ter
Member
From: Greece
Registered: 2010-06-01
Posts: 562

Re: [already fixed] Linux root exploit due to memory access

a cookie ?


.:[ git me! ] :.

Offline

#6 2012-01-23 19:11:26

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: [already fixed] Linux root exploit due to memory access

an elephant


Give what you have. To someone, it may be better than you dare to think.

Offline

#7 2012-01-23 19:17:16

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [already fixed] Linux root exploit due to memory access

A developer? ;P

I see that linux 3.2.1-2 has been moved to [core]. stronnag, is this the fixed version?

Last edited by karol (2012-01-23 19:18:01)

Offline

#8 2012-01-23 19:37:25

stronnag
Member
Registered: 2011-01-25
Posts: 60

Re: [already fixed] Linux root exploit due to memory access

It looks like it. On two machines (ia-32, x86_64) mempodipper now terminates without the segfault.

Offline

#9 2012-01-23 19:50:53

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [already fixed] Linux root exploit due to memory access

Thanks :-)
Marking the thread as solved.

Offline

#10 2012-01-23 20:03:59

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964

Re: [already fixed] Linux root exploit due to memory access

The patched kernel was in the repo about 5 hours before this thread was started.

Offline

#11 2012-01-23 20:04:50

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,592

Re: [already fixed] Linux root exploit due to memory access

Hate to cross post of sorts, but am I the only one who can't compile this with the new patch?


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs

Offline

#12 2012-01-23 20:18:18

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [already fixed] Linux root exploit due to memory access

Pierre wrote:

The patched kernel was in the repo about 5 hours before this thread was started.

I did see http://projects.archlinux.org/svntogit/ … 24e137d008 but couldn't make much out of it. Maybe I should have googled a bit more, sorry.

Offline

#13 2012-01-23 21:30:57

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: [already fixed] Linux root exploit due to memory access

Did anyone manage to elevate their privileges on their Arch box with mempodipper anyway? It doesn't seem to work on my 32-bit boxes with graysky's 3.2.1-3-ck, which shouldn't be patched.

Offline

#14 2012-01-23 21:32:09

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [already fixed] Linux root exploit due to memory access

lucke wrote:

Did anyone manage to elevate their privileges on their Arch box with mempodipper anyway? It doesn't seem to work on my 32-bit boxes with graysky's 3.2.1-3-ck, which shouldn't be patched.

Supposedly stronnag managed to hack his box: https://bbs.archlinux.org/viewtopic.php … 8#p1046378

Offline

#15 2012-01-23 21:37:36

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: [already fixed] Linux root exploit due to memory access

His post shows "segmentation fault" and then "$", and he says it fails to yield a root shell, so it doesn't seem like a successful privilege elevation. I don't get a segmentation fault, though - I'm simply still (good?) old lucke, not root.

Offline

#16 2012-01-23 21:57:21

stronnag
Member
Registered: 2011-01-25
Posts: 60

Re: [already fixed] Linux root exploit due to memory access

I did not succeed in rooting any of my previously unpatched Arch boxen. A different story on Ubuntu though, prior to their updated kernel release.

Offline

#17 2012-01-23 22:09:01

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: [already fixed] Linux root exploit due to memory access

According to this blog post, the exploit takes advantage of the string written by su to stderr, and it is different on my Arch boxes than the one shown in the blog. Perhaps that is "saving" Arch? I don't have other distros to check what string they output and if they're exploitable, and I can't figure out from the code if the string really matters.

Offline

#18 2012-01-23 22:14:51

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [already fixed] Linux root exploit due to memory access

I've tried several previous kernels on my 32-bit Arch and none of them could be hacked.

Offline

#19 2012-01-23 22:27:00

jjacky
Member
Registered: 2011-11-09
Posts: 347

Re: [already fixed] Linux root exploit due to memory access

Yeah, seems it doesn't work with su on Arch, much like on Fedora:

as it turns out, Fedora very aptly compiles their su with PIE, which defeats this attack. They do not, unfortunately, compile all their SUID binaries with PIE, and so this attack is still possible with, for example, gpasswd.

Just tried using this version (using gpasswd), and I do get a root shell. If you wanna try too, use this: http://git.zx2c4.com/CVE-2012-0056/plai … c?h=fedora

Offline
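The quoted paragraph above makes the practical point for defenders: the kernel bug is only reachable through a setuid binary whose code sits at a fixed address, so a setuid binary built as PIE blocks this particular path while a non-PIE one (gpasswd on Fedora, per the quote) does not. The script below is an added example, not code from the thread or from the mempodipper author; it inventories setuid-root binaries under directories you choose and reports whether each is PIE by reading the ELF header's e_type field (ET_DYN for PIE, ET_EXEC for a fixed-address executable). The directory list in the `__main__` block and the constructed headers used for self-testing are assumptions.

```python
import os
import stat
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2  # fixed-address executable (not PIE)
ET_DYN = 3   # position-independent executable (or shared object)


def elf_type(header: bytes):
    """Return the e_type field of an ELF header, or None if the bytes are not ELF."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return None
    # EI_DATA at byte 5: 1 = little-endian, 2 = big-endian
    endian = "<" if header[5] == 1 else ">"
    # e_type is a 16-bit field at offset 16 in both ELF32 and ELF64 headers
    return struct.unpack(endian + "H", header[16:18])[0]


def is_pie(header: bytes) -> bool:
    """A PIE executable is linked as ET_DYN; ET_EXEC means a fixed load address."""
    return elf_type(header) == ET_DYN


def classify_file(path: str) -> str:
    """Classify a file on disk as 'PIE', 'non-PIE', 'other' (ELF but neither) or 'not-elf'."""
    with open(path, "rb") as f:
        header = f.read(64)
    t = elf_type(header)
    if t is None:
        return "not-elf"
    return {ET_EXEC: "non-PIE", ET_DYN: "PIE"}.get(t, "other")


def find_setuid_root(dirs):
    """Yield (path, classification) for every regular setuid-root file under the given directories."""
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    st = os.lstat(p)  # lstat so symlinks are not followed
                except OSError:
                    continue
                if (stat.S_ISREG(st.st_mode)
                        and st.st_mode & stat.S_ISUID
                        and st.st_uid == 0):
                    yield p, classify_file(p)


def make_elf_header(e_type: int, little_endian: bool = True, elf64: bool = True) -> bytes:
    """Build a constructed, minimal 64-byte ELF header for self-testing (not a real binary)."""
    ident = (ELF_MAGIC
             + bytes([2 if elf64 else 1,            # EI_CLASS
                      1 if little_endian else 2,    # EI_DATA
                      1])                           # EI_VERSION
             + b"\x00" * 9)                         # padding to 16 bytes
    endian = "<" if little_endian else ">"
    e_machine = 62 if elf64 else 3                  # EM_X86_64 / EM_386
    return (ident + struct.pack(endian + "HH", e_type, e_machine)).ljust(64, b"\x00")


if __name__ == "__main__":
    # Assumed directories to audit; adjust for the system at hand.
    for path, kind in find_setuid_root(["/usr/bin", "/usr/sbin", "/bin", "/sbin"]):
        flag = "" if kind == "PIE" else "  <-- review"
        print(f"{kind:8} {path}{flag}")
```

Run it as an unprivileged user; every line flagged "non-PIE" is a setuid-root binary that this class of attack could target on an unpatched kernel, which makes the list a useful input when deciding which packages to rebuild or which machines to patch first. Treating ET_DYN as "PIE" is a simplification (shared libraries are also ET_DYN), but for files that are setuid executables the distinction does not arise.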

#20 2012-01-23 22:35:19

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: [already fixed] Linux root exploit due to memory access

Yeah, I've just tried it, jjacky (before reading your post) - an exploit crafted for Fedora works indeed on Arch.

Offline

#21 2012-01-24 08:24:11

ghen
Member
From: Belgium
Registered: 2010-08-31
Posts: 121

Re: [already fixed] Linux root exploit due to memory access

The mempodipper code doesn't work on our /bin/su, but it does on other setuid binaries, e.g. /usr/bin/chfn. I can get a root shell with that on both i686 and x86_64.

Offline

#22 2012-01-24 10:00:43

darnir
Member
Registered: 2011-12-21
Posts: 47

Re: [already fixed] Linux root exploit due to memory access

@ghen: What exactly did you change in the code to get the exploit working? I doubt it still works after the patch released earlier today.

Yet, I'd like to know.

Offline

#23 2012-01-24 12:02:19

jelly
Administrator
From: /dev/null
Registered: 2008-06-10
Posts: 714

Re: [already fixed] Linux root exploit due to memory access

The exploit works perfectly fine on arch.

[jelle@P8][~]%./a.out -o 404e40
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/10011/mem in child.
[+] Sending fd 3 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x404e37.
[+] Executing su with shellcode.
sh-4.2# whoami
root
sh-4.2# exit
exit

64-bit btw
And I didn't update to -2 yet.

Offline

#24 2012-01-24 17:07:42

phects
Member
Registered: 2010-08-31
Posts: 10

Re: [already fixed] Linux root exploit due to memory access

Just for propaganda:

I run Linux 3.2 with PaX patches on several machines and the exploit did not work on any of them. This would be probably true for the next few local root exploits, too ;)

https://aur.archlinux.org/packages.php?ID=55491

Offline
