http://www.h-online.com/open/news/item/ … 19834.html
Are we affected? When will the update come out? Why does it take so long? ;-)
Last edited by karol (2012-01-23 19:51:29)
Offline
The kernel in testing was updated today and is fixed. The core kernels have not been updated, but the widely publicised mempodipper fails to yield a root shell:
$ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/13550/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401a60.
[+] Calculating su padding.
[+] Seeking to offset 0x401a52.
[+] Executing su with shellcode.
Segmentation fault
$
Offline
I stand corrected, guess what's just appeared.
Offline
A smiley?
A pony?
A root prompt?
Offline
an elephant
Give what you have. To someone, it may be better than you dare to think.
Offline
A developer? ;P
I see that linux 3.2.1-2 has been moved to [core]. stronnag, is this the fixed version?
Last edited by karol (2012-01-23 19:18:01)
Offline
It looks like it. On two machines (ia-32, x86_64) mempodipper now terminates without the segfault.
Offline
Thanks :-)
Marking the thread as solved.
Offline
The patched kernel was in the repo about 5 hours before this thread was started.
Offline
Hate to cross post of sorts, but am I the only one who can't compile this with the new patch?
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
The patched kernel was in the repo about 5 hours before this thread was started.
I did see http://projects.archlinux.org/svntogit/ … 24e137d008 but couldn't make much out of it. Maybe I should have googled a bit more, sorry.
Offline
Did anyone manage to elevate their privileges on their Arch box with mempodipper anyway? It doesn't seem to work on my 32-bit boxes with graysky's 3.2.1-3-ck, which shouldn't be patched.
Offline
Did anyone manage to elevate their privileges on their Arch box with mempodipper anyway? It doesn't seem to work on my 32-bit boxes with graysky's 3.2.1-3-ck, which shouldn't be patched.
Supposedly stronnag managed to hack his box: https://bbs.archlinux.org/viewtopic.php … 8#p1046378
Offline
His post shows "segmentation fault" and then "$", and he says it fails to yield a root shell, so it doesn't seem like a successful privilege elevation. I don't get a segmentation fault, though - I'm simply still (good?) old lucke, not root.
Offline
I did not succeed in rooting any of my previously unpatched Arch boxen. A different story on Ubuntu though, prior to their updated kernel release.
Offline
According to this blog post, the exploit takes advantage of the string written by su to stderr, and it is different on my Arch boxes than the one shown in the blog. Perhaps that is "saving" Arch? I don't have other distros to check what string they output and if they're exploitable, and I can't figure out from the code if the string really matters.
Offline
I've tried several previous kernels on my 32-bit Arch and none of them could be hacked.
Offline
Yeah, seems it doesn't work with su on Arch, much like on Fedora:
as it turns out, Fedora very aptly compiles their su with PIE, which defeats this attack. They do not, unfortunately, compile all their SUID binaries with PIE, and so this attack is still possible with, for example, gpasswd.
Just tried using this version (using gpasswd), and I do get a root shell. If you wanna try too, use this: http://git.zx2c4.com/CVE-2012-0056/plai … c?h=fedora
Offline
Yeah, I've just tried it, jjacky (before reading your post) - an exploit crafted for Fedora works indeed on Arch.
Offline
The mempodipper code doesn't work on our /bin/su, but it does on other setuid binaries, e.g. /usr/bin/chfn. I can get a root shell with that on both i686 and x86_64.
Offline
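The last few posts turn on one detail: the attack needs a setuid binary whose code sits at a fixed address (the exit@plt offset passed as "-o 404e40" above), so a PIE su resists it while non-PIE setuid binaries such as gpasswd or chfn do not. The following is an added example, not code from this thread, from mempodipper or from any distribution: a small scanner that lists the setuid-root binaries in the usual directories and reports whether each is ET_EXEC (fixed addresses) or ET_DYN (PIE). The directory list and the sample headers used for the self-check are constructed for the example; the classification only inspects the ELF header and does not test the kernel itself.

```c
#include <dirent.h>
#include <elf.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum elf_kind { NOT_ELF = -1, ELF_EXEC = 0, ELF_PIE = 1, ELF_OTHER = 2 };

/* Classify an ELF image from its first bytes. e_ident and e_type sit at the
 * same offsets in ELF32 and ELF64 headers, so EI_NIDENT + 2 bytes are enough.
 * The two-byte e_type is read in the byte order that e_ident[EI_DATA] declares. */
enum elf_kind classify_elf(const unsigned char *buf, size_t len)
{
    if (len < EI_NIDENT + 2 || memcmp(buf, ELFMAG, SELFMAG) != 0)
        return NOT_ELF;
    uint16_t type;
    if (buf[EI_DATA] == ELFDATA2LSB)
        type = (uint16_t)(buf[EI_NIDENT] | (buf[EI_NIDENT + 1] << 8));
    else if (buf[EI_DATA] == ELFDATA2MSB)
        type = (uint16_t)((buf[EI_NIDENT] << 8) | buf[EI_NIDENT + 1]);
    else
        return NOT_ELF;
    switch (type) {
    case ET_EXEC: return ELF_EXEC;   /* fixed load address: the PLT is where the linker put it */
    case ET_DYN:  return ELF_PIE;    /* position independent: base is randomised under ASLR */
    default:      return ELF_OTHER;  /* relocatable object, core file, ... */
    }
}

/* Read the start of a file and classify it; NOT_ELF if it cannot be read. */
enum elf_kind classify_file(const char *path)
{
    unsigned char hdr[EI_NIDENT + 2];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return NOT_ELF;
    ssize_t n = read(fd, hdr, sizeof hdr);
    close(fd);
    return n < 0 ? NOT_ELF : classify_elf(hdr, (size_t)n);
}

/* 1 if path is a regular file owned by root with the setuid bit set. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) && st.st_uid == 0;
}

/* Print every setuid-root binary in dir with its classification; returns the count. */
int scan_setuid_dir(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d)
        return 0;
    int found = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        char path[4096];
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path)
            continue;
        if (!is_setuid_root(path))
            continue;
        found++;
        const char *label;
        switch (classify_file(path)) {
        case ELF_EXEC: label = "ET_EXEC (not PIE, fixed addresses)"; break;
        case ELF_PIE:  label = "ET_DYN  (PIE)"; break;
        default:       label = "not a recognised ELF executable"; break;
        }
        printf("%-40s %s\n", path, label);
    }
    closedir(d);
    return found;
}

/* Constructed sample headers for a self-check, not taken from real binaries:
 * the first 18 bytes of a little-endian ET_EXEC image and of a big-endian ET_DYN one. */
static const unsigned char SAMPLE_EXEC_LE[18] = {
    0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2LSB, EV_CURRENT, 0,
    0, 0, 0, 0, 0, 0, 0, 0,
    ET_EXEC, 0x00 };
static const unsigned char SAMPLE_PIE_BE[18] = {
    0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2MSB, EV_CURRENT, 0,
    0, 0, 0, 0, 0, 0, 0, 0,
    0x00, ET_DYN };

int main(void)
{
    /* Assumed search list; add any other directory your distribution installs setuid tools in. */
    const char *dirs[] = { "/bin", "/sbin", "/usr/bin", "/usr/sbin" };
    int total = 0;
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        total += scan_setuid_dir(dirs[i]);
    printf("%d setuid-root binaries examined\n", total);
    return 0;
}
```

Build with `cc -o suidscan suidscan.c` and run as an ordinary user; stat and reading a file header need no privileges. On systems where /bin is a symlink to /usr/bin the same binary is listed twice, which is harmless. An ET_EXEC entry in the output is a binary with the property the thread is discussing, not a statement that the kernel is vulnerable; that depends on the kernel package, as the posts above work out.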
@ghen: What exactly did you change in the code to get the exploit working? I doubt it still works after the patch released earlier today.
Yet, I'd like to know.
Offline
The exploit works perfectly fine on arch.
[jelle@P8][~]%./a.out -o 404e40
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/10011/mem in child.
[+] Sending fd 3 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x404e37.
[+] Executing su with shellcode.
sh-4.2# whoami
root
sh-4.2# exit
exit
64 bit btw
And I didn't update to -2 yet.
Offline
Just for propaganda:
I run Linux 3.2 with PaX patches on several machines and the exploit did not work on any of them. This would probably be true for the next few local root exploits, too.
Offline