
New kernel vulnerability

PostPosted: Wed Feb 18, 2004 10:07 am
by devastor
Another critical kernel vulnerability in the mremap(3) system call was announced today.

http://isec.pl/vulnerabilities/isec-001 ... -unmap.txt

Kernel 2.4.25 has been released and fixes this issue.
However, grsecurity for 2.4.24 won't patch cleanly onto .25, so some changes are required.

Hopefully spender will make a new patch for it soon 8)

PostPosted: Wed Feb 18, 2004 1:57 pm
by miha
2.4.24-grsec is not affected (at least I tried):

mmap: Cannot allocate memory
created ~5346 VMAs
now mremapping 0x05385000 at 0x05381000
kernel may not be vulnerable


regards,
M.

PostPosted: Wed Feb 18, 2004 2:33 pm
by devastor
I wouldn't count on that.
2.4.24 with grsec 1.9.13

mmap: Cannot allocate memory
created ~65865 VMAs
now mremapping 0x40521000 at 0x4051D000
zsh: 6170 segmentation fault ./poc

dmesg:

kernel BUG at mmap.c:1424!
invalid operand: 0000
CPU: 0
EIP: 0010:[<c01b0a85>] Not tainted
EFLAGS: 00010287
eax: 4051e000 ebx: 00000001 ecx: c129bf38 edx: c129bf20
esi: c129bfc4 edi: c1306104 ebp: c13060c0 esp: c12abecc
ds: 0018 es: 0018 ss: 0018
Process poc (pid: 6170, stackpage=c12ab000)
Stack: 00000001 c129bfc4 c1306104 00001000 00001000 c01b6210 c10ba300 c01b62a0
c10ba300 c13060c0 c12aa000 00001000 c10ba31c ffff0001 00000002 00000000
c13060c0 c129bf80 c129bec0 c01b637a 40521000 00001000 00001000 00000003
Call Trace: [<c01b6210>] [<c01b62a0>] [<c01b637a>] [<c0192e93>]

Code: 0f 0b 90 05 e1 66 2f c0 8b 7c 24 10 8b 74 24 14 8b 5c 24 18

:)

PostPosted: Wed Feb 18, 2004 2:43 pm
by mar
How long does grsec usually take to release an update?
I don't like to have my servers standing exposed :roll:

PostPosted: Wed Feb 18, 2004 3:08 pm
by spender
I've just put a pre-release 1.9.14 patch up on http://grsecurity.net/~spender/ for testing. It's against 2.4.25. Let me know about any problems. It has the latest PaX code in it also.

-Brad

PostPosted: Wed Feb 18, 2004 3:09 pm
by jagdfalke
http://linux.bkbits.net:8080/linux-2.4/ ... set@1.1323

That is the fix for the most important vulnerability, if I'm not mistaken.

but I'd like to see patches for new versions asap nevertheless :)

cu
jagdfalke

PostPosted: Wed Feb 18, 2004 3:21 pm
by miha
devastor wrote:
I wouldn't count on that.
2.4.24 with grsec 1.9.13

mmap: Cannot allocate memory
created ~65865 VMAs
now mremapping 0x40521000 at 0x4051D000
zsh: 6170 segmentation fault ./poc

dmesg:

kernel BUG at mmap.c:1424!
invalid operand: 0000
CPU: 0
EIP: 0010:[<c01b0a85>] Not tainted
EFLAGS: 00010287
eax: 4051e000 ebx: 00000001 ecx: c129bf38 edx: c129bf20
esi: c129bfc4 edi: c1306104 ebp: c13060c0 esp: c12abecc
ds: 0018 es: 0018 ss: 0018
Process poc (pid: 6170, stackpage=c12ab000)
Stack: 00000001 c129bfc4 c1306104 00001000 00001000 c01b6210 c10ba300 c01b62a0
c10ba300 c13060c0 c12aa000 00001000 c10ba31c ffff0001 00000002 00000000
c13060c0 c129bf80 c129bec0 c01b637a 40521000 00001000 00001000 00000003
Call Trace: [<c01b6210>] [<c01b62a0>] [<c01b637a>] [<c0192e93>]

Code: 0f 0b 90 05 e1 66 2f c0 8b 7c 24 10 8b 74 24 14 8b 5c 24 18


ok, here's another one:

miha@devil [~]# ./p2
mmap: Cannot allocate memory
created ~16558 VMAs
now mremapping 0x102B5000 at 0x102B1000
kernel may not be vulnerable
miha@devil [~]# uname -a
Linux devil 2.4.24-grsec #1 SMP Fri Jan 9 10:57:24 EST 2004 i686 unknown


and dmesg:

grsec: From xxx.xxx.xxx.xxx: attempted resource overstep by requesting 204804096 for RLIMIT_AS against limit 204800000 by (p2:26341) UID(32008) EUID(32008), parent (bash:15448) UID(32008) EUID(32008)


Tested on 5 machines, and so far all of them showed the same result (as above).
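As an added example (not code from the thread or from grsecurity), here is a small Python parser for the grsec "attempted resource overstep" line quoted above, so those alerts can be pulled out of dmesg and the requested-vs-limit gap inspected when judging what actually stopped a test program. The field names are my own and the sample dmesg lines are constructed from what was posted.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Pattern for the grsecurity 1.9.x "attempted resource overstep" line as it
# appears in the dmesg output quoted in the thread. Field names are my own.
OVERSTEP_RE = re.compile(
    r"grsec: From \S+: attempted resource overstep by requesting "
    r"(?P<requested>\d+) for (?P<rlimit>RLIMIT_[A-Z]+) against limit (?P<limit>\d+) "
    r"by \((?P<comm>[^:()]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\(\d+\)"
)

@dataclass
class Overstep:
    rlimit: str
    requested: int
    limit: int
    comm: str
    pid: int
    uid: int

    @property
    def excess(self) -> int:
        # How far past the limit the request went (bytes for RLIMIT_AS).
        return self.requested - self.limit

def parse_overstep(line: str) -> Optional[Overstep]:
    # Return an Overstep for a grsec resource-overstep line, None for anything else.
    m = OVERSTEP_RE.search(line)
    if m is None:
        return None
    return Overstep(
        rlimit=m["rlimit"], requested=int(m["requested"]), limit=int(m["limit"]),
        comm=m["comm"], pid=int(m["pid"]), uid=int(m["uid"]),
    )

def find_oversteps(lines: Iterable[str], rlimit: str = "RLIMIT_AS") -> List[Overstep]:
    # Keep only overstep events for the given rlimit, skipping unrelated dmesg noise.
    events = (parse_overstep(line) for line in lines)
    return [e for e in events if e is not None and e.rlimit == rlimit]

# Constructed sample: the line miha posted plus an unrelated dmesg line from the thread.
SAMPLE_DMESG = [
    "kernel BUG at mmap.c:1424!",
    "grsec: From xxx.xxx.xxx.xxx: attempted resource overstep by requesting 204804096 "
    "for RLIMIT_AS against limit 204800000 by (p2:26341) UID(32008) EUID(32008), "
    "parent (bash:15448) UID(32008) EUID(32008)",
]
```

Running `find_oversteps(SAMPLE_DMESG)` yields one event for p2 (pid 26341) whose request exceeded RLIMIT_AS by 4096 bytes.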

PostPosted: Wed Feb 18, 2004 3:38 pm
by exci
For those with the "kernel may not be vulnerable", what option/acl is it that stopped it?

It 'crashed' me (2.4.24-grsec-1.9.13): I can't use things like top/ps/w etc., but I can still compile my new kernel on it and use the services that I have running.
It isn't that 'critical' to me :P (edit: oe, just read that you could get root access out of it, so critical++ ;) )

make[1]: Entering directory `/usr/src/linux-2.4.25/kernel'
make all_targets
make[2]: Entering directory `/usr/src/linux-2.4.25/kernel'
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched  -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
                 from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: error: structure has no member named `segments'
make[2]: *** [sched.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make[1]: *** [first_rule] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make: *** [_dir_kernel] Error 2


The kernel can't compile with the new grsec patch.

PostPosted: Wed Feb 18, 2004 3:42 pm
by drixter
spender wrote:
I've just put a pre-release 1.9.14 patch up on http://grsecurity.net/~spender/ for testing. It's against 2.4.25. Let me know about any problems. It has the latest PaX code in it also.

-Brad


Problem with compiling: a blank kernel compiles fine, but with this grsec patch it doesn't.

[root@fido linux]# make bzImage
scripts/split-include include/linux/autoconf.h include/config
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -DKBUILD_BASENAME=main -c -o init/main.o init/main.c
. scripts/mkversion > .tmpversion
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon  -DUTS_MACHINE='"i386"' -DKBUILD_BASENAME=version -c -o init/version.o init/version.c
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -DKBUILD_BASENAME=do_mounts -c -o init/do_mounts.o init/do_mounts.c
make CFLAGS="-D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon " -C  kernel
make[1]: Entering directory `/usr/src/linux-2.4.25/kernel'
make all_targets
make[2]: Entering directory `/usr/src/linux-2.4.25/kernel'
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon   -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched  -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
                 from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: error: structure has no member named `segments'
make[2]: *** [sched.o] Błąd 1
make[2]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make[1]: *** [first_rule] Błąd 2
make[1]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make: *** [_dir_kernel] Błąd 2


[root@fido root]# ./ver_linux
If some fields are empty or look unusual you may have an old version.
Compare to the current minimal requirements in Documentation/Changes.

Linux fido.e-utp.net 2.4.24-grsec #4 sob lut 7 11:17:50 CET 2004 i686 AMD Duron(tm) Processor

Gnu C                  3.3.2
Gnu make               3.80
util-linux             2.11x
mount                  2.11x
modutils               2.4.22
e2fsprogs              1.32
jfsutils               1.0.24
Linux C Library        2.3.1
Dynamic linker (ldd)   2.3.1
Procps                 3.1.14
Net-tools              1.60
Console-tools          0.2.3
Sh-utils               5.1.2
Modules Loaded         nvidia cls_fw cls_u32 sch_sfq sch_htb ipt_LOG ipt_unclean ipt_MARK ipt_multiport ipt_state ipt_REJECT iptable_mangle iptable_nat ip_conntrack iptable_filter ip_tables 8139too mii crc32 nls_iso8859-2

PostPosted: Wed Feb 18, 2004 3:42 pm
by devastor
That's strange. Limiting users' virtual memory shouldn't help in this case.

Testing with this PoC?

http://www.derkeiler.com/Mailing-Lists/ ... /0052.html

PostPosted: Wed Feb 18, 2004 4:06 pm
by miha
Yes, using http://www.derkeiler.com/Mailing-Lists/ ... /0052.html
It does not work with either enabled or disabled ACLs.
Using a custom grsecurity config in the kernel.

regards,
M.

2.4.25 patch error

PostPosted: Wed Feb 18, 2004 4:35 pm
by underattack
On 'make bzImage', I get the following error:

cc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: structure has no member named `segments'

PostPosted: Wed Feb 18, 2004 4:51 pm
by devastor
Odd, so far it has caused a DoS or an oops on all systems I've tested it on.
Maybe some memory limit stops that specific exploit from working,
but it really doesn't mean you wouldn't be vulnerable, as the exploit also says :)

PostPosted: Wed Feb 18, 2004 5:00 pm
by mar
gcc -D__KERNEL__ -I/usr/src/linux-2.4.25/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686   -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched  -fno-omit-frame-pointer -c -o sched.o sched.c
In file included from /usr/src/linux-2.4.25/include/asm/mmu_context.h:5,
                 from sched.c:36:
/usr/src/linux-2.4.25/include/asm/desc.h: In function `load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:92: warning: assignment discards qualifiers from pointer target type
/usr/src/linux-2.4.25/include/asm/desc.h: In function `_load_LDT':
/usr/src/linux-2.4.25/include/asm/desc.h:103: structure has no member named `segments'
make[2]: *** [sched.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make[1]: *** [first_rule] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.25/kernel'
make: *** [_dir_kernel] Error 2


This is the error I get when trying to compile 2.4.25 with the pre-release of grsec 1.9.14.

PostPosted: Wed Feb 18, 2004 5:29 pm
by devastor
This patch should fix that:

http://silen.fi/usr/grsec.patch