Ptrace hole in 2.4

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Ptrace hole in 2.4

Postby Cyrus » Mon Mar 17, 2003 3:38 pm

Read more from
http://marc.theaimsgroup.com/?l=linux-kernel&m=104791735604202&w=2

make-kpkg produces this error:

i386_ksyms.c:70: `kernel_thread' undeclared here (not in a function)
i386_ksyms.c:70: initializer element is not constant
i386_ksyms.c:70: (near initialization for `__ksymtab_kernel_thread.value')
make[2]: *** [i386_ksyms.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.20/arch/i386/kernel'
make[1]: *** [_dir_arch/i386/kernel] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.20'
make: *** [stamp-build] Error 2

Any fixes/ideas?
Cyrus
 
Posts: 7
Joined: Mon Mar 17, 2003 3:31 pm

Postby spender » Mon Mar 17, 2003 9:34 pm

You didn't patch the failed hunk in include/linux/sched.h

We'll be releasing 1.9.9d soon (tonight or tomorrow) that fixes this ptrace bug (btw people using the ACL system were not affected), and adds in the new PaX ports for several new archs.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby miha » Tue Mar 18, 2003 6:27 pm

stange.. 2.4.19 with grsec isn't affected, however 2.4.20 with grsec with the same settings is affected..
really waiting for new version of grsec, Brad.
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am

Postby spender » Tue Mar 18, 2003 6:36 pm

How have you been able to verify that? I've not seen an exploit released for the hole yet. I would imagine it would be difficult to exploit on a grsec system even without the ACL system. PaX would keep them from injecting arbitrary code into the task via ptrace, and randomized PIDs would make it difficult for the attacker to find the pid of the process spawned by the kernel.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby spender » Tue Mar 18, 2003 8:27 pm

I just tested the exploit. It won't work if PaX is enabled on the system. It would work, however, if someone wrote a ret2libc exploit for it. Of course, if you had an ACL on modprobe in the ACL system, not even that attack would work.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby h4x0r » Wed Mar 19, 2003 3:53 am

I'm assuming this exploit has no bearing on 2.4.x kernels compiled without loadable module support?

cat: /proc/sys/kernel/modprobe: No such file or directory :)
h4x0r
 
Posts: 14
Joined: Sat Jan 11, 2003 5:46 pm

Postby spender » Wed Mar 19, 2003 8:07 am

This exploit, yes, but it would still be possible I think to exploit the hole if you have hotplug support built in (it's enabled by default).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby miha » Wed Mar 19, 2003 10:31 am

spender wrote:How have you been able to verify that? I've not seen an exploit released for the hole yet. I would imagine it would be difficult to exploit on a grsec system even without the ACL system. PaX would keep them from injecting arbitrary code into the task via ptrace, and randomized PIDs would make it difficult for the attacker to find the pid of the process spawned by the kernel.

-Brad


Brad, which exploit have you tried? I used isec-ptrace-kmod-exploit.c
On machine running 2.4.19-grsec it doesn't work, however it works with 2.4.20-grsec which has the same ACL/grsec settings as 2.4.19-grsec :(
miha
 
Posts: 28
Joined: Sat Nov 30, 2002 9:09 am

Postby spender » Wed Mar 19, 2003 11:38 am

You must not have PaX enabled on modprobe. I tried the same exploit as you.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby h4x0r » Wed Mar 19, 2003 7:04 pm

Can the possibility of using the vulnerablility through hotplug be eliminated if sbin/hotplug is renamed or /proc/sys/kernel/hotplug is pointed to a non-existant binary?
h4x0r
 
Posts: 14
Joined: Sat Jan 11, 2003 5:46 pm

Postby spender » Wed Mar 19, 2003 7:48 pm

Yes. I think /sbin/loader can be used for the exploit as well, if misc binary support is compiled in.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby humpback » Thu Mar 20, 2003 12:11 pm

I ma running gentoo. The kernel i use is gentoo-sources-2.4.19-r10.
This kernel comes with grsecurity-1.9.7 .
In this system and using the exploit available at http://hack.co.za the exploit just eats cpu.
If you want to see my grsec options please take a look at http://student.dec.uc.pt/~humpback/grsec.txt
humpback
 
Posts: 1
Joined: Thu Mar 20, 2003 11:50 am

Postby AverageUser » Fri Apr 04, 2003 5:34 pm

In case you aren't aware, this patch reportedly causes system crashes under heavy load:

http://groups.google.com/groups?threadm ... at.bofh.it

A fix is proposed.
AverageUser
 
Posts: 7
Joined: Sun Aug 25, 2002 1:58 pm

Postby spender » Fri Apr 04, 2003 6:02 pm

Thanks for the link. I've committed the change to current CVS. It will be included in grsec 1.9.9f.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support

cron