grsecurity forums

by **grsecuser** » Thu Jan 11, 2007 5:09 pm

http://www.digitalarmaments.com/pre2007-00018659.html just got sent to bugtraq. Anyone got an exploit?

by **ralphy** » Thu Jan 11, 2007 10:05 pm

There's supposedly a remote vulnerability as well.

>> 01.08.2007: Linux Grsecurity Remote Vulnerability available to the Platinum Customers. . http://www.digitalarmaments.com/news_news.shtml#

by **Jason** » Fri Jan 12, 2007 6:23 am

Hi,

is there any update today on this?

Jason

by **Oscon** » Fri Jan 12, 2007 7:23 am

grsecuser wrote:http://www.digitalarmaments.com/pre2007-00018659.html just got sent to bugtraq. Anyone got an exploit?

Have you got 80.000 USD ? :wink:

D.A Platinum subscr. :roll:

"exploit avaiable only to Platinum Subscriptors" :wink:

"The annual Platinum Subscription fee is 80,000 $ (US Dollars)" :oops:

by **tosh** » Sat Jan 20, 2007 12:43 pm

Just found this: http://www.securityfocus.com/archive/1/457509 . Testers?

by **ralphy** » Sat Jan 20, 2007 1:09 pm

if( mprotect( (void *) MAP1_BASE, PAGE_SIZE,
PROT_READ | PROT_WRITE | PROT_EXEC ) < 0 )
{
perror( "mprotect map1 base" );
fprintf( stderr, "run chpax -m on this executable\n" );
return( 1 );
}

$ ls -al /sbin/chpax
-rwx--x--- 1 root root 14344 Aug 1 10:50 /sbin/chpax
$

by **aldee** » Sat Jan 20, 2007 2:37 pm

ralphy wrote:$ ls -al /sbin/chpax
-rwx--x--- 1 root root 14344 Aug 1 10:50 /sbin/chpax
$

Are you serious?

Checked it out:

Code: Select all: Jan 20 20:39:37 xena kernel: grsec: From a.b.c.d: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /chroot/.../a.out[a.out:12532] uid/euid:1000/1000 gid/egid:100/100, parent /chroot/bin/bash[bash:12383] uid/euid:1000/1000 gid/egid:100/100 Jan 20 20:39:37 xena kernel: ------------[ cut here ]------------ Jan 20 20:39:37 xena kernel: kernel BUG at mm/mmap.c:2240! Jan 20 20:39:37 xena kernel: invalid opcode: 0000 [#13] Jan 20 20:39:37 xena kernel: Modules linked in: raid1 md_mod dm_mod r8169 crc32 Jan 20 20:39:37 xena kernel: CPU: 0 Jan 20 20:39:37 xena kernel: EIP: 0060:[<00035bca>] Not tainted VLI Jan 20 20:39:37 xena kernel: EFLAGS: 00010202 (2.6.19.2-grsec #1) Jan 20 20:39:37 xena kernel: eax: 00000000 ebx: e70f1e50 ecx: c18d7c40 edx: c12c96a0 Jan 20 20:39:37 xena kernel: esi: 00000000 edi: f7589040 ebp: 00000001 esp: e70f1e40 Jan 20 20:39:37 xena kernel: ds: 0068 es: 0068 ss: 0068 Jan 20 20:39:37 xena kernel: Process a.out (pid: 12532, ti=e70f0000 task=f75cf560 task.ti=e70f0000) Jan 20 20:39:37 xena kernel: Stack: 00000000 e70f1e4c 00000000 00000042 c0c25bbc f7589040 f75cf560 0000000b Jan 20 20:39:37 xena kernel: 00010c6d 0000000b 00014a11 e70f1f0c 0001a0f0 0000000b 0000000b 0000000a Jan 20 20:39:37 xena kernel: 00000000 00000000 e70f1e88 00000000 0000000b f794f11c f794f10c e70f1eec Jan 20 20:39:37 xena kernel: Call Trace: Jan 20 20:39:37 xena kernel: ======================= Jan 20 20:39:37 xena kernel: Code: 00 e0 ff ff 8b 00 8b 80 84 00 00 00 39 02 75 11 0f 20 d8 0f 22 d8 eb 09 89 f0 e8 1a ff ff ff 89 c6 85 f6 75 f3 83 7f 74 00 74 09 <0f> 0b ea be dc 54 c0 c0 08 83 c4 14 5b 5e 5f c3 55 89 cd 57 56 Jan 20 20:39:37 xena kernel: EIP: [<00035bca>] SS:ESP 0068:e70f1e40 Jan 20 20:39:37 xena kernel: <1>Fixing recursive fault but reboot is needed!

That doesn't look too healthy indeed, from what I can tell.

Edit: Looks like a preliminary fix is available: http://grsecurity.net/pipermail/grsecur ... 00829.html

by **specs** » Sun Jan 21, 2007 5:22 pm

I did not get such a warning when trying to run the exploit on a C3 (CONFIG_MCYRIXIII=y).
With an AMD64 I got a minimal message.

Might be just some missing debugging options in the kernel though.

by **crespowu** » Fri Jan 18, 2008 2:52 am

I also think it's related with debugging.

by **danielrigano** » Sat Feb 23, 2008 7:01 am

Have you got 80.000 USD ?

Too expensive!

grsecurity forums

Local root in expand_stack()?

Local root in expand_stack()?

Re: Local root in expand_stack()?

Re: Local root in expand_stack()?

Re: Local root in expand_stack()?