| 1 |
On 13/5/2005 16:09:23, Pedro Venda (pjvenda@××××××××××××.org) wrote: |
| 2 |
|
| 3 |
> On a PaX+grsecurity hardened server, it outputs: |
| 4 |
> ... |
| 5 |
> [+] phase2, <RET> to crash Killed |
| 6 |
What kernel version? |
| 7 |
|
| 8 |
The hardened 2.6.11.1 kernel is not vulnerable to the exploit as described, because the bug used to trigger the feature is not present. If you read all the way through http://isec.pl/vulnerabilities/isec-0023-coredump.txt and compare it with the 2.6.11 kernel source, you'll see that although the arithmetic error is present (see fill_psinfo()), the bug used to get to it is not. See https://bugs.gentoo.org/show_bug.cgi?id=92264 |
| 9 |
|
| 10 |
This doesn't mean necessarily that there is not another way to exploit it. Exercise for the reader to find one ;) |
| 11 |
|
| 12 |
> On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8 |
| 13 |
> kernels) [...] |
| 14 |
> [+] phase 2, <RET> to crash Segmentation fault (core dumped) |
| 15 |
|
| 16 |
I haven't checked all kernel versions, but the vanilla 2.6.11.7 prevents the exploit in the same way as the hardened kernel. The difference between killed and core dump may be due to the grsecurity/pax patches, or could simply be differences between 2.6.11.1 and 2.6.11.7 (i.e. nothing to do with hardened). Either way, the exploit fails - not because of anything particular in the hardened kernel, but due to better written upstream code in create_elf_tables(). |
| 17 |
|
| 18 |
Kev. |
| 19 |
|
| 20 |
(removed cc to security@, since they've already seen this argument on bug #92264) |
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
-- |
| 25 |
gentoo-hardened@g.o mailing list |
Archives