Wednesday, January 09, 2008

prctl problems have been solved

In 2.6.22.* and prior, a process can call prctl(PR_SET_DUMPABLE, 2), after which the value of current->mm->dumpable will be 2.

Let's see the bad check:

--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1983,7 +1983,7 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
error = current->mm->dumpable;
- if (arg2 < 0 || arg2 > 2) {
+ if (arg2 < 0 || arg2 > 1) {
error = -EINVAL;
current->mm->dumpable = arg2;
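
Review bot: in the changed condition, `arg2 < 0` can never be true, because the hunk header declares arg2 as unsigned long, so the upper bound is the only test that does anything. Suggest dropping the dead comparison and writing `if (arg2 > 1) {`, with a short comment next to it saying why 2 must not be accepted from user space, so the bound is not loosened again later.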

A non-root user can write an exploit like this to set the dumpable flag to two with PR_SET_DUMPABLE:

.global main
main:
    mov $172, %eax    # syscall number of prctl on i386
    mov $4, %ebx      # option = PR_SET_DUMPABLE
    mov $2, %ecx      # arg2 = 2
    int $0x80

It is then possible to send a SIGSEGV signal to this process and have it write a core file in a directory where the user doesn't have permissions.

One way to get root is to create a file in cron.d, or to fill a disk when only root is quota free. RoManSoFt and Dreyer used this trick in their exploit; see rs-labs.

I estimate that the Linux kernel has more bad checks like that.
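
A check a defender can run to confirm that the fixed bound is in effect, as an added example that is not from the original post: it asks the running kernel to accept prctl(PR_SET_DUMPABLE, 2) and reports whether the value was refused. The names probe_dumpable_2 and probe_result are hypothetical.

```c
/* Added example, not from the original post: verify that the running
 * kernel refuses the value 2 for PR_SET_DUMPABLE from user space. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Hypothetical result type for this probe. */
enum probe_result { PROBE_ERROR = -1, PROBE_REJECTED = 0, PROBE_ACCEPTED = 1 };

/* PROBE_REJECTED: the kernel answered EINVAL (the "arg2 > 1" check).
 * PROBE_ACCEPTED: the flag really became 2 (the old "arg2 > 2" check).
 * PROBE_ERROR:    anything else.
 * The caller's original dumpable value is restored before returning. */
enum probe_result probe_dumpable_2(void)
{
    int before = prctl(PR_GET_DUMPABLE, 0UL, 0UL, 0UL, 0UL);
    if (before < 0)
        return PROBE_ERROR;

    errno = 0;
    if (prctl(PR_SET_DUMPABLE, 2UL, 0UL, 0UL, 0UL) == -1)
        return errno == EINVAL ? PROBE_REJECTED : PROBE_ERROR;

    /* The call succeeded: read the flag back, then undo the change. */
    int after = prctl(PR_GET_DUMPABLE, 0UL, 0UL, 0UL, 0UL);
    if (prctl(PR_SET_DUMPABLE, (unsigned long)before, 0UL, 0UL, 0UL) == -1)
        return PROBE_ERROR;
    return after == 2 ? PROBE_ACCEPTED : PROBE_ERROR;
}

int main(void)
{
    switch (probe_dumpable_2()) {
    case PROBE_REJECTED:
        puts("ok: PR_SET_DUMPABLE=2 is rejected with EINVAL");
        return 0;
    case PROBE_ACCEPTED:
        puts("finding: kernel accepts PR_SET_DUMPABLE=2 from user space");
        return 1;
    default:
        perror("prctl");
        return 2;
    }
}
```

The exit status (0 rejected, 1 accepted, 2 error) lets the probe run as a step in a kernel regression or host audit script.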