Re: Re: Linux kernel do_mremap() proof-of-concept exploit code

[Pierre BETOUIN <info16 () ifrance com>]

That's true. The piece of vulnerable code is here :

#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
                if (current->flags & PF_PAX_SEGMEXEC) {
                        if (new_len > SEGMEXEC_TASK_SIZE || new_addr
                                        > SEGMEXEC_TASK_SIZE-new_len)
                        goto out;
                } else
#endif  

The PoC can be easily adapted.

        Pierre

Le mar 06/01/2004 à 21:34, backblue a écrit :
> On Tue, 6 Jan 2004 11:47:26 -0700
> "Epic" <epic () hack3r com> wrote:
>
> > I too tested it on my 2.4.23 kernel with grsec, and nothing.
> >
> >
> > ----- Original Message ----- 
> > From: "Daniel Husand" <io () naiv us>
> > To: <full-disclosure () lists netsys com>
> > Sent: Tuesday, January 06, 2004 10:54 AM
> > Subject: [Full-disclosure] Re: Linux kernel do_mremap() proof-of-concept
> > exploit code
> >
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Christophe Devine wrote:
> > >
> > > | The following program can be used to test if a x86 Linux system
> > > | is vulnerable to the do_mremap() exploit; use at your own risk.
> > > |
> > > | $ cat mremap_poc.c
> > > |
> > >
> > > This didnt do anything on my 2.4.23-grsec kernel.
> > >
> > > - --
> > > Daniel
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.3 (MingW32)
> > > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> > >
> > > iD8DBQE/+vZz1PIgHh6MkiIRAiqNAKCiuyxtA9rgaAS+eT3o9ATvLE7EuQCeJAZP
> > > Xf8JIDehgtGba4b1Eb2Qv0w=
> > > =xyYM
> > > -----END PGP SIGNATURE-----

-- 
Pierre BETOUIN
        http://securitech.homeunix.org
        http://www.challenge-securitech.com
GnuPG key : E7AD 29A1 7345 5BA0 9469  DE62 2CD5 9242 94D9 CB23
lynx -dump securitech.homeunix.org/pbetouin.asc | gpg --import

Attachment: signature.asc
Description: Ceci est une partie de message numériquement signée.