Re: Linux kernel do_mremap() proof-of-concept exploit code

[Ariel Biener <ariel () fireball tau ac il>]

On Mon, 5 Jan 2004, Christophe Devine wrote:


 Hi,


   I tested it on various machines, including single/dual pIII,
single/dual Xeon P4, etc.

   I only managed to either freeze the machine or reboot it.

   However, since this compiled binary needs to special permissions to be
affective, I have found out that on any mail server where the user can
edit his .procmailrc or .forward in this home directory (typical
deparmental or even campus Linux mail servers at academic institutes), and
do the following:

:0
* ^Subject: reboot
| /path/to/homedir/do_remap

   Then, at his convenience, all he/she needs to do is send an e-mail to
themselves with the subject reboot, and voilla, either the mail servers
reboots or goes caput (freezes). Nasty.

--Ariel

> The following program can be used to test if a x86 Linux system
> is vulnerable to the do_mremap() exploit; use at your own risk.

--
Ariel Biener
e-mail: ariel () post tau ac il
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html