oss-sec mailing list archives
Linux kernel < 4.8 local generic ASLR bypass for setuid binaries
From: Federico Manuel Bento <up201407890 () fc up pt>
Date: Wed, 03 Apr 2019 16:15:21 +0100
Hi list,

As far as I know, commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 wasn't backported to earlier kernels, which fixed a vulnerability (unknown at the time?) that allows local attackers to derandomize the base address of .text and stack generically for all setuid binaries. My guess is that such a change was done as a later response to one of Jann Horn's reports (https://bugs.chromium.org/p/project-zero/issues/detail?id=807) that was fixed in commit 79c9ce57eb2d5f1497546a3946b4ae21b6fdc438. In any case, the vulnerable code is still present in other binary formats (if they're still relevant), e.g., in fs/binfmt_aout.c (and others).

If my assumptions are incorrect, please let me know :) I've also attached a PoC exploit code.

Thanks,
Federico.
Attachment: aslrip.c
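The post draws its line at mainline 4.8 (the release that carries commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46) and notes the fix was not backported. A defender's first question is therefore which hosts still run an older kernel and what setuid surface they expose. The following is an added inventory script, not part of the original post or its attachment; it parses the `uname -r` release string, compares the major.minor against the 4.8 boundary stated above, and lists setuid binaries under the directories given. The boundary constant `FIXED_IN` and the default search paths are assumptions for illustration; distributions that ship the fix under an older version number will need their own changelog check, which this script cannot see.

```python
import os
import platform
import re
import stat

# Boundary taken from the post: mainline 4.8 carries the fixing commit.
# Assumption: vendor kernels are judged by version number only here.
FIXED_IN = (4, 8)

# Assumed default search roots for setuid binaries (constructed list).
DEFAULT_PATHS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin")


def parse_kernel_version(release):
    """Return (major, minor) from a release string such as
    '4.4.0-148-generic' or '3.10.0-957.el7.x86_64'; None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)", release)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def predates_fix(release, fixed_in=FIXED_IN):
    """True if the kernel version predates the boundary, False if not,
    None if the release string could not be parsed."""
    version = parse_kernel_version(release)
    if version is None:
        return None
    return version < fixed_in


def list_setuid(paths=DEFAULT_PATHS):
    """Walk the given directories and return sorted paths of regular
    files with the setuid bit set. Unreadable entries are skipped."""
    found = []
    for root in paths:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.stat(full)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append(full)
    return sorted(found)


def report_host():
    """Summarise this host: kernel release, whether it predates the
    boundary, and the setuid binaries found under DEFAULT_PATHS."""
    release = platform.release()
    verdict = predates_fix(release)
    setuid = list_setuid()
    return {"release": release, "predates_fix": verdict, "setuid": setuid}


if __name__ == "__main__":
    r = report_host()
    status = {True: "predates 4.8", False: "4.8 or later", None: "unparseable"}[r["predates_fix"]]
    print(f"kernel {r['release']}: {status}")
    print(f"{len(r['setuid'])} setuid binaries found:")
    for path in r["setuid"]:
        print("  " + path)
```

Run it as an unprivileged user on each host in the fleet; a "predates 4.8" verdict together with a non-empty setuid list is the condition the post describes, and the list itself is the set of binaries whose ASLR the reported bug affects. A version number alone is not proof of exposure on vendor kernels, so treat the verdict as a triage signal rather than a final answer.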
Current thread:
- Linux kernel < 4.8 local generic ASLR bypass for setuid binaries Federico Manuel Bento (Apr 03)
- Re: Linux kernel < 4.8 local generic ASLR - CVE-ID Vladis Dronov (Apr 15)
- Re: Linux kernel < 4.8 local generic ASLR - another CVE-ID Vladis Dronov (Apr 18)
- Re: Linux kernel < 4.8 local generic ASLR - another CVE-ID Solar Designer (May 22)