Re: amd remote root exploit code

[crispin () CSE OGI EDU (Crispin Cowan)]

Taeho Oh wrote:

>  This is amd remote exploit code. This is well known bug in the internet.
>  It's very critical bug, please upgrade am-utils or remove it.
> begin amd-ex.c
> ----------------------------------------------------------------------
> /*        Amd Buffer Overflow for x86 linux
>
>         Remote user can gain root access.
>
>         Tested redhat linux : 4.0, 5.1, 6.0
>         Tested am-utils version : 6.0

We finally got around to testing this exploit against a StackGuarded amd.  StackGuard stopped it,
producing this intrusion detection alert in syslog:

Oct 20 01:40:47 kryten amd[326]: Immunix type 1 Canary[0] = aff0d died with cadaver bffff34d in
procedure real_plog.

For clarification, this test was performed against am-utils-6.0a16-4, which was NOT patched against
the bug that this exploit attacks.  This is the general point of StackGuard protection: to defend you
against bugs that you do *not* know about or have *not* patched.  You can get the StackGuarded amd
here:   http://immunix.org/StackGuard/RH52/RPMS/am-utils-6.0a16-4_SG12.i386.rpm

As usual, you can get StackGuard compiler and StackGuarded Linux systems at http://immunix.org

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org