Bugtraq mailing list archives

Re: ptrace/execve race condition exploit (non brute-force)


From: Mariusz Woloszyn <emsi () IPARTNERS PL>
Date: Wed, 28 Mar 2001 01:32:15 +0200

On Tue, 27 Mar 2001, Wojciech Purczynski wrote:


Hi,

Here is an exploit for the ptrace/execve race condition bug in Linux kernels up
to 2.2.18.


Hi!

I've seen a tool that works better than this, using a different approach to
the same bug; it exploits it on all platforms, giving instant root without the
need to cat garbage files to clear the disk cache!!!

Anyway: here is a fast way to fix the problem (but it introduces a new one), a
kernel module that disables the ptrace syscall.
It works for 2.0 and 2.2 kernels (I haven't tested it under 2.4).
All you need to do is:

emsi:~# gcc -c npt.c
emsi:~# insmod ./npt.o


And here is how it works:

[before installing module]
emsi:~/hack/ptrace> ./a.out /sbin/powerd
[*] Child exec...
[+] Waiting for disk sleep....  dunno why but that printf helps sometimes
;)
[OK]
[+] ATTACH: 0 : Success
[+] eip: 0x1109d0 -> 0x805a41b
[+] copy data from 0x805a3e0 to 0xbffff100
[...............]
[?] DETACH: 0 : Success
Status of 5342: R
bash#
[installing module]
bash# /sbin/insmod ./npt.o
bash# exit
emsi:~/hack/ptrace> ./a.out /sbin/reboot
[*] Child exec...
[+] Waiting for disk sleep....  dunno why but that printf helps sometimes
;)
[OK]
[--] ATTACH: Operation not permitted      <==== see this
Exiting...
emsi:~/hack/ptrace> Unknown id: ELF


It removes the possibility to trace processes, but gives an instant shield
against hackers.


greets: nergal, Lam3rZ, teso brothers, nises, hert and others :)

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners

Attachment: npt.c
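A small userspace probe, added here and not part of the post or its npt.c attachment, that repeats the check shown in the transcript above: it attempts PTRACE_ATTACH on its own idle child and reports whether the kernel refuses it (EPERM, "Operation not permitted", once a ptrace-disabling module is loaded), so an administrator can verify the mitigation is actually in place on a host.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork an idle child and try PTRACE_ATTACH on it.
 * Returns 1 if the attach succeeds (ptrace is usable), 0 if the kernel
 * refuses it (with a ptrace-disabling module loaded this is EPERM), and
 * -1 if fork fails. The attach errno is stored in *out_errno when given. */
int ptrace_attach_allowed(int *out_errno)
{
    int result, status;
    pid_t child;

    if (out_errno)
        *out_errno = 0;
    child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        pause();            /* child: idle until the parent kills it */
        _exit(0);
    }
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
        waitpid(child, &status, 0);                /* wait for attach stop */
        ptrace(PTRACE_DETACH, child, NULL, NULL);
        result = 1;
    } else {
        if (out_errno)
            *out_errno = errno;
        result = 0;
    }
    kill(child, SIGKILL);   /* clean up the helper child either way */
    waitpid(child, NULL, 0);
    return result;
}

int main(void)
{
    int err = 0;
    int r = ptrace_attach_allowed(&err);

    if (r == 1)
        printf("[!] ATTACH succeeded: ptrace is usable on this host\n");
    else if (r == 0)
        printf("[OK] ATTACH refused: %s\n", strerror(err));
    else
        printf("[--] fork failed: %s\n", strerror(errno));
    return r == 0 ? 0 : 1;
}
```

On a stock kernel without such a module the probe reports that the attach succeeded, which is the state the post's transcript shows before insmod.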