Re: Backport of the integer overflow in the brk system call

To: debian-devel@lists.debian.org
Subject: Re: Backport of the integer overflow in the brk system call
From: Isaac To <kkto@csis.hku.hk>
Date: Tue, 02 Dec 2003 23:06:44 +0800
Message-id: <[🔎] 7ir7zn45tn.fsf@enark.csis.hku.hk>
In-reply-to: <[🔎] 20031202141451.GC6613@compsoc.dur.ac.uk> (Jonathan Dowland's message of "Tue, 2 Dec 2003 14:14:51 +0000")
References: <[🔎] 3FCBCF99.3000907@sentinel.dk> <[🔎] E1AR6Vn-0001YY-Vx@mid.downhill.at.eu.org> <[🔎] 20031202102343.GA7743@comcast.net> <[🔎] E1AR8O9-0002Pi-7j@mid.downhill.at.eu.org> <[🔎] 20031202141451.GC6613@compsoc.dur.ac.uk>

>>>>> "Jonathan" == Jonathan Dowland <jmtd@bylands.dur.ac.uk> writes:

    Jonathan> On Tue, Dec 02, 2003 at 12:08:17PM +0100, Andreas Metzler
    Jonathan> wrote:
    >> Afaik: 2.4.23 contains literally 100s of changes, one of these was a
    >> small change to do_brk(), which looked like a normal non-critical
    >> bugfix to everybody involved. Some time later Debian was hacked and
    >> backtracing how the intruder got superuser privileges revealed that
    >> that the do_brk() without the "small change" was guilty, it had been
    >> no simple bug but a local privilege escalation issue.

    Jonathan> My understanding is that the do_brk vulnerability allowed
    Jonathan> access to kernel address space. It seems a lot of work is
    Jonathan> needed to move from that freedoom to spawning a root
    Jonathan> shell. I'd be interested in seeing a worked example.

Actually I'm staring at the code for hours without much success about how to
write anything in the kernel.  It does not literally allow access to the
kernel address space: if it does so, all you need to do is to traverse the
kernel data structures to find where is the task_struct for the process
itself and change the EUID to 0 in order to get root.  What the bug gives is
a memory region that extends through the kernel memory.  The process cannot
access that region: it is protected, and you can read it only in kernel
mode.  You cannot try to pass that as an address buffer to a system call
either: system calls check whether address is past the end of process
address space.  So the program must somehow trick the kernel into accessing
the region by itself, and since the kernel believes the correctness of the
region it will not do any further checking.  The only way that readily comes
to mind is to let the program core dump: the kernel will most likely happily
read all the kernel memory and save it into the core file.  But it is still
rather far from changing anything in the kernel memory.  Andreas is
definitely right that the hole doesn't look like that it is that dangerous.

Regards,
Isaac.

Reply to:

Follow-Ups:
- Re: Backport of the integer overflow in the brk system call
  - From: Tom <tb.31123.nospam@comcast.net>

References:
- Backport of the integer overflow in the brk system call
  - From: Frederik Dannemare <tux@sentinel.dk>
- Re: Backport of the integer overflow in the brk system call
  - From: Andreas Metzler <ametzler@downhill.at.eu.org>
- Re: Backport of the integer overflow in the brk system call
  - From: Tom <tb.31123.nospam@comcast.net>
- Re: Backport of the integer overflow in the brk system call
  - From: Andreas Metzler <ametzler@downhill.at.eu.org>
- Re: Backport of the integer overflow in the brk system call
  - From: Jonathan Dowland <jmtd@compsoc.dur.ac.uk>

Prev by Date: Re: Revival of the signed debs discussion
Next by Date: Re: Revival of the signed debs discussion
Previous by thread: Re: Backport of the integer overflow in the brk system call
Next by thread: Re: Backport of the integer overflow in the brk system call
Index(es):
- Date
- Thread