Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <d7f72dad06e6d0b63f8418529f265784@fc.up.pt>
Date: Wed, 03 Apr 2019 16:15:21 +0100
From: Federico Manuel Bento <up201407890@...up.pt>
To: oss-security@...ts.openwall.com
Subject: Linux kernel < 4.8 local generic ASLR bypass for setuid binaries

Hi list,

As far as I know, commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 wasn't 
backported to earlier kernels, which fixed a vulnerability (unknown at 
the time?) that allows local attackers to derandomize the base address 
of .text and stack generically for all setuid binaries. My guess is that 
such change was done as a later response to one of Jann Horn's reports 
(https://bugs.chromium.org/p/project-zero/issues/detail?id=807) that was 
fixed in commit 79c9ce57eb2d5f1497546a3946b4ae21b6fdc438. In any case, 
the vulnerable code is still present in other binary formats (if they're 
still relevant), e.g., in fs/binfmt_aout.c (and others).

If my assumptions are incorrect, please let me know :)

I've also attached a PoC exploit code.

Thanks,
Federico.
View attachment "aslrip.c" of type "text/x-c" (2694 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.