Date: Wed, 03 Apr 2019 16:15:21 +0100
From: Federico Manuel Bento <up201407890@...up.pt>
To: oss-security@...ts.openwall.com
Subject: Linux kernel < 4.8 local generic ASLR bypass for setuid binaries

Hi list,

As far as I know, commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 wasn't backported to earlier kernels. It fixed a vulnerability (unknown at the time?) that allows local attackers to derandomize the base address of .text and the stack generically for all setuid binaries.

My guess is that such a change was made as a later response to one of Jann Horn's reports (https://bugs.chromium.org/p/project-zero/issues/detail?id=807), which was fixed in commit 79c9ce57eb2d5f1497546a3946b4ae21b6fdc438.

In any case, the vulnerable code is still present in other binary formats (if they're still relevant), e.g., in fs/binfmt_aout.c (and others).

If my assumptions are incorrect, please let me know :)

I've also attached a PoC exploit code.

Thanks,
Federico.

View attachment "aslrip.c" of type "text/x-c" (2694 bytes)