Re: Hotfix for new mremap vulnerability

From: Marc-Christian Petersen (m.c.p_at_gmx.net)
Date: 02/21/04

    To: bugtraq@securityfocus.com
    Date: Sat, 21 Feb 2004 04:14:54 +0100
    
    

    On Thursday 19 February 2004 17:32, Pavel harry_x Palát wrote:

    Hi Pavel,

    > Greetings,
    >
    > Here (http://wizard.ath.cx/fixmremap2.tar.gz) is a small hotfix for the
    > newly discovered mremap() vulnerability. It
    > doesn't directly change do_mremap() code, it just overwrites the syscall
    > handler with an LKM. In my opinion it is enough to fix just the mremap()
    > syscall because at least on x86 there are no other functions which would
    > use do_mremap directly. But this may not be true on other platforms (for
    > example ia64)...
    > The package contains the hotfix and a small proof of concept program which
    > can be used to see if the kernel is vulnerable.
    > Use at your own risk.

    - call the POC exploit on a vulnerable system
    - echo "1000000" > /proc/sys/vm/max_map_count
    - call the POC exploit again
    - see the difference

    Well, at least it prevents the POC exploit, maybe there's more though.

    Kudos to the PaX team :)

    -- 
    ciao, Marc
    
