Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Re: Hot fix for do_brk bug

Re: Hot fix for do_brk bug

From: Goetz Babin-Ebell <babin-ebell_at_trustcenter.de>
Date: Fri, 05 Dec 2003 22:31:27 +0100

Hello Shane,

canon_at_nersc.gov wrote:
> I've written a linux kernel module that can be used to hot fix a
> Linux system for the bug in do_brk. It scans the
> kernel space and replaces jmp and calls to do_brk
> to point to a wrapper routine instead. It also maps
> the symbol table to point to the wrapper. This only
> works on x86 and it has only been tested with RH kernels
> 2.4.18-27.7.xsmp and 2.4.20-20.7smp. It is quite possible
> this could crash or screw-up a system, so use at your own
> risk. I've tested the module against the proof of concept code
> written and posted by Christophe Devine. The module catches
> the exploit and logs the attempt.

It would be less intrusive to the kernel to supply a fixed do_brk()
and replace the do_brk with a jump to your version.

This way you only have to touch one place
in the kernel space (and no guesswork, no modify
of kernel data that might look like a pointer to do_brk()
but is really something else...)

Bye

Goetz 

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126

Received on Dec 05 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]