mailing list archives
Re: Linux kernel ELF core dump privilege elevation (kernel module workaround)
From: Andrew Griffiths <andrewg () felinemenace org>
Date: Thu, 12 May 2005 00:29:02 +0000
On Wed, May 11, 2005 at 01:08:56PM +0200, Paul Starzetz wrote:
Unprivileged local users may gain elevated (root) privileges. Code may
be executed at the kernel privilege level potentially breaking out of
Linux virtual machines. A hotfix for this vulnerability is to disallow
processes to drop core. This can be accomplished by setting the hard
core size limit to 0.
Some code for doing this in kernel space is at
It loops over all processes and sets the soft limit and hard limit for
processes to 0. The limits.conf measure isn't entirely enough if people
have screen sessions, or you have various daemons running etc.
Here is the output of the PoC code failing:
[+] Compiling...elfcd1.c: In function `main':
elfcd1.c:48: warning: implicit declaration of function
elfcd1.c:54: warning: implicit declaration of function
elfcd1.c:60: warning: implicit declaration of function
[+] ./elfcd1 argv_start=0xbffff791 argv_end=0xbffff799
setrlimit: Operation not permitted
This code has been tested twice so far, one on a non-production box, and
one of a production box. I'd like to thank mercy for doing the initial
test for me as I didn't have an test boxes nearby. It has been only
tested on 2.4 series kernels.
If it does break anything, I'd like to know. Granted, doesn't mean I can
do anything with it to make it work for you, as it works for me (tm).