Date: Tue, 25 Oct 2016 09:48:43 +0200

Hi Akemi,

The fix allows me to run the cow vulnerability, but it blocks, which is good.
See the following:

    DirtyCow root privilege escalation
    Backing up /usr/bin/passwd to /tmp/bak
    Size of binary: 27832
    Racing, this may take a while..
    thread stopped
    thread stopped

Based on the following bug report,
https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13
I had compiled a similar module which does the same:

1) Download kernel-debuginfo and kernel-debuginfo-common

    yum install kernel-debuginfo kernel-debuginfo-common --enablerepo=*

2) Create a file mitigation.stp with the following content:

    // Force the length of any write through mem_write() to zero
    probe kernel.function("mem_write").call ? {
        $count = 0
    }

    // Replace the ptrace request code with an invalid one
    probe syscall.ptrace { // includes compat ptrace as well
        $request = 0xfff
    }

    probe begin {
        printk(0, "CVE-2016-5195 mitigation loaded")
    }

    probe end {
        printk(0, "CVE-2016-5195 mitigation unloaded")
    }

3) Build the module

    stap -g -p 4 mitigation.stp

4) The module file is placed in the following location

    /root/.systemtap/cache/f4/stap_f4efcb030069a07d7cacae195d59169a_65631.ko

5)

    staprun -L stap_f4efcb030069a07d7cacae195d59169a_65631.ko

6) Deploy and run the module on all affected machines.

So my question is: what exactly has been patched in the recent upstream kernel?

Valentin

On 10/25/2016 02:04 AM, Akemi Yagi wrote:
> Hi Valentin,
>
> On Mon, Oct 24, 2016 at 1:13 PM, Valentin B wrote:
>> Hi Pat,
>>
>> If this patch / fix was applied to kernel 3.10.0-327.36.3.el7.x86_64
>> then it seems to me more of a mitigation / blocker instead.
> Which "patch / fix" are you referring to? Could you elaborate?
>
> I believe the patch applied to the 7.2 kernel is in principle the same
> as what appeared in the upstream kernels at kernel.org. The two
> patches are not identical due to rather heavy modifications done to
> the RHEL kernel.
>
>> The patch applied to 4.7.9-200.fc24.x86_64 on Fedora 24 seems more of a
>> proper fix. The cowroot vulnerability doesn't get the chance to be
>> executed at all.
>>
>> Best regards,
>> Valentin
> Akemi
--
Valentin Bajrami
Kapteyn Astronomical Institute
University of Groningen
Postbus 800
NL-9700 AV Groningen
The Netherlands
Phone: +31-(0)50-3634068
PGP Fingerprint: 50D7 E233 C2E0 1C81 BB7F F8D8 E51B CF89 A52E 5271
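
One way to confirm on each machine that the module deployed in step 6 is still active, as an added example that is not part of the original message: it reads kernel log text for the two printk markers from mitigation.stp and reports the last one seen. The names mitigation_state and sample_log, the --live switch and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): judge whether the SystemTap
# mitigation is active from the markers its begin/end probes print.

LOADED_MARK='CVE-2016-5195 mitigation loaded'
UNLOADED_MARK='CVE-2016-5195 mitigation unloaded'

# mitigation_state: read kernel log text on stdin and print one of
#   loaded | unloaded | absent
# The last marker wins, so a load followed by an unload reads "unloaded".
# "absent" also covers a log that has rotated past the marker, so treat
# it as "needs a closer look", not as proof the module was never loaded.
mitigation_state() {
    awk -v on="$LOADED_MARK" -v off="$UNLOADED_MARK" '
        index($0, off) { state = "unloaded"; next }
        index($0, on)  { state = "loaded" }
        END { print (state == "" ? "absent" : state) }
    '
}

# Constructed sample kernel log lines (timestamps are made up).
sample_log() {
    cat <<'EOF'
[  812.101] CVE-2016-5195 mitigation loaded
[  990.553] CVE-2016-5195 mitigation unloaded
[ 1042.007] CVE-2016-5195 mitigation loaded
EOF
}

# On a real host: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    dmesg | mitigation_state
fi
```

Anything other than "loaded" on a machine still running an unpatched kernel means the module needs to be loaded again with staprun.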