I try to. Most of the time if you see a #define that is not a simple constant in an exploit, it should be at least preprocessed... There are a lot of "ssh exploits" that are really `rm -rf /` wrappers with some interesting preprocessor abuse.
That's what I do, I run it through cpp first and read the code from where the include files end, just to make sure someone isn't social engineering me into doing something stupid.
In case anybody wants to read the code preprocessed it's here:
In this case, an evil system administrator could change the text of /proc/kallsyms (probably via a hacked libc and LD_PRELOAD, or just the hacked libc) and then execute arbitrary code as you, because the exploit code uses an unchecked write into a stack variable (and who compiles their exploit code with a stack protector).
I am almost tempted to do this, use the exploit to get root on my work machines, and then replace the libc... just to see if anyone else tries the exploit. (Note to the literal: not really.)
execv("/bin/sh -c 'for i in `find $HOME`; do echo "rm -f $i"; done', 0);
Which exploit are you running? The one that was posted on full disclosure: http://seclists.org/fulldisclosure/2010/Sep/268 includes bypasses for selinunx, and used to include code to bypass grsec.
That's not a problem to read, and it's really easy to recognize since everyone's been sent it at some point in their life.
For those having trouble:
bomb() {
bomb | bomb & # spawns two subprocesses, each running bomb
# on one end of a pipe, neither will die
# so long as the other exists
}
bomb # kick off the bomb
Hm? Though on Linux I'm sure it varies from distro to distro, my Fedora 10 box has ulimit -u at 1024, and my OSX 10.6 install has it at 266 (2^8 + 10? Wonder how they decided on that number).
(And yes, I tried forkbombing them for the hell of it, both systems took it entirely in stride, as would be expected.)
Does anyone know of any current distros that don't set a sensible process limit in the default install?
From that file, this guy http://swiecki.net/index.html is mentioned a few times in the comments, I'd guess it's him (perhaps this is what the other reply to this thread meant).
Anyone would like to explain why stuff like this is not automatically tested? Introducing tests into the kernel source tree would actually help its development and prevent incidents like this, wouldn't it?
I understand device drivers cannot be easily tested (unless we write accurate hardware simulators, which can be done with a lot of effort), and the same happens with time-critical stuff (that could be solved with even more hardware emulation) but this kind of stuff (checking if a known exploit fails) could and should be tested in automated fashion.
Not everything can be tested reliably and automatically, but what can, should.
Oh, you're talking about regression testing. While you have a point, I'd like to point out a recent vulnerability [1] that would likely fail many a test for two reasons:
- The bug is not concrete. It's not entirely in the kernel, and it's not entirely in userspace.
- The developers have a poor understanding of the bug. The current "fix" only mitigates the problem. There are system configurations where it can still be exploited. There are other issues [2] that arise from large address space management that are waiting to be fixed because of this.
But I agree that regression testing for the whole kernel tree should probably be implemented. (for the various subsystems, many developers develop their own test suites)
I tried the exploit on all our 64 bit boxes and it seems to fail on every one of them.
Here are the uname -a strings from a representative sample:
Linux c01_04.ttc.com 2.6.17.11 #3 SMP Wed Oct 10 06:16:52 EDT 2007 x86_64 GNU/Linux
Linux root-desktop 2.6.31-16-generic #53-Ubuntu SMP Tue Dec 8 04:02:15 UTC 2009 x86_64 GNU/Linux
Linux eleven.ttc.com 2.6.15 #2 SMP Thu Mar 9 09:06:54 EST 2006 x86_64 GNU/Linux
Linux backup01.ttc.com 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
On the last one it exits with 'symbol table not available, aborting!'.
Off-topic, how many of you actually review a program like this before running it?