Kernel Level Vulnerabilities
Behind the Scenes of the 5th Argus Hacking Challenge

by Last Stage of Delirium Research Group
http://lsd-pl.net

Version: 1.0.2
Updated: November 22nd, 2001

Copyright © 2001 The Last Stage of Delirium Research Group, Poland

© The Last Stage of Delirium Research Group 1996-2001. All rights reserved.

The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected.

The Last Stage of Delirium Research Group reserves the right to change or discontinue this document without notice.

Table of contents

1 Introduction
2 The ldt x86 bug
  2.1 Problem description
  2.2 Solaris 2.7 2.8 x86
    2.2.1 Installation of call gate descriptor
    2.2.2 Jumping through new call gate
    2.2.3 Executing code on the kernel stack
    2.2.4 Increasing process privileges
  2.3 NetBSD 1.4 1.4.x 1.5 x86 / OpenBSD 2.6-2.8 x86
  2.4 SCO Unixware 7.0.1
  2.5 SCO OpenServer