Thursday, Sep 11th, 2014
File Clobbering in Ubuntu Linux Kernel 3.16 (Utopic) versus 3.13 (Trusty)
by Angelo Plus+

As pointed out in https://twitter.com/grsecurity/status/508354758940581888, there is some new fun in overwriting running executables in the upcoming Ubuntu release. It’s a kernel thing, so other distros are affected, but I’m going with the old standby Ubuntu. (thank you, sadbox for the inotify stuff)

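I’m just going to post findings, because they mostly speak for themselves. For the sake of simplicity, the running ELF binary is named test, and the text file used for the overwrite is test_test.txt (it appears as test_test in the transcripts below). The things to compare between the two releases are the inotify events and the /proc/&lt;pid&gt;/maps entries after the mv: on 14.10 the watch reports ATTRIB and DELETE_SELF and the mappings read /home/vesh/test_test (deleted), while on 14.04 the watch reports only ATTRIB and the mappings read /home/vesh/test (deleted). In both cases the inode number in the maps output is unchanged, so the process is still mapped to the original file.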

 

=======14.10=======

 

vesh@utopical:~$ inotifywait -rme modify,attrib,move,close_write,create,delete,delete_self /home/vesh/test
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/home/vesh/test ATTRIB
/home/vesh/test DELETE_SELF

 

=======14.04=======

 

root@trustyRusty:~# inotifywait -rme modify,attrib,move,close_write,create,delete,delete_self test
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
test ATTRIB

 

=======14.10=======

 

vesh@utopical:~# exit
exit
vesh@utopical:~$ gcc test.cpp -o test
vesh@utopical:~$ ./test &
[1] 11567
vesh@utopical:~$ cat /proc/11567/maps
00400000-00401000 r-xp 00000000 08:01 921270 /home/vesh/test
00600000-00601000 r--p 00000000 08:01 921270 /home/vesh/test
00601000-00602000 rw-p 00001000 08:01 921270 /home/vesh/test

7f35d00bd000-7f35d0277000 r-xp 00000000 08:01 529290 /lib/x86_64-linux-gnu/libc-2.19.so
7f35d0277000-7f35d0477000 ---p 001ba000 08:01 529290 /lib/x86_64-linux-gnu/libc-2.19.so
7f35d0477000-7f35d047b000 r--p 001ba000 08:01 529290 /lib/x86_64-linux-gnu/libc-2.19.so
7f35d047b000-7f35d047d000 rw-p 001be000 08:01 529290 /lib/x86_64-linux-gnu/libc-2.19.so

vesh@utopical:~$ echo "this is sparta" > test
bash: test: Text file busy
vesh@utopical:~$ echo "this is sparta" > test_test
vesh@utopical:~$ mv test_test test
vesh@utopical:~$ ls
Desktop Downloads Music Public sshd_config test Videos
Documents examples.desktop Pictures results.txt Templates test.cpp
vesh@utopical:~$ ls -la
total 148

-rw-rw-r-- 1 vesh vesh 15 Sep 8 16:11 test
-rw-r--r-- 1 root root 137 Sep 8 15:25 test.cpp

vesh@utopical:~$ cat /proc/11567/maps
00400000-00401000 r-xp 00000000 08:01 921270 /home/vesh/test_test (deleted)
00600000-00601000 r--p 00000000 08:01 921270 /home/vesh/test_test (deleted)
00601000-00602000 rw-p 00001000 08:01 921270 /home/vesh/test_test (deleted)

7f35d00bd000-7f35d0277000 r-xp 00000000 08:01 529290 /lib/x86_64-linux-gnu/libc-2.19.so
7f35d0277000-7f35d0477000 ---p 001ba000 08:01 529290 /lib/x86_64-linux-gnu/libc-2.19.so
7f35d0477000-7f35d047b000 r--p 001ba000 08:01 529290 /lib/x86_64-linux-gnu/libc-2.19.so
7f35d047b000-7f35d047d000 rw-p 001be000 08:01 529290 /lib/x86_64-linux-gnu/libc-2.19.so

vesh@utopical:~$ shred test

vesh@utopical:~$ head -n 2 test | xxd
0000000: e4ac 1984 b82d fabf c6eb 6884 04c5 219b .....-....h...!.
0000010: a8e2 8ca1 dd13 8a32 7f3a aea4 8a2f 7102 .......2.:.../q.
0000020: 5abc f901 8a9c 06e2 02c5 56db 9fb9 a260 Z.........V....`

 

=======14.04=======


vesh@trustyrusty:~$ ls
test test.cpp
vesh@trustyrusty:~$ gcc test.cpp -o test
test.cpp: In function ‘int main()’:
test.cpp:12:27: warning: integer overflow in expression [-Woverflow]
if(counter == 5000*5000*5000*5000)
^
vesh@trustyrusty:~$ ./test &
[1] 26383
vesh@trustyrusty:~$ ls -la
total 64

-rwxrwxr-x 1 vesh vesh 8565 Sep 8 09:08 test
-rw-rw-r-- 1 vesh vesh 220 Sep 8 06:33 test.cpp

vesh@trustyrusty:~$ cat /proc/26383/maps
00400000-00401000 r-xp 00000000 08:01 662418 /home/vesh/test
00600000-00601000 r--p 00000000 08:01 662418 /home/vesh/test
00601000-00602000 rw-p 00001000 08:01 662418 /home/vesh/test

7f5c845ef000-7f5c847ab000 r-xp 00000000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so
7f5c847ab000-7f5c849aa000 ---p 001bc000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so
7f5c849aa000-7f5c849ae000 r--p 001bb000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so
7f5c849ae000-7f5c849b0000 rw-p 001bf000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so

vesh@trustyrusty:~$ echo "this is sparta" > test
-bash: test: Text file busy

vesh@trustyrusty:~$ echo "this is sparta" > test_test

vesh@trustyrusty:~$ cat /proc/26383/maps
00400000-00401000 r-xp 00000000 08:01 662418 /home/vesh/test
00600000-00601000 r--p 00000000 08:01 662418 /home/vesh/test
00601000-00602000 rw-p 00001000 08:01 662418 /home/vesh/test

7f5c845ef000-7f5c847ab000 r-xp 00000000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so
7f5c847ab000-7f5c849aa000 ---p 001bc000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so
7f5c849aa000-7f5c849ae000 r--p 001bb000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so
7f5c849ae000-7f5c849b0000 rw-p 001bf000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so

vesh@trustyrusty:~$ mv test_test test

vesh@trustyrusty:~$ cat /proc/26383/maps
00400000-00401000 r-xp 00000000 08:01 662418 /home/vesh/test (deleted)
00600000-00601000 r--p 00000000 08:01 662418 /home/vesh/test (deleted)
00601000-00602000 rw-p 00001000 08:01 662418 /home/vesh/test (deleted)

7f5c845ef000-7f5c847ab000 r-xp 00000000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so
7f5c847ab000-7f5c849aa000 ---p 001bc000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so
7f5c849aa000-7f5c849ae000 r--p 001bb000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so
7f5c849ae000-7f5c849b0000 rw-p 001bf000 08:01 262313 /lib/x86_64-linux-gnu/libc-2.19.so

vesh@trustyrusty:~$ ls -la
total 56

-rw-rw-r-- 1 vesh vesh 15 Sep 8 09:09 test
-rw-rw-r-- 1 vesh vesh 220 Sep 8 06:33 test.cpp

vesh@trustyrusty:~$ shred test

vesh@trustyrusty:~$ head -n 2 test | xxd
0000000: bb7d 4a4a ba74 5b0a 10fc 456a d93d 22a9 .}JJ.t[...Ej.=".
0000010: f4c5 68e9 20d6 1b85 089b 52b0 e859 a2d0 ..h. .....R..Y..