Dailydave mailing list archives

Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Mon, 5 Mar 2007 14:42:08 +0100 (CET)

On Mon, 5 Mar 2007, TINNES Julien RD-MAPS-ISS wrote:

> So, to exploit "to-userland pointer dereference" class of kernel flaws,
> you just have to mmap() the page at the correct address (and mmap at 0
> is perfectly allowed).
> [...]
> I don't understand you here. The bug spender has mentioned is, afair,
> exactly a null pointer dereference.

You're not exploiting any userland application (the code being run is your
own program, you already have full control of it), correct? You're
attacking the kernel. The flaw in the kernel is not caused by a null pointer
dereference (the kernel is not vulnerable because of trying to read or
write *0x0 - that's what a dereference is).

The flaw is caused by a missing check that allows you to gain access to
the first physical page of memory, which you can then read or write. So a
proper title would be "on exploiting missing checks" or "on gaining access
to *0x0". Note that Brad's exploit doesn't even get to access 0x0 in the
process's address space - he just gets an instance of physical page 0
mapped to some sane address.

Yeah, it's just semantics, but the issue is important in that we do not
want crashes caused by userland NULL pointer dereferences to be considered
exploitable by those who misinterpret the nature of this flaw.

> http://cansecwest.com/core05/memory_vulns_delalleau.pdf

Yeah, seen that presentation in person. That's a wholly different class of
problems, and I did mention it in my initial response (some architectures,
and some large-offset operations on NULL ptr tables or structures, are
vulnerable; NULL ptr derefs as such usually aren't).

/mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
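The quoted claim that "mmap at 0 is perfectly allowed" is the precondition that turns a kernel-side dereference of a userland pointer into something an unprivileged process can steer. The following C program is an added hardening check, not code from this thread or from any of the participants: it reads the vm.mmap_min_addr floor (a later kernel sysctl, not mentioned in the email) and probes whether the running process can actually map the page at 0x0, immediately unmapping it again. Output values are whatever the host reports; nothing here is taken from the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Read the kernel's lowest allowed mmap address from procfs.
 * Returns -1 when the file is unavailable (non-Linux, no procfs,
 * or a kernel predating the sysctl). */
long read_mmap_min_addr(void) {
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Policy helper: a floor at or above one page keeps page zero
 * out of reach of ordinary mmap() calls; a floor of 0 does not. */
int floor_protects_page_zero(long min_addr, long page_size) {
    return min_addr >= page_size;
}

/* Probe: attempt to reserve exactly one anonymous page at address 0.
 * Returns 1 if the kernel granted the mapping (and we released it),
 * 0 if it was refused. MAP_FIXED is needed because a hint of 0 means
 * "no preference" and would be placed elsewhere. */
int probe_page_zero_mappable(void) {
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, (size_t)page);
    return 1;
}

int main(void) {
    long page = sysconf(_SC_PAGESIZE);
    long floor = read_mmap_min_addr();

    if (floor < 0)
        printf("vm.mmap_min_addr: not available\n");
    else
        printf("vm.mmap_min_addr = %ld (%s)\n", floor,
               floor_protects_page_zero(floor, page) ? "protects page zero"
                                                     : "page zero NOT protected");

    int mappable = probe_page_zero_mappable();
    printf("page 0x0 mappable by this process: %s (errno on refusal: %s)\n",
           mappable ? "yes" : "no", mappable ? "n/a" : strerror(errno));
    return 0;
}
```

Run it as an unprivileged user; "no" with EPERM or EACCES is the expected answer on a hardened system. A "yes" means the kernel would hand this process the address that a kernel-side userland-pointer dereference reads from, which is exactly the precondition the thread is discussing.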