oss-sec mailing list archives

Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038)

From: mancha <mancha1 () hush com>
Date: Mon, 3 Feb 2014 03:16:13 +0000 (UTC)

On Sun, 02 Feb 2014 08:14:44 +0400, Solar Designer wrote:

On Fri, Jan 31, 2014 at 04:11:16AM +0400, Solar Designer wrote:

<grsecurity> I would not be surprised to see an exploit for this within the next few days


Just off Twitter:

<noptrix> recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y) expl0it - http://pastebin.com/DH3Lbg54

SHA-256(recvmmsg.c.txt) = 4603acf96e845cecd2c5877a68fa5b5c591ba00c52859ded2a31a9daf48a457d

for the version I just downloaded (but did not review, although it looks
sane at first glance).  The exploit includes offsets for 3 Ubuntu kernels.

Alexander


The exploit by Rebel works as advertised. I've confirmed on a non-Ubuntu box 
after making some changes.

Attached find a kernel module I've authored that protects from the attack.

I'm sharing it for folks currently on vulnerable systems still waiting on
patches from their upstream.

 # make
 # insmod nox32recvmmsg.ko

note: rmmod'ing restores original (vulnerable) state.

--mancha

Current thread:

Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038), (continued)
- - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) Kurt Seifried (Jan 31)
- Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) Solar Designer (Jan 31)
  - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) rf (Jan 31)
    - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) Solar Designer (Jan 31)
    - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) rf (Jan 31)
- Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) Matthew Daley (Jan 31)
  - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) Solar Designer (Jan 31)
    - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) PaX Team (Jan 31)
    - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) Yves-Alexis Perez (Feb 01)
- Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) Solar Designer (Feb 01)
  - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) mancha (Feb 02)
    - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) Solar Designer (Feb 02)
    - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) mancha (Feb 02)
  - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) Solar Designer (Feb 02)
- Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) mancha (Feb 02)
  - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) mancha (Feb 03)
    - Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) mancha (Feb 03)