lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1251721922.7495.5.camel@logos>
Date: Mon, 31 Aug 2009 09:32:02 -0300
From: Ramon de Carvalho Valle <ramon@...esecurity.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Illustrating the Linux sock_sendpage() NULL pointer dereference on
 Power/Cell BE Architecture

I've released an exploit for the Linux sock_sendpage() NULL pointer
dereference[1], discovered by Tavis Ormandy and Julien Tinnes. This exploit
was written to illustrate the exploitability of this vulnerability on
Power/Cell BE architecture.

The exploit makes use of the SELinux and the mmap_min_addr problem to exploit
this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. The
problem, first noticed by Brad Spengler, was described by Red Hat in Red Hat
Knowledgebase article: Security-Enhanced Linux (SELinux) policy and the
mmap_min_addr protection[2].

Support for i386 and x86_64 was added for completeness. For a more complete
implementation, refer to Brad Spengler's exploit[3], which also implements
the personality trick[4] published by Tavis Ormandy and Julien Tinnes.

Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
are vulnerable.

The exploit was tested on:

 * CentOS 5.3 (2.6.18-128.7.1.el5) is not vulnerable
 * CentOS 5.3 (2.6.18-128.4.1.el5)
 * CentOS 5.3 (2.6.18-128.2.1.el5)
 * CentOS 5.3 (2.6.18-128.1.16.el5)
 * CentOS 5.3 (2.6.18-128.1.14.el5)
 * CentOS 5.3 (2.6.18-128.1.10.el5)
 * CentOS 5.3 (2.6.18-128.1.6.el5)
 * CentOS 5.3 (2.6.18-128.1.1.el5)
 * CentOS 5.3 (2.6.18-128.el5)
 * CentOS 4.8 (2.6.9-89.0.9.EL) is not vulnerable
 * CentOS 4.8 (2.6.9-89.0.7.EL)
 * CentOS 4.8 (2.6.9-89.0.3.EL)
 * CentOS 4.8 (2.6.9-89.EL)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5) is not vulnerable
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.el5)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL) is not vulnerable
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.EL)
 * SUSE Linux Enterprise Server 11 (2.6.27.19-5)
 * SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21)
 * Ubuntu 8.10 (2.6.27-14) is not vulnerable
 * Ubuntu 8.10 (2.6.27-11)
 * Ubuntu 8.10 (2.6.27-9)
 * Ubuntu 8.10 (2.6.27-7)
 
The exploit is available at our exploits section or directly at the following
address:
http://www.risesecurity.org/exploits/linux-sendpage.c

Please, let me know if you have any questions or comments.

Also, feel free to leave a comment at:
http://www.risesecurity.org/entry/illustrating-linux-sock_sendpage-null-pointer/

[1] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
[2] http://kbase.redhat.com/faq/docs/DOC-18042
[3] http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz
[4] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

Best regards,
Ramon


Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ