lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 07 Jan 2014 23:25:27 +0000
From: halfdog <me@...fdog.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: FPU-state NULL-deref exploitation (was vm86
 syscall kernel-panic and some more goodies waiting to be analyzed)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

After closer examination, I found out, that the FPU-state handling
errors were not specific to vm86-syscall, also normal 32-bit userspace
code could bring the FPU/CPU into the same state.

Just for fun, I wrote a local-root privilege escalation POC. It
requires mmap_min_addr=0 on modern kernels, which should NOT be the
default, unless you are are using Linux to play DOS-games from the 90'
via dos-emu.

I tried to do some nice tricks, e.g. use just two kernel-land writes
for privilege escalation: one just adds the value 0xffff0001
(semaphore down_write), the other one changes 4 bytes in
modprobe_path. Hence the POC just contains 12 bytes of binary code.

The POC code with a little more explanation can be found here:

http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/

The exact analysis of the kernel bug is not yet complete, currently it
is only proven to work on AMD E-350 processor, both in VirtualBox and
on bare hardware. So if you were lucky to trigger at least an OOPS on
another hardware, I would be interested about it.

hd


PS: It uses the address values from current debian-sid kernel (see
System.map) and runs only on 32bit kernel, so don't ask why it won't
work on your 64-bit RedHat.

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlLMjNkACgkQxFmThv7tq+4sMACfYVbFo2HjEdbgy/KDouxY90+q
9iQAmwSN4IrAYaxlk85f9vHmCD0EwCVk
=XIwO
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists