Lucene search

K
seebugRootSSV:12593
HistoryNov 08, 2009 - 12:00 a.m.

Linux 2.6.x fs/pipe.c local root exploit

2009-11-0800:00:00
Root
www.seebug.org
126

EPSS

0

Percentile

5.2%

No description provided by source.


                                                For those who were not yet aware, there is at least 3 public exploits 
since 11/05/2009 for CVE-2009-3547 targeting *all* linux kernels from 
2.6.0 to 2.6.31 included. Since spender and fotis have already release 
their own, there is not need for us to keep this on our hd. 
ImpelDown.c is a poc trying to exploit null ptr dereference in fs/pipe.c 
for *all* linux kernel from 2.6.0 to 2.6.31 and ImpelDown-2.6.31only.c 
target only linux kernel version 2.6.31 (tested and approuved with 
mmap_min_addr at 0). 
If you were writing your own, you have already noticed that there is a 
subtle difference in the way you can own kernels 2.6.0 up to 2.6.10 and 
kernels 2.6.11 up to 2.6.31: in the first one the null ptr deref leads 
to an arbitrary write to everywhere in the kernel since you have control 
over the destination address of 

linux2.6.9/fs/pipe.c 

... 
219 if (pipe_iov_copy_from_user(pipebuf, iov, chars)) { 
... 
In such case, we try to exploit this by overwriting and old and obsolete 
syscall address in the sys_call_table by our privilege escalator function 
address (hehe old school trickz are always the best). 

In kernels 2.6.11 up to 2.6.31, exploitation simply resume in mapping the correct 
struct pipe_inode_info at NULL and the kernel will call a fptr under our control 
at inode->i_pipe->bufs[1-16].ops->something() 

You can find exploits at 
http://www.vxhell.org/~teach/exploits/ImpelDown.c 
and 
http://www.vxhell.org/~teach/exploits/ImpelDown-2.6.31only.c 
The first one wasn't tested but the second would work for the given kernel 
(according to your mmap_min_addr) 

We highly recommand to apply grsecurity patch ([1]) since UDEREF will preserve 
you from all this bug class, 
or at least have a kernel which correctly implement mmap_min_addr, but 
Julien and Tavis [2] have already showed you how this can be easily bypassed. 
Regards 

[1] http://grsecurity.net 
[2] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html 


teach[at]blackpearl$ head -n 18 exploits/ImpelDown-2.6.31only.c 
/****************************************************************************** 
* .:: Impel Down ::. 
* 
* Linux 2.6.x fs/pipe.c local kernel root(kit?) exploit (x86) 
* by teach & xipe 
* Greetz goes to all our mates from #nibbles, #oldschool and 
#carib0u 
* (hehe guyz, we would probably be high profile and mediatised el8 
if we 
* lost less time on trolling all day long, but we LOVE IT :))) 
* Special thanks to Ivanlef0u, j0rn & pouik for being such amazing 
(but i 
* promise ivan, one day i'll kill u :p) 
* 
* (C) COPYRIGHT teach & xipe, 2009 
* All Rights Reserved 
* 
* teach[at]vxhell.org 
* xipe[at]vxhell.org 
* 

*******************************************************************************/