Another linux kernel NULL pointer vulnerability ( exploit here )
Itamar Reis Peixoto
2009-08-14 17:39:52 UTC
Hello guys,

For the people who haven't updated the kernel.


http://grsecurity.net/%7Espender/wunderbar_emporium.tgz
--
------------

Itamar Reis Peixoto

e-mail/msn: itamar at ispbrasil.com.br
sip: itamar at ispbrasil.com.br
skype: itamarjp
icq: 81053601
+55 11 4063 5033
+55 34 3221 8599
Christoph Wickert
2009-08-14 19:23:49 UTC
Post by Itamar Reis Peixoto
Hello guys,
For the people who haven't updated the kernel.
I'm running kernel-2.6.29.6-217.2.3.fc11.x86_64 and this one is not
supposed to be fixed, however...
Post by Itamar Reis Peixoto
http://grsecurity.net/%7Espender/wunderbar_emporium.tgz
... it doesn't work here. Although the author claims it's not stopped by
SELinux (he even mentions Dan by name), SELinux one more time saves the
world:

$ su -c 'setenforce 0'
$ LANG=C sh wunderbar_emporium.sh
runcon: invalid context:
unconfined_u:unconfined_r:initrc_t:s0-s0:c0.c1023: Invalid argument
[+] MAPPED ZERO PAGE!
[+] Resolved selinux_enforcing to 0xffffffff81874374
[+] Resolved selinux_enabled to 0xffffffff815a0a60
[+] Resolved security_ops to 0xffffffff81871b20
[+] Resolved default_security_ops to 0xffffffff815a0080
[+] Resolved sel_read_enforce to 0xffffffff8118934c
[+] Resolved audit_enabled to 0xffffffff8182e804
[+] Resolved commit_creds to 0xffffffff810615c3
[+] Resolved prepare_kernel_cred to 0xffffffff810614a4
[+] got ring0!
[+] detected 2.6 style 4k stacks
sh: mplayer: command not found
[+] Disabled security of : nothing, what an insecure machine!
[+] Got root!
sh-4.0# setenforce 1
sh-4.0# exit
exit
$ LANG=C sh wunderbar_emporium.sh
runcon: invalid context:
unconfined_u:unconfined_r:initrc_t:s0-s0:c0.c1023: Invalid argument
UNABLE TO MAP ZERO PAGE!
avc: denied { mmap_zero } for pid=16293 comm="exploit"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect node=wicktop.localdomain type=SYSCALL
msg=audit(1250276339.135:27494): arch=c000003e syscall=9 success=yes
exit=0 a0=0 a1=1000 a2=7 a3=32 items=0 ppid=16273 pid=16293 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=pts4 ses=1 comm="exploit"
exe="/home/chris/Downloads/wunderbar_emporium/exploit"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
So I suggest calming down and not believing everything you read.

Regards,
Christoph
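As an added example (not part of this thread or of anyone's code in it): a small Python parser that picks out exactly the denial Christoph's audit log shows, an AVC record with tclass=memprotect and the mmap_zero permission, joins it with the SYSCALL record carrying the same audit serial to recover exe and uid, and reports whether the mapping actually went through (a "denied" record paired with success=yes means SELinux was permissive at the time, as after the setenforce 0 above). The sample records below are constructed from the log in the post, with the unrelated httpd denial added to show the filter ignoring it.

```python
import re
from typing import Dict, List

# Constructed sample records, modelled on the AVC/SYSCALL pair in the post,
# plus one unrelated denial the filter must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1250276339.135:27494): avc: denied { mmap_zero } for pid=16293 comm="exploit" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1250276339.135:27494): arch=c000003e syscall=9 success=yes exit=0 a0=0 a1=1000 a2=7 a3=32 items=0 ppid=16273 pid=16293 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts4 ses=1 comm="exploit" exe="/home/chris/Downloads/wunderbar_emporium/exploit" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250276400.001:27500): avc: denied { read } for pid=4242 comm="httpd" name="shadow" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')        # key=value, key="v", key=(null)
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')  # the { perm ... } set
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')         # event serial after the timestamp

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field dict (quotes stripped from values)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if m := SERIAL_RE.search(line):
        fields["serial"] = m.group(1)
    if m := PERMS_RE.search(line):
        fields["perms"] = m.group(1)
    return fields

def find_zero_page_denials(log_text: str) -> List[Dict[str, object]]:
    """One finding per AVC record that denied mmap_zero on class memprotect,
    joined with the SYSCALL record of the same serial (exe, uid, outcome)."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    syscalls = {r["serial"]: r for r in records
                if r.get("type") == "SYSCALL" and "serial" in r}
    findings: List[Dict[str, object]] = []
    for r in records:
        if r.get("type") != "AVC" or r.get("tclass") != "memprotect":
            continue
        if "mmap_zero" not in r.get("perms", "").split():
            continue
        sc = syscalls.get(r.get("serial", ""), {})
        findings.append({
            "serial": r.get("serial", "?"),
            "pid": r.get("pid", "?"),
            "comm": r.get("comm", "?"),
            "exe": sc.get("exe", "?"),
            "uid": sc.get("uid", "?"),
            "scontext": r.get("scontext", "?"),
            # "denied" paired with success=yes means SELinux was permissive and
            # the zero page really was mapped: that is the case to escalate.
            "mapping_succeeded": sc.get("success") == "yes",
        })
    return findings
```

To run it against a real system, feed the contents of /var/log/audit/audit.log to find_zero_page_denials instead of the constructed sample; any finding with mapping_succeeded set is a host to look at immediately.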
Jon Masters
2009-08-17 18:00:19 UTC
Post by Christoph Wickert
Post by Itamar Reis Peixoto
Hello guys,
For the people who haven't updated the kernel.
I'm running kernel-2.6.29.6-217.2.3.fc11.x86_64 and this one is not
supposed to be fixed, however...
Post by Itamar Reis Peixoto
http://grsecurity.net/%7Espender/wunderbar_emporium.tgz
... it doesn't work here. Although the author claims it's not stopped by
SELinux (he even mentions Dan by name), SELinux one more time saves the
FYI I saw a real life attempt to exploit this over the weekend on a
machine of mine where someone had found a PHP exploit. Fortunately, I
had already upgraded the kernel and their rootkit attempt failed,
however, it's worth emphasizing that this is certainly out there.

I have more information on the rootkit they used for legitimate security
researchers who are interested in the issue.

Jon.
