Posts tagged: Full Disclouser

Dec 07 2010

Linux Kernel Exploit PoC Testing

About an hour or so ago I notice a posting on the Full Disclosure mailing list with a proof of concept code (PoC) that will allow a non-privileged user to gain Root access on a Linux system , below is a snippet from the comment section of the code that explains it.

–snip–

/*
* Linux Kernel <= 2.6.37 local privilege escalation
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
* ./full-nelson
*
* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* ————-
* This is the interesting one, and the reason I wrote this exploit.  If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok().  However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
* etc.), this override is not reverted before calling put_user() in the exit
* path, allowing a user to write a NULL word to an arbitrary kernel address.
* Note that this issue requires an additional vulnerability to trigger.
*
* CVE-2010-3849
* ————-
* This is a NULL pointer dereference in the Econet protocol.  By itself, it’s
* fairly benign as a local denial-of-service.  It’s a perfect candidate to
* trigger the above issue, since it’s reachable via sock_no_sendpage(), which
* subsequently calls sendmsg under KERNEL_DS.
*
* CVE-2010-3850
* ————-
* I wouldn’t be able to reach the NULL pointer dereference and trigger the
* OOPS if users weren’t able to assign Econet addresses to arbitrary
* interfaces due to a missing capabilities check.
*
* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
*  * The particular symbols I resolve are not exported on Slackware or Debian
*  * Red Hat does not support Econet by default
*  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
*    Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn’t have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*
* NOTE: the exploit process will deadlock and stay in a zombie state after you
* exit your root shell because the Econet thread OOPSes while holding the
* Econet mutex.  It wouldn’t be too hard to fix this up, but I didn’t bother.
*
* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
*/

Naturally I would feel incline to turn up a Linux VM to test this exploit, I decided to go with a fully patched Ubuntu 10.10 with kernel version 2.6.35-23-generic to start my testing however the exploit fail on this system. I then decided to go with a default install of Unbuntu 10.10 with Kernel version 2.6.35-22-generic and to my amazement it worked.

Steps taken:

Ensure that I have gcc isntalled since the exploit was written in C.

infolookup@ubuntu:/tmp/exploitpoc$ touch full-nelson.c

Once the file is created simply copy the PoC from http://pastebin.com/qKZp2Qic or from the original post
and paste it into your newly created file.

infolookup@ubuntu:/tmp/exploitpoc$ nano full-nelson.c

Next just execute it….

infolookup@ubuntu:/tmp/exploitpoc$ gcc full-nelson.c -o full-nelson

infolookup@ubuntu:/tmp/exploitpoc$ ./full-nelson.c

And as you can see from the image above “Got Root”!

Alibi3col theme by Themocracy

css.php