Dailydave mailing list archives
Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
From: TINNES Julien RD-MAPS-ISS <julien.tinnes () francetelecom com>
Date: Mon, 05 Mar 2007 14:16:16 +0100
Michal Zalewski wrote:
> On Sat, 3 Mar 2007, Brad Spengler wrote:
>> Also, if there are any security historians on the list, I submit for your record-keeping what I believe to be the first public exploit for a null ptr dereference bug in the Linux kernel.
>
> Historians, wait! Here, I have the same code dated 2001! Which is notable, because it actually predates the 2.6 kernel altogether!
>
> On a more serious note... null pointer _dereference_ ("following of") is almost never exploitable on modern platforms (unless you count 0x0+large_offset table element access), and this exploit is consistent with that assessment.
Local kernel-mode exploits rely on the following paradigm: you _already_ have arbitrary code execution and you want to run code with kernel privileges (or just with more privilege) or to write to memory you're not allowed to write to. So, to exploit the "to-userland pointer dereference" class of kernel flaws, you just have to mmap() the page at the correct address (and mmap at 0 is perfectly allowed). The problem in Linux is that since kernel 2.4 the segment selector registers are loaded (in *both* kernel and user mode) with references to segments with a base address of 0 (in kernel 2.0 and 2.2, the base for most selectors was different in kernel mode). This is not the case in PaX. This means that dereferencing a NULL pointer will indeed point you to address 0 in linear memory, which is also address 0 in userland in current Linux kernels.
> What you have here is not a dereference of a null pointer (the kernel never tries to read/write *0x0), but rather, an opportunity to access a fun page of memory because of a missing 0x0 value check.
I don't understand you here. The bug Spender has mentioned is, AFAIR, exactly a null pointer dereference.
> Naming your post / exploit in such an alarmist way will only have folks report NULL ptrs in /bin/date as "EXTREMELY CRITICAL" as opposed to the usual "VERY CRITICAL" we're all accustomed to. Please don't ;-)
Also, while it is not really relevant to the current subject (in-kernel null pointer dereference), here is a link to a paper by Gael Delalleau treating the subject of exploiting user-land null pointer dereferences: http://cansecwest.com/core05/memory_vulns_delalleau.pdf

--
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
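The precondition the reply above leans on is that an unprivileged process can map the page at linear address 0, so that a kernel-side NULL dereference lands in attacker-controlled memory. Current Linux kernels refuse such mappings below the vm.mmap_min_addr sysctl, which is the mitigation an administrator wants to verify. The following check is an added example, not code from the thread or from any of its authors: it reads mmap_min_addr (assumed to exist at /proc/sys/vm/mmap_min_addr; -1 is reported when it cannot be read) and then attempts a fixed anonymous mapping at address 0, releasing it immediately if the kernel allows it. A result of PAGE_ZERO_REFUSED with errno EPERM is the expected outcome on a hardened system.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON /* BSD spelling on older headers */
#endif

/* Outcome of the page-zero probe. */
enum page_zero_status { PAGE_ZERO_REFUSED = 0, PAGE_ZERO_MAPPABLE = 1 };

/* Reads vm.mmap_min_addr; returns -1 when the file is unavailable
 * (non-Linux host, restricted /proc, or an unexpected format). */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r"); /* assumed path */
    long value = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

/* Attempts to map one page at linear address 0. On success the mapping is
 * torn down at once; nothing is ever written through it. err_out receives
 * errno on refusal and 0 on success. */
enum page_zero_status probe_page_zero(int *err_out)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err_out)
            *err_out = errno;
        return PAGE_ZERO_REFUSED;
    }
    /* A successful MAP_FIXED at 0 returns a NULL pointer; unmap it right away. */
    if (err_out)
        *err_out = 0;
    munmap(p, page);
    return PAGE_ZERO_MAPPABLE;
}

/* Human-readable verdict for an administrator's report. */
const char *page_zero_verdict(enum page_zero_status s)
{
    return s == PAGE_ZERO_MAPPABLE
        ? "page 0 is mappable: NULL-dereference kernel bugs are reachable"
        : "page 0 is refused: mmap_min_addr (or equivalent) is in effect";
}

int main(void)
{
    int err = 0;
    long min_addr = read_mmap_min_addr();
    enum page_zero_status s = probe_page_zero(&err);

    printf("vm.mmap_min_addr: %ld\n", min_addr);
    printf("mmap(0, MAP_FIXED): %s (%s)\n",
           s == PAGE_ZERO_MAPPABLE ? "allowed" : "refused",
           s == PAGE_ZERO_MAPPABLE ? "ok" : strerror(err));
    printf("%s\n", page_zero_verdict(s));
    return 0;
}
```

Run it as an ordinary user: a refusal with EPERM together with a non-zero mmap_min_addr is the healthy state; a successful mapping, or a min_addr of 0, means the kernel or its configuration still honours the 2007-era assumption quoted above. Processes holding CAP_SYS_RAWIO are exempt from the sysctl, so the probe says nothing about them.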