Dailydave mailing list archives
Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
From: TINNES Julien RD-MAPS-ISS <julien.tinnes () francetelecom com>
Date: Mon, 05 Mar 2007 15:23:17 +0100
> You're not exploiting any userland application (the code being run is your own program, you already have full control of it), correct? You're attacking the kernel. The flaw in the kernel is not caused by a null pointer dereference (the kernel is not vulnerable because of trying to read or write *0x0 - that's what a dereference is).
That's exactly my point: you're not exploiting a userland application, so the paradigm is different, and _YOU_ can map page 0 because you've already got arbitrary code execution.

    ptr = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);

That's what this line of code does.
> The flaw is caused by a missing check that allows you to gain access to the first physical page of memory, which you can then read or write. So a proper title would be "on exploiting missing checks" or "on gaining access to *0x0". Note that Brad's exploit doesn't even get to access 0x0 in the process's address space - he just gets an instance of physical page 0 mapped to some sane address.
It has nothing to do with 'first physical page': it's a logical address (0) translated into a linear address which happens to also be 0 because the base address in most segment descriptors is 0 since Linux 2.4. To sum it up, you control what is at any address in user-land (you've already got arbitrary code execution and can use mmap/munmap) and, because of a flaw (a to-user-land pointer dereference), the kernel will 'think' its data is in some area you control (here the first page of the process).

-- 
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Brad Spengler (Mar 03)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Michal Zalewski (Mar 03)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Michal Zalewski (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Michal Zalewski (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns don bailey (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Thomas Ptacek (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Michal Zalewski (Mar 05)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Dave Korn (Mar 06)
- (windows is vulnerable too) & final comments on naming Brad Spengler (Mar 07)
- Re: (windows is vulnerable too) & final comments on naming intropy (Mar 07)
- Re: (windows is vulnerable too) & final comments on naming Dave Aitel (Mar 07)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Michal Zalewski (Mar 03)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Joel Eriksson (Mar 07)