Full Disclosure mailing list archives
Re: vm86 syscall kernel-panic and some more goodies waiting to be analyzed
From: halfdog <me () halfdog net>
Date: Sun, 29 Dec 2013 20:49:24 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 halfdog wrote:
It seems that at least on 32-bit Debian-sid kernel in VirtualBox guest, [1] triggers a kernel-panic. This simple POC does not allow privilege escalation although there might be also some time-race component involved, sometimes similar code seems to access uninitialized memory or triggers NULL-dereferences. Therefore the simple POC code could be extended for more extensive testing. See [2] for more information. hd
I've created [1] to ease discovery of new problematic code combinations. Good use is to run it with e.g. socat TCP4-LISTEN:1234,reuseaddr=1,fork=1 EXEC:./Virtual86RandomCode,nofork=1 And send random data via network: tee TestInput < /dev/urandom | socat - TCP4:x.x.x.x:1234 > ProcessedBlocks And watch your console or dmesg output (when your kernel did not lock up completely) hd [1] http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/Virtual86RandomCode.c - -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlLAiroACgkQxFmThv7tq+58dACggUEhW1toL8/9UnZkcEXZ+Ukk yvUAnjFTETZf/nXr/96fbp8soRpUdJiv =mLVT -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- vm86 syscall kernel-panic and some more goodies waiting to be analyzed halfdog (Dec 28)
- Re: vm86 syscall kernel-panic and some more goodies waiting to be analyzed halfdog (Dec 29)