
Illustrating the Linux sock_sendpage() NULL pointer dereference

From:  Ramon de Carvalho Valle <ramon-AT-risesecurity.org>
To:  bugtraq-AT-securityfocus.com, full-disclosure-AT-lists.grok.org.uk
Subject:  Illustrating the Linux sock_sendpage() NULL pointer dereference on Power/Cell BE Architecture
Date:  Mon, 31 Aug 2009 09:32:02 -0300
Message-ID:  <1251721922.7495.5.camel@logos>

I've released an exploit for the Linux sock_sendpage() NULL pointer
dereference[1], discovered by Tavis Ormandy and Julien Tinnes. This exploit
was written to illustrate the exploitability of this vulnerability on
Power/Cell BE architecture.

The exploit makes use of the SELinux and the mmap_min_addr problem to exploit
this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. The
problem, first noticed by Brad Spengler, was described by Red Hat in Red Hat
Knowledgebase article: Security-Enhanced Linux (SELinux) policy and the
mmap_min_addr protection[2].

Support for i386 and x86_64 was added for completeness. For a more complete
implementation, refer to Brad Spengler's exploit[3], which also implements
the personality trick[4] published by Tavis Ormandy and Julien Tinnes.

Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
are vulnerable.

The exploit was tested on:

 * CentOS 5.3 (2.6.18-128.7.1.el5) is not vulnerable
 * CentOS 5.3 (2.6.18-128.4.1.el5)
 * CentOS 5.3 (2.6.18-128.2.1.el5)
 * CentOS 5.3 (2.6.18-128.1.16.el5)
 * CentOS 5.3 (2.6.18-128.1.14.el5)
 * CentOS 5.3 (2.6.18-128.1.10.el5)
 * CentOS 5.3 (2.6.18-128.1.6.el5)
 * CentOS 5.3 (2.6.18-128.1.1.el5)
 * CentOS 5.3 (2.6.18-128.el5)
 * CentOS 4.8 (2.6.9-89.0.9.EL) is not vulnerable
 * CentOS 4.8 (2.6.9-89.0.7.EL)
 * CentOS 4.8 (2.6.9-89.0.3.EL)
 * CentOS 4.8 (2.6.9-89.EL)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5) is not vulnerable
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.el5)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL) is not vulnerable
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.EL)
 * SUSE Linux Enterprise Server 11 (2.6.27.19-5)
 * SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21)
 * Ubuntu 8.10 (2.6.27-14) is not vulnerable
 * Ubuntu 8.10 (2.6.27-11)
 * Ubuntu 8.10 (2.6.27-9)
 * Ubuntu 8.10 (2.6.27-7)
 
The exploit is available at our exploits section or directly at the following
address:
http://www.risesecurity.org/exploits/linux-sendpage.c

Please, let me know if you have any questions or comments.

Also, feel free to leave a comment at:
http://www.risesecurity.org/entry/illustrating-linux-sock...

[1] http://blog.cr0.org/2009/08/linux-null-pointer-dereferenc...
[2] http://kbase.redhat.com/faq/docs/DOC-18042
[3] http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz
[4] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer....

Best regards,
Ramon
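The post gives two pieces of information a defender can act on: the upstream version ranges it names as vulnerable (2.4.4 to 2.4.37.4 and 2.6.0 to 2.6.30.4) and a test list showing that vendor builds such as 2.6.18-128.7.1.el5 are already fixed although their upstream number still falls inside the range. The triage script below is an added example written for this page; it is not part of the post and not the RISE exploit. It parses a `uname -r` style release string, checks the upstream part against the post's ranges, flags in-range vendor builds as "check-errata" rather than guessing, and reads vm.mmap_min_addr from its real sysctl path, since that floor is the protection the post says the SELinux policy problem in reference [2] undermines. The sample release strings are constructed from the post's own test list.

```python
"""Kernel-release triage for the sock_sendpage() NULL pointer dereference.

Added example, not code from the post or from RISE Security. Assumptions:
the vulnerable ranges are exactly the two the post names, and the sysctl
lives at /proc/sys/vm/mmap_min_addr (the standard Linux path).
"""
import platform
import re

# Upstream kernel ranges the post names as vulnerable, both ends inclusive.
VULNERABLE_RANGES = (
    ((2, 4, 4), (2, 4, 37, 4)),
    ((2, 6, 0), (2, 6, 30, 4)),
)

# Constructed sample release strings, taken from the post's test list.
SAMPLE_RELEASES = (
    "2.6.18-128.7.1.el5",   # listed as not vulnerable (vendor backport)
    "2.6.18-128.4.1.el5",   # listed as vulnerable
    "2.6.27-14",            # Ubuntu 8.10, listed as not vulnerable
    "2.6.31",               # outside the upstream range
)


def parse_release(release):
    """Split a `uname -r` string into (upstream tuple, vendor build string).

    Only the leading dotted numbers are the upstream version; whatever follows
    the first '-' (e.g. '128.7.1.el5') is the vendor build and is returned
    separately, because vendors backport fixes without bumping the upstream
    number.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-(.*))?$", release.strip())
    if not m:
        raise ValueError("unrecognised release string: %r" % (release,))
    upstream = tuple(int(part) for part in m.group(1).split("."))
    return upstream, (m.group(2) or "")


def in_upstream_range(upstream):
    """True if the upstream version lies in a range the post lists as vulnerable.

    Tuple comparison handles differing lengths: (2, 6, 30) < (2, 6, 30, 4).
    """
    return any(lo <= upstream <= hi for lo, hi in VULNERABLE_RANGES)


def read_mmap_min_addr(path="/proc/sys/vm/mmap_min_addr"):
    """Return vm.mmap_min_addr as an int, or None if the sysctl is absent."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (IOError, OSError, ValueError):
        return None


def assess(release, mmap_min_addr):
    """Triage one host from its kernel release and its vm.mmap_min_addr value.

    'status' is one of:
      not-in-range  upstream version outside both vulnerable ranges
      check-errata  in range, but a vendor build is present: the post's list
                    shows builds such as 2.6.18-128.7.1.el5 that are fixed
                    although upstream 2.6.18 is inside the range, so only the
                    vendor's errata can settle it
      vulnerable    in range and no vendor build that could carry a backport
    'page_zero_mappable' is True when mmap_min_addr is 0 (or unknown): then no
    kernel-side floor stops a process from mapping the NULL page at all. A
    non-zero value is necessary but, as the post says of the SELinux policy
    problem (its reference [2]), not sufficient on the affected RHEL/CentOS
    5.3 systems.
    """
    upstream, vendor = parse_release(release)
    if not in_upstream_range(upstream):
        status = "not-in-range"
    elif vendor:
        status = "check-errata"
    else:
        status = "vulnerable"
    return {
        "release": release,
        "upstream": upstream,
        "vendor_build": vendor,
        "status": status,
        "page_zero_mappable": not mmap_min_addr,
    }


if __name__ == "__main__":
    # Offline run over the constructed samples, then the local host.
    for rel in SAMPLE_RELEASES:
        print(assess(rel, 65536))
    print(assess(platform.release(), read_mmap_min_addr()))
```

The deliberately conservative "check-errata" result is the point: the post's own list shows that 2.6.18-128.4.1.el5 and 2.6.18-128.7.1.el5 share an upstream number but differ in vulnerability, so a version-only check can narrow the fleet but cannot clear a vendor kernel; the errata ID from the distribution is what settles it.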


Illustrating the Linux sock_sendpage() NULL pointer dereference

Posted Sep 3, 2009 2:16 UTC (Thu) by dlang (guest, #313) (2 responses)

does this vulnerability depend on the SELinux vulnerability?

if I have a system that doesn't use SELinux is this bug still there?

Illustrating the Linux sock_sendpage() NULL pointer dereference

Posted Sep 5, 2009 13:23 UTC (Sat) by zhllg (guest, #26587) (1 responses)

if you have pulseaudio, you are still vulnerable.

Illustrating the Linux sock_sendpage() NULL pointer dereference

Posted Sep 5, 2009 19:17 UTC (Sat) by dlang (guest, #313)

but the pulseaudio thing is a separate vulnerability.

so what I think I am hearing you say is that if I don't use pulseaudio or SELinux on a system then I don't have to worry about this sock_sendpage() vulnerability


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds