Linux kernel bug (2009)
A fairly serious bug has been found in the Linux kernel: a NULL pointer dereference, tracked as CVE-2009-2692. Several socket families leave the sendpage entry of their proto_ops table NULL, so sock_sendpage() ends up calling address 0. If an unprivileged process can map page zero first (which is what a non-zero vm.mmap_min_addr is meant to prevent), that call lands in attacker-controlled code and the exploit gets root. The system would do anything for you..
Almost every kernel from the 2.4 and 2.6 series is affected:
- Linux 2.4, from 2.4.4 up to and including 2.4.37.4
- Linux 2.6, from 2.6.0 up to and including 2.6.30.4
exploit testing:
$ ./script
[+] MAPPED ZERO PAGE!
[+] Resolved selinux_enforcing to 0xffffffff80bb4348
[+] Resolved selinux_enabled to 0xffffffff80bb4344
[+] Resolved security_ops to 0xffffffff80bb2ae0
[+] Resolved default_security_ops to 0xffffffff808e55a0
[+] Resolved sel_read_enforce to 0xffffffff803e16e0
[+] Resolved audit_enabled to 0xffffffff80ae2ec4
[+] Resolved commit_creds to 0xffffffff8026d3f0
[+] Resolved prepare_kernel_cred to 0xffffffff8026d040
[+] got ring0!
[+] detected 2.6 style 4k stacks
sh: mplayer: not found
[+] Disabled security of : nothing, what an insecure machine!
[+] Got root!
#
# id
uid=0(root) gid=0(root)
#
Original bug report:
Linux NULL pointer dereference due to incorrect proto_ops initializations
-------------------------------------------------------------------------
In the Linux kernel, each socket has an associated struct of operations
called proto_ops which contain pointers to functions implementing various
features, such as accept, bind, shutdown, and so on.
If an operation on a particular socket is unimplemented, they are expected
to point the associated function pointer to predefined stubs, for example if
the "accept" operation is undefined it would point to sock_no_accept(). However,
we have found that this is not always the case and some of these pointers are
left uninitialized.
-- -- -- --
http://www.cr0.org/misc/CVE-2009-2692.txt
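To make the report's point concrete, here is an added user-space model of the proto_ops pattern (example code written for this post, not kernel code and not from cr0.org). The struct, the stub names and the two dispatchers are assumptions that only mirror the kernel's convention: a table that forgets one slot gets a NULL function pointer from the designated-initializer syntax, a dispatcher that trusts the table then calls address 0, and the fix is either filling every slot with its sock_no_* stub or checking the slot before the call.

```c
/* Added example (not from the post or the kernel): a user-space model of the
 * proto_ops pattern described in the bug report. Names mirror the kernel's
 * convention, but nothing here is kernel code. */
#include <stdio.h>
#include <stddef.h>
#include <errno.h>

struct socket;  /* opaque stand-in for the kernel's struct socket */

/* Subset of a kernel-style operations table (assumed shape). */
struct proto_ops {
    const char *name;
    int (*accept)(struct socket *sock);
    int (*bind)(struct socket *sock);
    int (*sendpage)(struct socket *sock, const void *page, size_t len);
};

/* Stubs for unimplemented operations: the convention the report describes. */
static int sock_no_accept(struct socket *sock) { (void)sock; return -EOPNOTSUPP; }
static int sock_no_bind(struct socket *sock) { (void)sock; return -EOPNOTSUPP; }
static int sock_no_sendpage(struct socket *sock, const void *page, size_t len)
{
    (void)sock; (void)page; (void)len;
    return -EOPNOTSUPP;
}

static int real_bind(struct socket *sock) { (void)sock; return 0; }

/* "Before": accept uses its stub, bind is implemented, sendpage was simply
 * forgotten, so the designated initializer leaves it NULL. */
static const struct proto_ops broken_ops = {
    .name   = "broken",
    .accept = sock_no_accept,
    .bind   = real_bind,
    /* .sendpage missing -> NULL */
};

/* "After": every slot filled, the unimplemented one with its stub. */
static const struct proto_ops fixed_ops = {
    .name     = "fixed",
    .accept   = sock_no_accept,
    .bind     = real_bind,
    .sendpage = sock_no_sendpage,
};

/* Vulnerable dispatcher: trusts the table. With a NULL slot this jumps to
 * address 0, which is why a mapped zero page turns the bug into code execution. */
static int vuln_sendpage(struct socket *sock, const struct proto_ops *ops,
                         const void *page, size_t len)
{
    return ops->sendpage(sock, page, len);
}

/* Hardened dispatcher: falls back to the stub instead of trusting the slot. */
static int safe_sendpage(struct socket *sock, const struct proto_ops *ops,
                         const void *page, size_t len)
{
    if (ops->sendpage == NULL)
        return sock_no_sendpage(sock, page, len);
    return ops->sendpage(sock, page, len);
}

/* Audit: count NULL function pointers in an ops table. A non-zero result
 * is the kind of defect the report found. */
static int count_null_ops(const struct proto_ops *ops)
{
    int n = 0;
    if (ops->accept == NULL) n++;
    if (ops->bind == NULL) n++;
    if (ops->sendpage == NULL) n++;
    return n;
}

int main(void)
{
    char page[16] = {0};
    printf("%s: %d NULL slot(s)\n", broken_ops.name, count_null_ops(&broken_ops));
    printf("%s: %d NULL slot(s)\n", fixed_ops.name, count_null_ops(&fixed_ops));
    printf("safe_sendpage on broken table -> %d\n",
           safe_sendpage(NULL, &broken_ops, page, sizeof page));
    /* vuln_sendpage(NULL, &broken_ops, ...) would call address 0: not run. */
    printf("vuln_sendpage on fixed table -> %d\n",
           vuln_sendpage(NULL, &fixed_ops, page, sizeof page));
    return 0;
}
```

The audit function is the practical takeaway: a one-off pass over every ops table that flags NULL slots would have caught this class of bug before an attacker did, and the stub-fallback check in the dispatcher is the belt-and-braces version that survives a forgotten initializer.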