Another linux kernel NULL pointer vulnerability ( exploit here )

Christoph Wickert christoph.wickert at googlemail.com
Fri Aug 14 19:23:49 UTC 2009


On Friday, 14.08.2009, 14:39 -0300, Itamar Reis Peixoto wrote:
> Hello guys
> 
> for the people who haven't updated the kernel.

I'm running kernel-2.6.29.6-217.2.3.fc11.x86_64 and this one is not
supposed to be fixed, however...

> http://grsecurity.net/%7Espender/wunderbar_emporium.tgz

... it doesn't work here. Although the author claims it's not stopped by
SELinux (he even mentions Dan by name), SELinux one more time saves the
world:

$ su -c 'setenforce 0'
$ LANG=C sh wunderbar_emporium.sh 
runcon: invalid context:
unconfined_u:unconfined_r:initrc_t:s0-s0:c0.c1023: Invalid argument
 [+] MAPPED ZERO PAGE!
 [+] Resolved selinux_enforcing to 0xffffffff81874374
 [+] Resolved selinux_enabled to 0xffffffff815a0a60
 [+] Resolved security_ops to 0xffffffff81871b20
 [+] Resolved default_security_ops to 0xffffffff815a0080
 [+] Resolved sel_read_enforce to 0xffffffff8118934c
 [+] Resolved audit_enabled to 0xffffffff8182e804
 [+] Resolved commit_creds to 0xffffffff810615c3
 [+] Resolved prepare_kernel_cred to 0xffffffff810614a4
 [+] got ring0!
 [+] detected 2.6 style 4k stacks
sh: mplayer: command not found
 [+] Disabled security of : nothing, what an insecure machine!
 [+] Got root!
sh-4.0# setenforce 1
sh-4.0# exit
exit
$ LANG=C sh wunderbar_emporium.sh 
runcon: invalid context:
unconfined_u:unconfined_r:initrc_t:s0-s0:c0.c1023: Invalid argument
UNABLE TO MAP ZERO PAGE!

The log entry:
> node=wicktop.localdomain type=AVC msg=audit(1250276339.135:27494):
> avc: denied { mmap_zero } for pid=16293 comm="exploit"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect node=wicktop.localdomain type=SYSCALL
> msg=audit(1250276339.135:27494): arch=c000003e syscall=9 success=yes
> exit=0 a0=0 a1=1000 a2=7 a3=32 items=0 ppid=16273 pid=16293 auid=500
> uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
> fsgid=500 tty=pts4 ses=1 comm="exploit"
> exe="/home/chris/Downloads/wunderbar_emporium/exploit"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 

So I suggest calming down and not believing everything you read.

Regards,
Christoph
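The audit record quoted in the mail is the useful signal for a defender: an AVC denial of the mmap_zero permission in the memprotect class, paired (by the shared msg=audit(...) serial) with a SYSCALL record whose arguments show the attempted mapping. The following is an added example, not code from the mail or from Fedora or SELinux, that parses such records, correlates the AVC and SYSCALL halves, and reports mmap_zero denials with the decoded mmap arguments. The sample log is the record from the mail split onto one line per audit record, plus one constructed unrelated denial as a negative case; the assumptions are that the records are in the plain auditd text format shown in the mail and that syscall 9 on arch c000003e (x86_64) is mmap.

```python
import re
from collections import defaultdict

# Sample input: the two records quoted in the mail (they share serial 27494),
# each on its own line, followed by one constructed, unrelated AVC denial.
SAMPLE_AUDIT_LOG = """\
node=wicktop.localdomain type=AVC msg=audit(1250276339.135:27494): avc: denied { mmap_zero } for pid=16293 comm="exploit" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
node=wicktop.localdomain type=SYSCALL msg=audit(1250276339.135:27494): arch=c000003e syscall=9 success=yes exit=0 a0=0 a1=1000 a2=7 a3=32 items=0 ppid=16273 pid=16293 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts4 ses=1 comm="exploit" exe="/home/chris/Downloads/wunderbar_emporium/exploit" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
node=wicktop.localdomain type=AVC msg=audit(1250276400.001:27500): avc: denied { getattr } for pid=16300 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

_SERIAL_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value possibly quoted

# mmap prot and flag bits on x86_64 Linux, used to decode a2 and a3 below
PROT_NAMES = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_NAMES = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}


def _flag_names(value, table):
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else "0"


def parse_audit_line(line):
    """Turn one auditd text record into a dict of its fields.

    Adds ts/serial from msg=audit(ts:serial) and denied_perms from the
    'avc: denied { ... }' text; returns None for lines that are not records.
    """
    m = _SERIAL_RE.search(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "serial": m.group("serial")}
    d = _DENIED_RE.search(line)
    rec["denied_perms"] = d.group("perms").split() if d else []
    for key, val in _KV_RE.findall(line):
        rec[key] = val.strip('"')
    return rec


def find_mmap_zero_denials(log_text):
    """Group records by serial and report each memprotect:mmap_zero denial.

    The AVC record carries the denial; the SYSCALL record with the same serial
    carries the caller's exe, ids and the raw (hex) syscall arguments.
    """
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec:
            by_serial[rec["serial"]].append(rec)

    findings = []
    for serial, recs in sorted(by_serial.items(), key=lambda kv: int(kv[0])):
        avc = next((r for r in recs if r.get("type") == "AVC"), None)
        if not avc or avc.get("tclass") != "memprotect" or "mmap_zero" not in avc["denied_perms"]:
            continue
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), {})
        finding = {
            "serial": serial,
            "ts": avc["ts"],
            "pid": avc.get("pid"),
            "comm": avc.get("comm"),
            "scontext": avc.get("scontext"),
            "exe": sc.get("exe"),
            "uid": sc.get("uid"),
            "auid": sc.get("auid"),
            "syscall_success": sc.get("success"),  # recorded as logged, not reinterpreted
        }
        # On x86_64 (arch=c000003e) syscall 9 is mmap, so a0..a3 are
        # addr, length, prot, flags; auditd prints them in hex.
        if sc.get("arch") == "c000003e" and sc.get("syscall") == "9":
            finding["mmap_addr"] = int(sc["a0"], 16)
            finding["mmap_len"] = int(sc["a1"], 16)
            finding["mmap_prot"] = _flag_names(int(sc["a2"], 16), PROT_NAMES)
            finding["mmap_flags"] = _flag_names(int(sc["a3"], 16), MAP_NAMES)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_mmap_zero_denials(SAMPLE_AUDIT_LOG):
        print(f)
```

On the record from the mail this yields one finding: pid 16293, comm "exploit", a fixed anonymous RWX mapping of 0x1000 bytes requested at address 0. That decoded tuple (MAP_FIXED at address 0 with PROT_EXEC) is the thing worth alerting on, independently of the particular exploit name; `ausearch -m AVC` output can be fed to the same function since it uses the same record format.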
