Thursday, April 16, 2009

udev trickery (CVE-2009-1185 and CVE-2009-1186)

While the security industry is making weird statements about no-more-free-hugs and OSX vs. Windows exploitation fun, I add my two cents on UNIX exploitation.


There have been two problems in all currently running udevd versions shipped by all major Linux distributions. Even if you install SELinux or other hardening mechanisms, you are at risk (please see the screenshot above, taken on a targeted SELinux config).

The first problem (CVE-2009-1185) exists because the origin of KOBJECT_UEVENT messages is not verified, so any user can spoof messages that udevd takes for granted as coming from the kernel. This allows some trickery to create a device named /dev/random with permission 0666 but the major and minor numbers of your root block device. The rest is code. Alternatively, CVE-2009-1186 could be exploited, which is a standard stack buffer overflow. Depending on the configuration of the system, CVE-2009-1185 can also be exploited with weird network interface names and the like, so in the end chrooted/jailed or PrivSep'ed users have a good chance of getting a full root shell.
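Two defender-side checks follow from the description above: the origin check that udevd was missing (accept a NETLINK_KOBJECT_UEVENT message only if the kernel actually sent it), and a scan of /dev for the symptom of the described trick (a world-accessible block node aliasing the root block device, or a block node sitting where a character device such as /dev/random belongs). The Python below is an added example written for this page, not code from the original post or from the udev project; the protocol number 15 and multicast group 1 are the real values from the kernel's netlink headers, while the function names, the CHAR_ONLY list and the (path, mode, rdev) entry format are this example's own assumptions.

```python
# Added example (not from the post or from udev): origin check for uevents
# and an audit of /dev for the spoofed-device-node symptom described above.
import os
import socket
import stat

NETLINK_KOBJECT_UEVENT = 15   # protocol number from <linux/netlink.h>
UEVENT_KERNEL_GROUP = 1       # multicast group the kernel broadcasts uevents on

# Assumed list for this example: names in /dev that must be character
# devices and never block devices.
CHAR_ONLY = {"null", "zero", "full", "random", "urandom", "tty"}


def uevent_from_kernel(sender):
    """Origin check for a received uevent.

    `sender` is the (nl_pid, nl_groups) address tuple that recvfrom()
    returns on an AF_NETLINK socket. The kernel's port id is always 0 and
    it delivers uevents through multicast group 1. A user-space socket is
    assigned a non-zero port id and, without CAP_NET_ADMIN, can only send
    unicast (nl_groups == 0), so either a non-zero nl_pid or a unicast
    delivery means the message did not come from the kernel.
    """
    nl_pid, nl_groups = sender
    return nl_pid == 0 and nl_groups == UEVENT_KERNEL_GROUP


def parse_uevent(data):
    """Split 'action@devpath\\0KEY=VAL\\0...' into (action, devpath, env)."""
    fields = data.split(b"\0")
    header = fields[0].decode(errors="replace")
    action, _, devpath = header.partition("@")
    env = {}
    for field in fields[1:]:
        if b"=" in field:
            key, _, value = field.decode(errors="replace").partition("=")
            env[key] = value
    return action, devpath, env


def audit_block_nodes(entries, root_dev):
    """Return [(path, reason), ...] for suspicious block device nodes.

    `entries` is an iterable of (path, st_mode, st_rdev) and `root_dev` is
    the device number of the root filesystem, passed in so the check can
    run on constructed input without creating device nodes.
    """
    findings = []
    for path, mode, rdev in entries:
        if not stat.S_ISBLK(mode):
            continue
        if os.path.basename(path) in CHAR_ONLY:
            findings.append((path, "block node where a character device belongs"))
        if rdev == root_dev and mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((path, "world-accessible alias of the root block device"))
    return findings


def audit_dev(dev_dir="/dev"):
    """Walk a real /dev and run audit_block_nodes() over what is found."""
    entries = []
    for root, _dirs, files in os.walk(dev_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            entries.append((path, st.st_mode, st.st_rdev))
    return audit_block_nodes(entries, os.stat("/").st_dev)


def listen(max_events=5):
    """Receive uevents from the kernel, dropping any that fail the origin check."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_KOBJECT_UEVENT)
    sock.bind((0, UEVENT_KERNEL_GROUP))   # port id 0 = let the kernel assign one
    seen = 0
    while seen < max_events:
        data, sender = sock.recvfrom(8192)
        if not uevent_from_kernel(sender):
            print("dropped uevent not sent by the kernel, nl_pid", sender[0])
            continue
        action, devpath, env = parse_uevent(data)
        print(action, devpath, env.get("MAJOR"), env.get("MINOR"))
        seen += 1


if __name__ == "__main__":
    for found_path, reason in audit_dev():
        print("SUSPICIOUS", found_path, reason)
    listen()
```

The audit compares st_rdev against os.stat("/").st_dev, which is only meaningful when the root filesystem sits directly on a block device; on LVM, overlay or btrfs roots the backing device has to be resolved first. A receiver that wants belt and braces can additionally enable SO_PASSCRED on the netlink socket and reject messages whose sender credentials are not uid 0.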

7 comments:

Anonymous said...

Gimme exploit

The gun (r) said...

Hi,

as all distros have released patches and the exploit has been fixed can you now publish the code you've been using to actually gain root privileges?

Anonymous said...

it is public vuln why dont u make the exploit public lol ;].

Julien said...

Congratulations, you've found a very nice bug!

Alternatively, you can exploit the remove action instead of add to directly execute shell commands.

Anonymous said...

Really, just write your own exploit. Releasing it now would not benefit anyone except the script kiddies. You have been given more than enough information to be able to write your own exploit. I know I did...

Anonymous said...

I'm sure asking for the exploit isn't motivation for publication. Nice work.

zImage said...

This reminds me of a quite old vulnerability in the Zebra routing suite:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0858

Everything new is a well forgotten old?