Saturday, August 15, 2009

CVE-2009-2692 and android; mitigation

Update: { it seems like someone else has had more time than me
checking out the CVE-2009-2692 vulnerability and the -EINVAL
vs. -EPERM issue on android. As already stated below, one
should check the ELF loader and how it handles PT_LOAD
segments of 0-addr. And, it seems that it did the trick!
At least from reading their exploit.
I didn't test it but it looks good to me. }

I made up a reliable exploit for CVE-2009-2692 myself with a generic
kernel 2.6 x86-64 shellcode which has only a small stub in
asm and does the rest in C.
It works reliably across the various kernel versions and I hoped to pwn my android with it, but unfortunately it turned out that the running 2.6.27 kernel inside has a proper mmap_min_addr set to 0x1000, so this bug is out of the game. There is no suid for a
PERSONALITY_SVR4 preload either. The thing that makes me
wonder is that it returns -EINVAL instead of the common -EPERM,
so maybe some further research is required.
Maybe linking the ELF binary's PT_LOAD segment to 0 helps :)

The funny thing is that a lot of "CVE-2009-2692 exploit" queries
from search engines point to this site and the crowd seems to have problems finding spender's wunderbar_emporium.tgz :-)

If you are looking for easy mitigation of the attack
on openSUSE systems, call

echo 0x1000 > /proc/sys/vm/mmap_min_addr

from a rootshell. Since there is no setuid pulseaudio or
SELinux installed on openSUSE, this kills any NULL ptr attacks.
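As an added example (not part of the original post), here is a small POSIX shell audit that reads the mmap_min_addr sysctl the post tells you to raise, tells you whether it is at least one page (0x1000), and prints the sysctl.conf line that keeps the setting across reboots, since the echo into /proc above is lost on the next boot. The function names, the --audit flag and the 4096 threshold are my own choices; the /proc path and the vm.mmap_min_addr key are the kernel's.

```shell
#!/bin/sh
# Added example, not from the original post: audit the mmap_min_addr
# sysctl. Passing this check only says the low-address mmap restriction
# is in place; it is a sanity check, not proof the box is safe.

# Smallest value we treat as protective: one page, 0x1000 = 4096 bytes.
MIN_OK=4096

# mmap_min_addr_ok VALUE: return 0 (true) if VALUE is at least one page.
# VALUE may be decimal (what the kernel reports) or 0x-hex (what the
# post writes); $(( )) accepts both forms.
mmap_min_addr_ok() {
    val=$(( $1 ))
    [ "$val" -ge "$MIN_OK" ]
}

# audit_mmap_min_addr [PATH]: read the live sysctl (PATH defaults to the
# /proc file) and report. Returns 0 if protective, 1 if too low,
# 2 if the file cannot be read (kernel without the sysctl, no /proc).
audit_mmap_min_addr() {
    path=${1:-/proc/sys/vm/mmap_min_addr}
    if [ ! -r "$path" ]; then
        echo "cannot read $path (no such sysctl on this kernel?)"
        return 2
    fi
    cur=$(cat "$path")
    if mmap_min_addr_ok "$cur"; then
        echo "mmap_min_addr=$cur: mapping the first page is blocked"
        return 0
    fi
    echo "mmap_min_addr=$cur: below one page, raise it"
    return 1
}

# persist_line: print the /etc/sysctl.conf line that makes the post's
# echo permanent (apply with sysctl -p after adding it).
persist_line() {
    printf 'vm.mmap_min_addr = %d\n' "$MIN_OK"
}

# Run the live audit only when invoked as: sh thisfile.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_mmap_min_addr
    echo "to persist, add to /etc/sysctl.conf:"
    persist_line
fi
```

Run it as `sh mmap_min_addr_check.sh --audit` on the host; exit status 1 means the value is still below one page, 2 means the sysctl is not there at all, which on an older or stripped-down kernel is itself worth knowing.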

1 comment:

Julien said...

Unfortunately mmap() not working when trying to map the first page is not a security boundary.
IIRC, here, it's just a side effect of the PT_LOAD executable segment being mapped so low in the address space by default on ARM.

You can easily bypass this restriction by crafting a special ELF file, using mremap, or with other techniques I won't describe here.

I believe Zinx used the former in his exploit.