Illustrating the Linux sock_sendpage() NULL pointer dereference on Power/Cell BE Architecture

--=-2WbFwutUrWue5ZbMZnAm
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Ive released an exploit for the Linux sock_sendpage() NULL pointer
dereference[1], discovered by Tavis Ormandy and Julien Tinnes. This exploit
was written to illustrate the exploitability of this vulnerability on
Power/Cell BE architecture.

The exploit makes use of the SELinux and the mmap_min_addr problem to explo=
it
this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. The
problem, first noticed by Brad Spengler, was described by Red Hat in Red Ha=
t
Knowledgebase article: Security-Enhanced Linux (SELinux) policy and the
mmap_min_addr protection[2].

Support for i386 and x86_64 was added for completeness. For a more complete
implementation, refer to Brad Spenglers exploit[3], which also implements
the personality trick[4] published by Tavis Ormandy and Julien Tinnes.

Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
are vulnerable.

The exploit was tested on:

 * CentOS 5.3 (2.6.18-128.7.1.el5) is not vulnerable
 * CentOS 5.3 (2.6.18-128.4.1.el5)
 * CentOS 5.3 (2.6.18-128.2.1.el5)
 * CentOS 5.3 (2.6.18-128.1.16.el5)
 * CentOS 5.3 (2.6.18-128.1.14.el5)
 * CentOS 5.3 (2.6.18-128.1.10.el5)
 * CentOS 5.3 (2.6.18-128.1.6.el5)
 * CentOS 5.3 (2.6.18-128.1.1.el5)
 * CentOS 5.3 (2.6.18-128.el5)
 * CentOS 4.8 (2.6.9-89.0.9.EL) is not vulnerable
 * CentOS 4.8 (2.6.9-89.0.7.EL)
 * CentOS 4.8 (2.6.9-89.0.3.EL)
 * CentOS 4.8 (2.6.9-89.EL)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5) is not vulnerable
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5)
 * Red Hat Enterprise Linux 5.3 (2.6.18-128.el5)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL) is not vulnerable
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL)
 * Red Hat Enterprise Linux 4.8 (2.6.9-89.EL)
 * SUSE Linux Enterprise Server 11 (2.6.27.19-5)
 * SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21)
 * Ubuntu 8.10 (2.6.27-14) is not vulnerable
 * Ubuntu 8.10 (2.6.27-11)
 * Ubuntu 8.10 (2.6.27-9)
 * Ubuntu 8.10 (2.6.27-7)
=20
The exploit is available at our exploits section or directly at the followi=
ng
address:
http://www.risesecurity.org/exploits/linux-sendpage.c

Please, let me know if you have any questions or comments.

Also, feel free to leave a comment at:
http://www.risesecurity.org/entry/illustrating-linux-sock_sendpage-null-poi=
nter/

[1] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
[2] http://kbase.redhat.com/faq/docs/DOC-18042
[3] http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz
[4] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

Best regards,
Ramon


--=-2WbFwutUrWue5ZbMZnAm
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkqbwr8ACgkQGIS0iEuhp4Ny5QCffuRZDSMxBTziUFCRWi0S26at
n/MAn2VgwxiWiH++gp4Xkbyp41aHNlsB
=R+uk
-----END PGP SIGNATURE-----

--=-2WbFwutUrWue5ZbMZnAm--