Quick video of an exploit I wrote for the move_pages() infoleak just submitted to oss-sec (though I had noticed the commit earlier today with SuSE security on CC). The analysis and exploit development were all completed within an hour. I can leak 512MB of kernel memory around a specific bitmap in the kernel. In the exploit I demonstrate leaking the contents of two sysctl variables, as well as the NUMA bitmap.
Source code will be released shortly — it’s a neat little bug, and I like the idea of deducing kernel memory one bit at a time via the return value of the system call.
PS: SELinux did nothing to prevent this exploit.
Duration: 0:6:30
Technorati Tags: exploit, infoleak, linux, redhat, selinux
Back again with yet another Linux exploit. For time purposes I’m only demonstrating it on RHEL 5.4, but if you look on my Twitter you can see screenshots of it working on every distro mentioned in the video. It’ll work on everything else too; I just don’t have the VMs installed. Every version of Linux I can get my hands on is vulnerable.
Initially the title of this video stated the exploit was SMP-only. That’s not the case — some single-processor systems with PREEMPT enabled are also capable of winning the race, leading to compromise.
Mitigation:
Make sure you have mmap_min_addr enabled on your machines and that it can’t be bypassed. To test whether mmap_min_addr can be bypassed, is disabled, or is not present on your machine, download enlightenment and run ./run_null_exploits.sh. You don’t have to choose any particular exploit; it will attempt to mmap at NULL by any means possible and report success or failure. Unlike with sock_ops, there is no workaround for this vulnerability, so it’s time to bite the bullet and upgrade to a kernel that protects against this class of bugs in general. Workarounds have never been a long-term solution.
This exploit was written within an hour on October 22nd 2009.
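As an added example (not code from this post, and not part of the enlightenment package it mentions), here is a small C check for the mitigation described above: it reads vm.mmap_min_addr from /proc and then makes one direct attempt to map the NULL page, which is exactly the condition the mitigation exists to prevent. The function names are my own, and unlike run_null_exploits.sh it tries only this single route, so a refusal here shows the sysctl is working for plain mmap but does not prove that no bypass exists.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, in case the header hides it */
#endif

/* Parse the text of /proc/sys/vm/mmap_min_addr ("65536\n"); -1 if invalid. */
long parse_min_addr(const char *text)
{
    char *end;
    long v;
    if (text == NULL) return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text || v < 0) return -1;
    while (*end == '\n' || *end == ' ') end++;
    return *end == '\0' ? v : -1;
}

/* Read the live sysctl; -1 means absent or unreadable, 0 means disabled. */
long read_mmap_min_addr(void)
{
    char buf[32];
    long v = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f == NULL) return -1;
    if (fgets(buf, sizeof buf, f) != NULL) v = parse_min_addr(buf);
    fclose(f);
    return v;
}

/* One direct anonymous mapping at address 0, the same thing the enlightenment
 * script reports on. Returns 1 if the kernel allowed it (protection absent,
 * disabled or bypassed), 0 if it refused. The page is unmapped again at once. */
int probe_null_map(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, 4096);
    return 1;
}

int main(void)
{
    long min = read_mmap_min_addr();
    int mapped = probe_null_map();
    printf("mmap_min_addr = %ld; NULL page mapping %s\n", min, mapped ? "ALLOWED" : "refused");
    if (min > 0 && mapped) printf("sysctl is set but was bypassed\n");
    return mapped;   /* non-zero exit means the NULL page could be mapped */
}
```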
Duration: 0:7:28
Technorati Tags: 0day, linux, redhat, root exploit, selinux
Same exploit as the previous two videos, this time on a new target: RHEL5 2.6.18-157.
Same destruction commences.
Ah, I forgot to show in the video that after I got root, SELinux was still reporting being in enforcing mode, since the same code that faked that information for 2.6.30 worked fine with 2.6.18.
I had to cut part of my typing near the very end so that the video would fit within the 10-minute limit; nothing before that was edited.
Duration: 0:9:59
Technorati Tags: 0day, enterprise, exploit, kernel, linux, redhat, rhel, selinux