tag:blogger.com,1999:blog-8992811497323121233.post4884559622868011417..comments2011-12-07T18:39:29.152-08:00Julien Tinnesnoreply@blogger.comBlogger32125tag:blogger.com,1999:blog-8992811497323121233.post-41917015178099107362009-11-30T10:28:05.134-08:002009-11-30T10:28:05.134-08:00I have no ideasaksithttp://my2blog.comnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-80228916146279793572009-09-27T12:41:41.973-07:002009-09-27T12:41:41.973-07:00@John: I have no idea what you&#39;re talking about. We also worked on the patch, which was released even before the advisory.<br /><br />I even link to it from the blog post.Julien Tinneshttp://www.blogger.com/profile/05636781178145883012noreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-47906404811996185022009-09-26T14:59:35.565-07:002009-09-26T14:59:35.565-07:00Is it not normal procedure to inform the Kernel maintainers before publishing an exploit to the world? It took until 13th August for a patch to be released.John Cooperhttp://www.blogger.com/profile/06524239861768487132noreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-78630828711108369912009-09-07T14:15:24.640-07:002009-09-07T14:15:24.640-07:00oo thanx bro. good bilgi..yenimodahttp://yenimoda.blogspot.com/noreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-76408368543259012002009-08-27T03:33:01.888-07:002009-08-27T03:33:01.888-07:00http://www.doecirc.energy.gov/bulletins/t-217.shtml<br />Julien can u give more info about this vuln and how to trigger it. <br />thanksAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-16147312606640376982009-08-16T17:23:01.449-07:002009-08-16T17:23:01.449-07:00It did exploit Fedora SELinux up until August 13, then was patched. I successfully exploited Kernel 2.6.29.6-213.fc11.i586 with this mechanism.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-47956799511049626532009-08-16T02:30:29.104-07:002009-08-16T02:30:29.104-07:00my fedora 11 with SELinux enforcing is also safe, the exploit doesnt work or did i miss something?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-42456566174613735782009-08-15T23:43:41.435-07:002009-08-15T23:43:41.435-07:00This definetly does not work on fedora with selinux enforcing.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-20471059157162817972009-08-15T09:13:07.778-07:002009-08-15T09:13:07.778-07:00Here&#39;s a reply to some of the comments (not all, sorry):<br /><br />- @Anonymous: you&#39;re correct, about SPARC. Interestingly, IA32 could also be safe but is not for performances reasons (unless you use Linux 2.0 or PaX KERNEXEC/UDEREF). x86_64 however killed segmentation :(<br />- About mapping to Null. This should be protected by mmap_min_addr since Linux 2.6.23. Last month, <a href="http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html" rel="nofollow">Tavis and I published a way to bypass it by using personalities</a> and Pulseaudio. Brad Spengler then implemented this technique in an exploit and noticed that it worked even without the Pulseaudio trick. The reason was the default SELinux policy allowing unconfined users to mmap at address zero.Julien Tinneshttp://www.blogger.com/profile/05636781178145883012noreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-45931224751512281072009-08-15T08:06:25.221-07:002009-08-15T08:06:25.221-07:00So there&#39;s actually two bugs. One is NULL pointer dereference and the other is allowing to mmap (presumably unmmapable) memory at 0x0 location (even if /proc/sys/vm/mmap_min_addr &gt; 0).Emsinoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-66199580405962807572009-08-15T03:00:53.346-07:002009-08-15T03:00:53.346-07:00Fedora&#39;s SELinux policy (asuuming you leave it enforcing) protects from the exploit (runcon can&#39;t change the type).Lamhttp://lac.pl/noreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-66260512527156772572009-08-14T13:43:16.343-07:002009-08-14T13:43:16.343-07:00Doesn&#39;t work with SELinux, although you claim the opposite in the source:<br /><br />sh wunderbar_emporium.sh <br />runcon: invalid context:<br />unconfined_u:unconfined_r:initrc_t:s0-s0:c0.c1023: Invalid argument<br />UNABLE TO MAP ZERO PAGE!<br /><br />and the raw audit message for this:<br />localhost.localdomain type=AVC msg=audit(1250278420.753:27501): avc: denied { mmap_zero } for pid=16933 comm=&quot;exploit&quot; scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect<br /><br />So obviously you were to fast when you thanked Dan for &quot;great SELinux bypass&quot;.Christophhttp://www.christoph-wickert.denoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-34260193539593058442009-08-14T12:46:38.877-07:002009-08-14T12:46:38.877-07:00Looks like you where to fast when you thanked Dan, because SELinux does indeed stop this:<br /><br />$ LANG=C sh wunderbar_emporium.sh <br />runcon: invalid context:<br />unconfined_u:unconfined_r:initrc_t:s0-s0:c0.c1023: Invalid argument<br />UNABLE TO MAP ZERO PAGE!Christophhttp://www.christoph-wickert.denoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-77517847779387429262009-08-14T12:29:18.170-07:002009-08-14T12:29:18.170-07:00Why can&#39;t the kernel track the process that map page zero and does extra stuff when switching from user mode to kernel mode (update mmu to make it not excecutable, ...)<br /><br />Of course this will slowdown these processes but are there performance program that depend of that ?<br />Wine ?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-33748645485167841952009-08-14T12:04:12.233-07:002009-08-14T12:04:12.233-07:00UNABLE TO MAP ZERO PAGE! on up to date Fedora with SELinux. Problem addressed by Red Hat when fixing CVE-2009-1895 recently?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-91223969912652192402009-08-14T08:32:18.250-07:002009-08-14T08:32:18.250-07:00Don&#39;t use the one from securityfocus, they have an old version of the exploit.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-70988279523218818952009-08-14T07:13:50.390-07:002009-08-14T07:13:50.390-07:00Looks like it&#39;s finally kernel upgrade time!<br />Goodbye Linux_2.6.19, I&#39;ll miss you.<br /><br />CodifexAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-65298385298765241642009-08-14T03:42:32.834-07:002009-08-14T03:42:32.834-07:00Yet another reason to use some alternative with better track record wrt security, like Solaris or *BSD.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-55254461946411694462009-08-14T01:20:42.120-07:002009-08-14T01:20:42.120-07:00Congrats for the discover !Fanfhttp://www.blogger.com/profile/10948445494945956846noreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-84149094204714047342009-08-14T01:12:17.499-07:002009-08-14T01:12:17.499-07:00Can anybody explain why http://www.securityfocus.com/bid/36038/exploit only works once?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-58319029603351753212009-08-13T21:39:50.614-07:002009-08-13T21:39:50.614-07:00Exploit code has been available at http://grsecurity.net/~spender/wunderbar_emporium.tgz<br /><br />Works on all affected kernels: both x86 and x64, 4k stacks or 8k stacks, cred framework or not. Disables SELinux, AppArmor, LSM, and auditing. Also plays an embedded movie if the host is up to it.<br /><br />-BradAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-18658538259235692472009-08-13T19:23:24.738-07:002009-08-13T19:23:24.738-07:00Good find, great work.nojoyhttp://sdf.lonestar.orgnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-88519091239861813832009-08-13T18:04:52.123-07:002009-08-13T18:04:52.123-07:00&gt; This is one reason so many 64b systems<br />&gt; (Tru64 on Alpha being a good example<br />&gt; prevent mapping the first 32 bits of<br />&gt; address space. Surprising that Linux<br />&gt; doesn&#39;t do the same.<br /><br />?? First of all - the whole problem has nothing to do with architecture of the used CPU (intel, non-intel, 32bit, 64bit).<br /><br />Secondly - Linux also offers such protection, but it was somehow flawed until one of the kernel versions<br /><br />3rdly - It is guaranteed on some systems (SVR4) that the fisrt page is always mapped (PROT_READ afair), so linux tries to emulate that behavior via the personality mechanism - http://linux.die.net/man/2/personality - and that is where the bug lied (the one with mapping zero page).Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-46657888233202626932009-08-13T15:59:16.515-07:002009-08-13T15:59:16.515-07:00This is one reason so many 64b systems (Tru64 on Alpha being a good example) prevent mapping the first 32 bits of address space. Surprising that Linux doesn&#39;t do the same.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-13516937151628118422009-08-13T14:56:18.788-07:002009-08-13T14:56:18.788-07:00http://www.securityfocus.com/bid/36038/exploit<br />beer please nowAnonymousnoreply@blogger.com