tag:blogger.com,1999:blog-8992811497323121233.post7443061850031050907..comments2011-03-12T17:58:02.562-08:00Comments on cr0 blog: Interesting vulnerability in udevdJulien Tinnesnoreply@blogger.comBlogger15125tag:blogger.com,1999:blog-8992811497323121233.post-6979758591952615552009-08-15T10:22:50.852-07:002009-08-15T10:22:50.852-07:00Hello there,
I was experimenting with this vulner...Hello there,<br /><br />I was experimenting with this vulnerability on a box that had 'noexec' enabled on all partitions, so, I was unable to use the LD_PRELOAD technique. Instead I coded a python exploit (yeap not affected by noexec) that makes use of all the ideas discussed here :-)<br /><br />It replaces /dev/urandom with /dev/mem (/dev/sda, /dev/hda are also ok!). What's really interesting is the fact that this always results in a device mode equal to 0666 whithout requiring any specific rules in /etc/udev/rules.d/ :-)<br /><br />So next step is a /dev/mem backdoor or a debugfs equivalent writen in Python (lol).<br /><br />./hkhukuhttps://www.grhack.netnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-33974163016587077422009-04-18T13:48:00.000-07:002009-04-18T13:48:00.000-07:00http://seclists.org/fulldisclosure/2009/Apr/att-01...http://seclists.org/fulldisclosure/2009/Apr/att-0198/udev_txt :)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-82702296113850566552009-04-18T13:23:00.000-07:002009-04-18T13:23:00.000-07:00did anyone come up with something like this?
http...did anyone come up with something like this?<br /><br />http://pastebin.ca/1395979francesco chiesanoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-3316130591484258792009-04-18T10:15:00.000-07:002009-04-18T10:15:00.000-07:00i have the base code up and running. 50 lines of C...i have the base code up and running. 50 lines of C code for me :P. Do we need to send it sh commands or udev command/rules? Thanks.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-39687255159546506852009-04-18T06:57:00.000-07:002009-04-18T06:57:00.000-07:00Yes absolutely, and it's mentioned here too! Where...Yes absolutely, and it's mentioned here too! Where else did you see it?Julien Tinneshttp://www.blogger.com/profile/05636781178145883012noreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-2844902997391089762009-04-18T06:20:00.000-07:002009-04-18T06:20:00.000-07:00As some people stated in other blog,
wouldn't acti...As some people stated in other blog,<br />wouldn't action="remove", RUN+= work like a charm? without any hassle of managing any devices?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-80331413135652301932009-04-18T04:31:00.000-07:002009-04-18T04:31:00.000-07:00You can get access (as far as DAC is concerned) to...You can get access (as far as DAC is concerned) to any device you want easily.<br />However, /dev/kmem is usually otherwise restricted.<br />/dev/mem will work, but will be more complex than any other way unless you already have this code ready, even without STRICT_DEVMEM on.Julien Tinneshttp://www.blogger.com/profile/05636781178145883012noreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-3639459857773303512009-04-18T02:06:00.000-07:002009-04-18T02:06:00.000-07:00What about mapping /dev/mem or /dev/kmem ? ;)What about mapping /dev/mem or /dev/kmem ? ;)dreyercitohttp://sexy.oandas.esnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-824915769338163532009-04-17T10:52:00.000-07:002009-04-17T10:52:00.000-07:00And <a href="http://c-skills.blogspot.com/2009/04/...And <A HREF="http://c-skills.blogspot.com/2009/04/udev-trickery-cve-2009-1185-and-cve.html" REL="nofollow">this blog post</A> from the guy who has disclosed this bug.Julien Tinneshttp://www.blogger.com/profile/05636781178145883012noreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-55777452426574167452009-04-17T10:23:00.000-07:002009-04-17T10:23:00.000-07:00See <a href="http://xorl.wordpress.com/2009/04/17/...See <A HREF="http://xorl.wordpress.com/2009/04/17/cve-2009-1186-linux-udev-netlink-missing-checks/" REL="nofollow">http://xorl.wordpress.com/2009/04/17/cve-2009-1186-linux-udev-netlink-missing-checks/</A>Sidhttp://sid.rstack.org/blog/noreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-55653056653702559762009-04-17T02:16:00.000-07:002009-04-17T02:16:00.000-07:00grep -r RUN /etc/udev/rules.d
result varies for ev...grep -r RUN /etc/udev/rules.d<br />result varies for every distrib.kraalnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-73546100472549343602009-04-16T22:29:00.000-07:002009-04-16T22:29:00.000-07:00people asking to post codes are faggots
do it you...people asking to post codes are faggots<br /><br />do it yourselfAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-58928025872573007822009-04-16T16:29:00.000-07:002009-04-16T16:29:00.000-07:00Post the codes :)Post the codes :)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-30056331100570422352009-04-16T15:02:00.000-07:002009-04-16T15:02:00.000-07:00... and where can one get a sample of those lines?...... and where can one get a sample of those lines?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-13246678375823731992009-04-16T14:09:00.000-07:002009-04-16T14:09:00.000-07:00<i>5 lines of Python for Phil</i>We were so used t...<I>5 lines of Python for Phil</I>We were so used to see Scapy one-liners... Kinda disappointing, don't you think ? ;)Sidhttp://sid.rstack.org/blog/noreply@blogger.com