[Dailydave] Wow, free kernel zero day?
Don Bailey
don.bailey at gmail.com
Tue Feb 27 16:43:26 EST 2007
I know, I know. You can't believe I didn't sell this to
Simon at SNOsoft (or former SNOsoft or whatever) and I
can't either! I, too, want hundreds of thousands of
dollars in zero day earnings!
But, don't get too excited yet! This code exploits a
kernel bug for Plan 9, and you probably don't even
run Plan 9! The fun part is that lots of government
labs and corporate R&D facilities do.
But (yes, another but) I'm not such a terrible guy. I
waited until the bug was patched in the Plan 9 tree.
I wonder who fed the bunny? Hmmm...
Anyway, this was a great bug and lasted for quite a while
in private. Not to mention, it was probably the most
elegant kernel bug I've ever found... thanks to this code:
envwrite(Chan *c, void *a, long n, vlong off)
{
	char *s;
	int vend;
	Egrp *eg;
	Evalue *e;
	ulong offset = off;

	if(n <= 0)
		return 0;
	vend = offset+n;
	if(vend > Maxenvsize)
		error(Etoobig);
	...
Hmmm... what if we do this a couple lines later:
	if(vend > e->len) {
		...
	}
	memmove(e->value+offset, a, n);
The best part is that we can truncate e->value to
zero which basically allows us to write kernel
memory at exact addresses! No hassle, no waiting.
Snazzy.
Enjoy:
http://kernelspace.us/itheft.c
Don Bailey
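Added illustration, not part of the original post, not Plan 9 kernel code and not the linked itheft.c: a host-side model of the arithmetic in the check quoted above. The snippet computes `int vend = offset+n` from a `ulong offset` (itself narrowed from the `vlong off` argument) and a `long n`, then compares `vend` against Maxenvsize and `e->len`, while the memmove uses the raw `offset`. The model pins `ulong`, `long` and `int` to 32 bits (as on a 32-bit Plan 9 build), assumes a Maxenvsize of 16300 for illustration only, and uses hypothetical function names (`vuln_check`, `write_displacement`, `fixed_check`) and constructed inputs. It shows why a large offset with a small n sails past both comparisons, where the resulting write lands relative to `e->value`, and a check that cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration; the real constant lives in the Plan 9 kernel. */
enum { Maxenvsize = 16300 };

/*
 * Model of the original bounds check with the types the snippet uses,
 * pinned to 32 bits (ulong, long and int are all 32-bit on a 32-bit
 * Plan 9 build): ulong offset, long n, int vend = offset + n.
 * Returns true when the original code would reach the memmove.
 */
static bool vuln_check(uint32_t offset, int32_t n, int32_t elen)
{
	int32_t vend;

	if (n <= 0)
		return false;
	/* unsigned 32-bit addition wraps, then the sum is narrowed to int */
	vend = (int32_t)(offset + (uint32_t)n);
	if (vend > Maxenvsize)
		return false;		/* error(Etoobig) */
	if (vend > elen) {
		/* the original grows e->value here; the write below still
		 * uses the unvalidated offset, so this path is no safer */
	}
	return true;			/* memmove(e->value+offset, a, n) */
}

/*
 * Signed view of where the write lands relative to e->value with a
 * 32-bit pointer: the wrap that fooled vend becomes a displacement
 * before (negative) or far beyond the buffer.
 */
static int32_t write_displacement(uint32_t offset)
{
	return (int32_t)offset;
}

/*
 * Hardened check: keep the 64-bit vlong offset as given, reject it on
 * its own before any addition, then bound n against the remaining room
 * so no intermediate value can wrap.
 */
static bool fixed_check(int64_t off, int32_t n)
{
	if (n <= 0)
		return false;
	if (off < 0 || off > Maxenvsize)
		return false;
	if ((int64_t)n > (int64_t)Maxenvsize - off)
		return false;
	return true;
}

int main(void)
{
	/* constructed input: a huge offset with a small n wraps vend to 16 */
	uint32_t off = 0xFFFFFFF0u;
	int32_t n = 32;

	printf("vuln_check(0x%08x, %d): %s, write lands at e->value%+d\n",
	       (unsigned)off, (int)n, vuln_check(off, n, 64) ? "passes" : "rejected",
	       (int)write_displacement(off));
	printf("fixed_check(0x%08x, %d): %s\n",
	       (unsigned)off, (int)n, fixed_check((int64_t)off, n) ? "passes" : "rejected");
	return 0;
}
```

The second constructed case in the test, offset 0x80000000 with n of 1, shows the other failure mode: vend becomes a negative int, which is never greater than Maxenvsize, so the size check is skipped entirely even though nothing wrapped in the unsigned sum.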