[Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns

TINNES Julien RD-MAPS-ISS julien.tinnes at francetelecom.com
Mon Mar 5 08:16:16 EST 2007


Michal Zalewski a écrit :
> On Sat, 3 Mar 2007, Brad Spengler wrote:
> 
>> Also, if there are any security historians on the list, I submit for
>> your record-keeping what I believe to be the first public exploit for a
>> null ptr dereference bug in the Linux kernel.
> 
> Historians, wait! Here, I have the same code dated 2001! Which is notable,
> because it actually predates the 2.6 kernel altogether!
> 
> On a more serious note... null pointer _dereference_ ("following of") is
> almost never exploitable on modern platforms (unless you count
> 0x0+large_offset table element access), and this exploit is consistent
> with that assessment.

Local kernel-mode exploits rely on the following paradigm: you _already_
have arbitrary code execution and you want to run code with kernel
privileges (or just with more privilege) or to write to memory you're
not allowed to write to.

So, to exploit "to-userland pointer dereference" class of kernel flaws,
you just have to mmap() the page at the correct address (and mmap at 0
is perfectly allowed).

The problem in Linux is that since kernel 2.4 the segment selector
registers are loaded (in *both* kernel and user mode) with references to
segments with a base address of 0 (in kernel 2.0 and 2.2, the base for
most selectors was different in kernel mode). This is not the case in PaX.

This means that dereferencing a NULL pointer will indeed point you to
address 0 in linear memory, which is also address 0 in userland in current
Linux kernels.

> What you have here is not a dereference of a null pointer (the kernel
> never tries to read/write *0x0), but rather, an opportunity to access a
> fun page of memory because of a missing 0x0 value check.

I don't understand you here. The bug spender has mentioned is, AFAIR,
exactly a null pointer dereference.

> Naming your post / exploit in such an alarmist way will only have folks
> report NULL ptrs in /bin/date as "EXTREMELY CRITICAL" as opposed to the
> usual "VERY CRITICAL" we're all accustomed to. Please don't ;-)

Also while it is not really relevant to the current subject (in-kernel
null pointer dereference), here is a link to a paper by Gael Delalleau
treating the subject of exploiting user-land null pointer dereferences.

http://cansecwest.com/core05/memory_vulns_delalleau.pdf


-- 
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6
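The post's premise is that an unprivileged process may mmap() the page at address 0, so a kernel dereference of NULL (or NULL plus a small offset) lands in attacker-controlled memory. Later Linux kernels added the vm.mmap_min_addr sysctl, which refuses user mappings below a threshold. The following added example (not code from the thread) reads that sysctl and reports, for a few constructed dereference offsets, whether the page the kernel would touch is still mappable from userland; the 4 KiB page size is an assumption.

```c
/* Added example: audit whether a kernel NULL+offset dereference could
 * reach a page an unprivileged process may map (the condition the post
 * describes).  Uses vm.mmap_min_addr, a hardening knob added to Linux
 * after this 2007 post; pages below it cannot be mapped by ordinary users. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

#define PAGE_SIZE_ASSUMED 4096UL   /* assumption: 4 KiB pages */

/* Parse the text of /proc/sys/vm/mmap_min_addr; -1 on malformed input. */
long parse_min_addr(const char *text)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (errno || end == text || (*end != '\n' && *end != '\0'))
        return -1;
    return (long)v;
}

/* Can an unprivileged mmap() place memory at the page containing addr?
 * With min_addr == 0 (the 2007 situation) even page 0 is mappable. */
int page_mappable_by_user(unsigned long addr, long min_addr)
{
    if (min_addr < 0) return -1;
    unsigned long page = addr & ~(PAGE_SIZE_ASSUMED - 1);
    return page >= (unsigned long)min_addr;
}

/* Read the live sysctl; -1 if unavailable (non-Linux, no procfs). */
long read_live_min_addr(void)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return -1; }
    fclose(f);
    return parse_min_addr(buf);
}

int main(void)
{
    long min_addr = read_live_min_addr();
    if (min_addr < 0) { puts("vm.mmap_min_addr not readable here"); return 1; }
    /* constructed offsets: a struct field at NULL+0x10, and larger table-style offsets */
    unsigned long offsets[] = { 0x10, 0x8000, 0x20000 };
    for (size_t i = 0; i < 3; i++)
        printf("deref of NULL+0x%lx: %s\n", offsets[i],
               page_mappable_by_user(offsets[i], min_addr)
                   ? "lands in user-mappable memory" : "faults (page unmappable)");
    return 0;
}
```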

