[Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns

Sebastian Krahmer krahmer at suse.de
Tue Mar 6 04:28:41 EST 2007


On Mon, 5 Mar 2007, Michal Zalewski wrote:

Although it's not a classic NULL ptr dereference; it's a function-ptr
thingie; you can exploit NULL ptr dereferences:

**ptr = value;

that can happen in more places than you first think of. And if ptr is NULL,
you have your real NULL ptr exploit.

Sebastian

> On Mon, 5 Mar 2007, TINNES Julien RD-MAPS-ISS wrote:
> 
> > So, to exploit "to-userland pointer dereference" class of kernel flaws,
> > you just have to mmap() the page at the correct address (and mmap at 0
> > is perfectly allowed).
> > [...]
> > I don't understand you here. The bug spender has mentioned is afair,
> > exactly a null pointer dereference.
> 
> You're not exploiting any userland application (the code being run is your
> own program, you already have full control of it), correct? You're
> attacking the kernel. The flaw in the kernel is not caused by a null pointer
> dereference (the kernel is not vulnerable because of trying to read or
> write *0x0 - that's what a dereference is).
> 
> The flaw is caused by a missing check that allows you to gain access to
> the first physical page of memory, which you can then read or write. So a
> proper title would be "on exploiting missing checks" or "on gaining access
> to *0x0". Note that Brad's exploit doesn't even get to access 0x0 in the
> process's address space - he just gets an instance of physical page 0
> mapped to some sane address.
> 
> Yeah, it's just semantics, but the issue is important in that we do not
> want crashes caused as userland NULL pointer dereferences to be considered
> exploitable by those who misinterpret the nature of this flaw.
> 
> > http://cansecwest.com/core05/memory_vulns_delalleau.pdf
> 
> Yeah, seen that presentation in person. That's a wholly different class of
> problems, and I did mention it in my initial response (some architectures,
> and some large-offset operations on NULL ptr tables or structures, are
> vulnerable; NULL ptr derefs as such usually aren't).
> 
> /mz

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
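The double-dereference pattern Sebastian points at, as an added example that is not part of the original message or of any code discussed in the thread. The function names (store_unchecked, store_checked, demo_destination_is_selected_by_first_deref) and the sample variables are constructed for illustration. The unchecked function reproduces `**ptr = value;` literally: when ptr is NULL the first load reads whatever sits at address 0, and if that page is mapped (the mmap-at-0 situation discussed above) its contents select the write destination. The checked function is the defensive form, which refuses both a NULL outer and a NULL inner pointer; the demo shows on a valid chain that changing only the intermediate pointer moves the write.

```c
#include <stddef.h>
#include <stdio.h>

/* Mirrors the pattern from the message: the first dereference fetches a
   pointer from *ptr, the second writes through it. With ptr == NULL the
   fetch reads address 0, so whoever controls page 0 controls the target. */
static void store_unchecked(int **ptr, int value)
{
    **ptr = value;
}

/* Hardened form: reject a NULL outer pointer and a NULL inner pointer.
   Returns 0 when the store was performed, -1 when it was refused. */
static int store_checked(int **ptr, int value)
{
    if (ptr == NULL || *ptr == NULL)
        return -1;
    **ptr = value;
    return 0;
}

/* On a valid chain, show that the write lands wherever the first
   dereference points: swapping the intermediate pointer (a constructed
   stand-in for "what lives at *ptr") redirects the store. Returns 1 if
   both writes landed where the intermediate pointer said. */
static int demo_destination_is_selected_by_first_deref(void)
{
    int target_a = 0, target_b = 0;
    int *slot = &target_a;

    store_unchecked(&slot, 1);   /* writes target_a */
    slot = &target_b;            /* change only the intermediate pointer ... */
    store_unchecked(&slot, 2);   /* ... and the write moves to target_b */

    return target_a == 1 && target_b == 2;
}

int main(void)
{
    int *nothing = NULL;
    int value = 0, *p = &value;

    printf("demo ok: %d\n", demo_destination_is_selected_by_first_deref());
    printf("checked, NULL outer: %d\n", store_checked(NULL, 5));
    printf("checked, NULL inner: %d\n", store_checked(&nothing, 5));
    printf("checked, valid: %d (value=%d)\n", store_checked(&p, 7), value);
    return 0;
}
```

Code review for this class of bug therefore looks for the missing check on the outer pointer, not only on the inner one; the kernel-side mitigation that complements it is to refuse mappings of the lowest pages (Linux's vm.mmap_min_addr sysctl), so that a NULL outer pointer faults instead of reading attacker-placed data.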


