Wednesday, December 17, 2008

NULL pointer exploitation

Today Sun finally released a fix for a kernel bug I reported to them back in 2007 (TKADV2008-015). The vulnerability is a NULL pointer dereference in the kernel that can be reliably exploited on x86 platforms (32- and 64-bit).

This movie demonstrates that the vulnerability is exploitable: the exploit first escapes from a restricted non-global Solaris zone into the global zone, drops all restrictions, and then gains root privileges.

The mdb session below, run against a saved crash dump (unix.4 / vmcore.4), shows the kernel calling into 0x44434241 (the ASCII string "ABCD" in little-endian byte order) from ip_sioctl_tunparam, reached through an ioctl on an IP STREAMS device. A call target that decodes to a recognizable ASCII pattern is the usual sign that the function pointer read through the NULL pointer is attacker-controlled.

# mdb -k unix.4 vmcore.4
Loading modules: [ unix krtld genunix specfs dtrace cpu.AuthenticAMD.15 uppc
pcplusmp ufs ip sctp usba fcp fctl nca lofs audiosup zfs random sppp crypto md 
cpc fcip logindmux ptm nfs ]

> $c
0x44434241(c, dad0ebc0) 
ip_sioctl_tunparam+0xfc(0, d46c0200, d6d352b0, d6849380, fecc6e80, d6d352b0)
ip_process_ioctl+0x2a9(0, d6d352b0, d6849380, fecc6e80)
ip_wput_nondata+0x248(0, d6d352b0, d6849380, 0)
ip_output+0x376()
ip_wput+0x14(d6d352b0, d6849380)
putnext+0x1b7(d6d352b0, d6849380)
ar_wput+0x131(d6d31430, d6849380)
putnext+0x1b7(d6d31430, d6849380)
strdoioctl+0x4f1(d6218508, d55d6d10, 0, 100003, 1, d60225b0)
strioctl+0x3b1(d6d64a80, 40586993, 8061020, 100003, 1, d60225b0)
spec_ioctl+0x48(d6d64a80, 40586993, 8061020, 100003, d60225b0, d55d6f78)
fop_ioctl+0x24(d6d64a80, 40586993, 8061020, 100003, d60225b0, d55d6f78)
ioctl+0x199()
sys_sysenter+0x100()

> $r
%cs = 0x0158            %eax = 0x44434241   
%ds = 0xd4d80160        %ebx = 0x000007d0
%ss = 0x000c            %ecx = 0x000007d0
%es = 0x0160            %edx = 0xd561c000
%fs = 0x0000            %esi = 0x00000000
%gs = 0x01b0            %edi = 0x00000000

%eip = 0x44434241  
%ebp = 0xd55d6a8c
%esp = 0xd55d6a48