an exploit was posted to milw0rm first here and then another here.
finally a really good package came out called "The Rebel" and even included a nifty shell script. here is the head!
/* second verse, same as the first
CVE-2009-2698 udp_sendmsg(), x86/x64
Cheers to Julien/Tavis for the bug, p0c73n1 for just throwing code at
NULL and finding it executed
This exploit is a bit more nuanced and thoughtful ;)
use ./therebel.sh for everything
At this moment, when each of us must fit an arrow to his bow and
enter the lists anew, to reconquer, within history and in spite of it,
that which he owns already, the thin yield of his fields, the brief
love of the earth, at this moment when at last a man is born, it is
time to forsake our age and its adolescent furies. The bow bends;
the wood complains. At the moment of supreme tension, there will
leap into flight an unswerving arrow, a shaft that is inflexible and
free. -Camus
*/
the problem in udp_sendmsg() is that rt routing table is initialized as NULL and in certain situations ip_append_data() could be called with a NULL rt causing a NULL pointer dereference! (thank you cr0 for pointing this out)
here is a patch that should make ip_append_data() handle this better.
the explanation at the cr0 blog is very in depth and worth a read.
the second is in the linux kernel getname() function which gets information about a socket. This information is stored in the form of sockaddr struct and is accessed by userspace by getsockname(2) and getpeername(2) system calls. the problem lies in that uninitialized/non memset()'ed data will be returned from the stack to userspace.
examples of this:
AF_IRDA Exploit
AF_LLC Exploit
and Clement Lecigne’s AF_APPLETALK exploit at milw0rm
and here is Jon Oberheide's excellent overview including af_irda example code.
No comments:
Post a Comment