/*
 * Linux Kernel <= 2.6.37 local privilege escalation
 * by Dan Rosenberg
 * @djrbliss on twitter
 *
 * Usage:
 * gcc full-nelson.c -o full-nelson
 * ./full-nelson
 *
 * This exploit leverages three vulnerabilities to get root, all of which were
 * discovered by Nelson Elhage:
 *
 * CVE-2010-4258
 * -------------
 * This is the interesting one, and the reason I wrote this exploit. If a
 * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
 * word will be written to a user-specified pointer when that thread exits.
 * This write is done using put_user(), which ensures the provided destination
 * resides in valid userspace by invoking access_ok(). However, Nelson
 * discovered that when the kernel performs an address limit override via
 * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
 * etc.), this override is not reverted before calling put_user() in the exit
 * path, allowing a user to write a NULL word to an arbitrary kernel address.
 * Note that this issue requires an additional vulnerability to trigger.
 *
 * CVE-2010-3849
 * -------------
 * This is a NULL pointer dereference in the Econet protocol. By itself, it's
 * fairly benign as a local denial-of-service. It's a perfect candidate to
 * trigger the above issue, since it's reachable via sock_no_sendpage(), which
 * subsequently calls sendmsg under KERNEL_DS.
 *
 * CVE-2010-3850
 * -------------
 * I wouldn't be able to reach the NULL pointer dereference and trigger the
 * OOPS if users weren't able to assign Econet addresses to arbitrary
 * interfaces due to a missing capabilities check.
 *
 * In the interest of public safety, this exploit was specifically designed to
 * be limited:
 *
 * * The particular symbols I resolve are not exported on Slackware or Debian
 * * Red Hat does not support Econet by default
 * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
 *   Debian
 *
 * However, the important issue, CVE-2010-4258, affects everyone, and it would
 * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
 * more sophisticated version of this that doesn't have the roadblocks I put in
 * to prevent abuse by script kiddies.
 *
 * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
 *
 * NOTE: the exploit process will deadlock and stay in a zombie state after you
 * exit your root shell because the Econet thread OOPSes while holding the
 * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.
 *
 * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
*/
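The header above states the two conditions this exploit chains together: a kernel in the 2.6.37-and-older range for CVE-2010-4258, and a loadable Econet protocol module for the two trigger bugs. The following script is an added example from the editor, not part of full-nelson.c, that an administrator can run to check a host for both conditions. It assumes a standard GNU or BSD userland (`uname`, `cut`, `sed`, `grep -r`) and the usual modprobe layout under `/etc/modprobe.d/`. The mitigation it checks for is the conventional `install econet /bin/true` rule: a plain `blacklist econet` line only stops alias-based autoloading and does not prevent the kernel from loading the module when a process asks for the Econet socket family.

```shell
#!/bin/sh
# Added editor example: audit a host for the two preconditions of full-nelson
# (kernel <= 2.6.37 and a loadable econet module). Not part of the exploit.

# Return 0 (true) when the kernel release string is 2.6.37 or older.
# Assumes the string begins "MAJOR.MINOR.PATCH", e.g. "2.6.32-21-generic";
# any suffix after the patch number is ignored.
kernel_at_or_below_2_6_37() {
    rel="$1"
    major=$(printf '%s' "$rel" | cut -d. -f1)
    minor=$(printf '%s' "$rel" | cut -d. -f2)
    patch=$(printf '%s' "$rel" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -z "$patch" ] && patch=0
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -gt 2 ]; then return 1; fi
    if [ "$minor" -lt 6 ]; then return 0; fi
    if [ "$minor" -gt 6 ]; then return 1; fi
    [ "$patch" -le 37 ]
}

# True when the econet module is currently loaded (first field of /proc/modules).
econet_loaded() {
    [ -r /proc/modules ] && grep -q '^econet ' /proc/modules
}

# True when a modprobe "install econet ..." rule exists under /etc/modprobe.d,
# which is what actually stops the kernel from autoloading the module.
econet_install_rule_present() {
    grep -rqsE '^[[:space:]]*install[[:space:]]+econet([[:space:]]|$)' /etc/modprobe.d
}

# Human-readable summary for the running host.
report() {
    rel=$(uname -r)
    if kernel_at_or_below_2_6_37 "$rel"; then
        echo "kernel $rel: within the <= 2.6.37 range affected by CVE-2010-4258; apply vendor kernel update"
    else
        echo "kernel $rel: outside the range this exploit targets"
    fi
    if econet_loaded; then
        echo "econet module is loaded"
    fi
    if econet_install_rule_present; then
        echo "econet autoload disabled by an install rule in /etc/modprobe.d"
    else
        echo "no install rule for econet; consider: echo 'install econet /bin/true' > /etc/modprobe.d/econet.conf"
    fi
}

report
```

`kernel_at_or_below_2_6_37` is kept free of side effects so it can be exercised against arbitrary release strings; the other two functions inspect the live system and are only meaningful when run on the host being audited. Patching the kernel is the real fix for CVE-2010-4258; the install rule only removes the Econet trigger path described in the header.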