Skip to content

Exploiting Linux sock_sendpage() NULL Pointer Dereference on Power

Info

This post was originally published at https://risesecurity.com/blog/2009/08/31/exploiting-linux-sock_sendpage-null-pointer-dereference-on-power/.

Sep 10, 2009

We released a third and final version of the exploit. The third version has complete support for i386, x86_64, ppc, and ppc64; uses the personality trick published by Tavis Ormandy and Julien Tinnes; uses the TOC pointer workaround for data items addressing on ppc64 (i.e., functions in exploit code and libc can be referenced); and for SELinux-enforced systems, has improved search for domains configured to allow mmap_zero it can transition to.

Sep 7, 2009

We released a second version of the exploit. The second version also works with Linux kernel versions that have copy-on-write (COW) credentials (e.g., Fedora 11), and for SELinux-enforced systems, it automatically searches the SELinux policy rules for domains configured to allow mmap_zero it can transition to, and tries to exploit the vulnerability using these domains.

We wrote an exploit for the Linux kernel sock_sendpage NULL pointer dereference vulnerability, discovered by Tavis Ormandy and Julien Tinnes, to demonstrate the exploitability of this vulnerability on Linux running on Power/Cell BE architecture -based processors.

The exploit uses the SELinux policy and the mmap_min_addr protection issue (CVE-2009-2695) to exploit this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. The problem, first noticed by Brad Spengler, was described by Red Hat in the Red Hat Knowledgebase article: Security-Enhanced Linux (SELinux) policy and the mmap_min_addr protection (CVE-2009-2695)

We added support for i386 and x86_64 for completeness. For a more complete implementation, see Brad Spengler's exploit, which also uses the personality trick published by Tavis Ormandy and Julien Tinnes.

Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4 are vulnerable.

The exploit was tested and works on these distributions and their respective kernel versions:

  • CentOS 5.3 (2.6.18-128.4.1.el5)
  • CentOS 5.3 (2.6.18-128.2.1.el5)
  • CentOS 5.3 (2.6.18-128.1.16.el5)
  • CentOS 5.3 (2.6.18-128.1.14.el5)
  • CentOS 5.3 (2.6.18-128.1.10.el5)
  • CentOS 5.3 (2.6.18-128.1.6.el5)
  • CentOS 5.3 (2.6.18-128.1.1.el5)
  • CentOS 5.3 (2.6.18-128.el5)
  • CentOS 4.8 (2.6.9-89.0.7.EL)
  • CentOS 4.8 (2.6.9-89.0.3.EL)
  • CentOS 4.8 (2.6.9-89.EL)
  • Fedora 11 (2.6.29.4-167.fc11)
  • Fedora 10 (2.6.27.5-117.fc10)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.el5)
  • Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL)
  • Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL)
  • Red Hat Enterprise Linux 4.8 (2.6.9-89.EL)
  • SUSE Linux Enterprise Server 11 (2.6.27.25-0.1)
  • SUSE Linux Enterprise Server 11 (2.6.27.23-0.1)
  • SUSE Linux Enterprise Server 11 (2.6.27.21-0.1)
  • SUSE Linux Enterprise Server 11 (2.6.27.19-5)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.39.3)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.37_f594963d)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.34)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.33)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.31)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.29)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.27)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.23)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21)
  • Ubuntu 8.10 (2.6.27-11)
  • Ubuntu 8.10 (2.6.27-9)
  • Ubuntu 8.10 (2.6.27-7)
  • openSUSE 11.1 (2.6.27.25-0.1)
  • openSUSE 11.1 (2.6.27.23-0.1)
  • openSUSE 11.1 (2.6.27.21-0.1)
  • openSUSE 11.1 (2.6.27.19-3.2)
  • openSUSE 11.1 (2.6.27.7-9)

It was also tested and does not work on these distributions and their respective kernel versions (i.e., the vulnerability was fixed):

  • CentOS 5.3 (2.6.18-128.7.1.el5)
  • CentOS 4.8 (2.6.9-89.0.9.EL)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5)
  • Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL)
  • SUSE Linux Enterprise Server 11 (2.6.27.29-0.1)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.42.4)
  • Ubuntu 8.10 (2.6.27-14)
  • openSUSE 11.1 (2.6.27.29-0.1)

The exploit may also work on earlier versions of these and other distributions.