Dailydave mailing list archives

Wow, free kernel zero day?
From: Don Bailey <don.bailey () gmail com>
Date: Tue, 27 Feb 2007 14:43:26 -0700

I know, I know. You can't believe I didn't sell this to
Simon at SNOsoft (or former SNOsoft or whatever) and I
can't either! I, too, want hundreds of thousands of
dollars in zero day earnings!

But, don't get too excited yet! This code exploits a
kernel bug for Plan 9, and you probably don't even
run Plan 9! The fun part is that lots of government
labs and corporate R&D facilities do.

But (yes, another but) I'm not such a terrible guy. I
waited until the bug was patched in the Plan 9 tree.
I wonder who fed the bunny? Hmmm...

Anyway, this was a great bug and lasted for quite a while
in private. Not to mention, it was probably the most
elegant kernel bug I've ever found... thanks to this code:

envwrite(Chan *c, void *a, long n, vlong off)
{
         char *s;
         int vend;
         Egrp *eg;
         Evalue *e;
         ulong offset = off;

         if(n <= 0)
                 return 0;

         vend = offset+n;
         if(vend > Maxenvsize)

Hmmm... what if we do this a couple lines later:

         if(vend > e->len) {
         memmove(e->value+offset, a, n);

The best part is that we can truncate e->value to
zero which basically allows us to write kernel
memory at exact addresses! No hassle, no waiting.


Don Bailey
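The arithmetic behind the bug, as an added illustration that is not part of Don's post or of the Plan 9 source: the original check computes `offset+n` first and only then compares, so a wrapped sum passes while the later memmove still uses the unwrapped offset. MAXENVSIZE is a constructed stand-in for Maxenvsize, and the hardened check is an assumed form, not Plan 9's actual patch.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for Plan 9's Maxenvsize (assumed value). */
#define MAXENVSIZE 16300

/* Same types as the quoted envwrite(): int vend, ulong offset, long n.
 * Returns 1 when the original size check lets the write through. */
int vulnerable_check(unsigned long offset, long n)
{
    int vend;

    if (n <= 0)
        return 0;
    vend = offset + n;      /* wraps in unsigned long, then narrows to int */
    if (vend > MAXENVSIZE)
        return 0;           /* the kernel raises Etoobig here */
    return 1;               /* ... and later does memmove(e->value+offset, a, n) */
}

/* Assumed hardened form (not Plan 9's actual patch): bound each operand
 * before adding, so offset+n can never wrap past the check. */
int hardened_check(unsigned long offset, long n)
{
    if (n <= 0)
        return 0;
    if (offset > MAXENVSIZE || (unsigned long)n > MAXENVSIZE - offset)
        return 0;
    return 1;
}

int main(void)
{
    unsigned long wrap = ULONG_MAX - 15;   /* wrap + 32 == 16 at any word width */

    printf("offset=%lu n=%d: original check %s, hardened check %s\n", wrap, 32,
           vulnerable_check(wrap, 32) ? "accepts" : "rejects",
           hardened_check(wrap, 32) ? "accepts" : "rejects");
    return 0;
}
```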

Dailydave mailing list
Dailydave () lists immunitysec com
