Dailydave mailing list archives

Wow, free kernel zero day?
From: Don Bailey <don.bailey () gmail com>
Date: Tue, 27 Feb 2007 14:43:26 -0700

I know, I know. You can't believe I didn't sell this to
Simon at SNOsoft (or former SNOsoft or whatever) and I
can't either! I, too, want hundreds of thousands of
dollars in zero day earnings!

But, don't get too excited yet! This code exploits a
kernel bug for Plan 9, and you probably don't even
run Plan 9! The fun part is that lots of government
labs and corporate R&D facilities do.

But (yes, another but) I'm not such a terrible guy. I
waited until the bug was patched in the Plan 9 tree.
I wonder who fed the bunny? Hmmm...

Anyway, this was a great bug and lasted for quite a while
in private. Not to mention, it was probably the most
elegant kernel bug I've ever found... thanks to this code:

envwrite(Chan *c, void *a, long n, vlong off)
{
         char *s;
         int vend;              /* end of the write, kept as a signed int */
         Egrp *eg;
         Evalue *e;
         ulong offset = off;    /* unsigned, caller-supplied file offset */

         if(n <= 0)
                 return 0;

         vend = offset+n;       /* ulong + long stored into an int */
         if(vend > Maxenvsize)  /* signed compare: a negative vend passes */
                 error(Etoobig);
        ...

Hmmm... what if we do this a couple of lines later:

         if(vend > e->len) {    /* same signed compare: no growth for a negative vend */
                ...
         }
         memmove(e->value+offset, a, n);   /* offset itself was never bounded */

The best part is that we can truncate e->value to
zero which basically allows us to write kernel
memory at exact addresses! No hassle, no waiting.
Snazzy.

Enjoy:
        http://kernelspace.us/itheft.c

Don Bailey

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
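A user-space model of the range check quoted above, added here as an example; it is not code from the post or from the Plan 9 tree. The Maxenvsize value, the Evalue struct and all function names are constructed for illustration. The model reproduces the signed/unsigned mismatch in the quoted check beside a corrected check, and adds a write path that relies on the corrected version so the difference can be run and observed:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit for this model; the real Maxenvsize value is not on the page. */
enum { Maxenvsize = 16300 };

/* Minimal stand-in for the kernel's Evalue: a heap buffer and its length. */
typedef struct {
    char *value;
    int len;
} Evalue;

/*
 * Mirrors the quoted check: the end offset is computed into a signed int
 * from an unsigned long offset and a long count, then compared as a signed
 * value. Returns 1 if the check would let the write proceed, 0 if rejected.
 * It performs no write.
 */
int flawed_check_passes(unsigned long offset, long n)
{
    int vend;

    if (n <= 0)
        return 0;
    vend = offset + n;          /* truncated into int; gcc/clang wrap modulo 2^32 */
    if (vend > Maxenvsize)      /* a negative vend is never "too big" */
        return 0;               /* error(Etoobig) */
    return 1;
}

/*
 * Corrected check: stay unsigned, bound the offset first, then bound the
 * count against the remaining room so offset+n cannot wrap.
 */
int safe_check_passes(unsigned long offset, long n)
{
    if (n <= 0)
        return 0;
    if (offset > (unsigned long)Maxenvsize)
        return 0;
    if ((unsigned long)n > (unsigned long)Maxenvsize - offset)
        return 0;
    return 1;
}

/*
 * Write path built on the corrected check: grows the buffer to cover
 * offset+n (zero-filling any gap), then copies. Returns n, or -1 when the
 * request is out of range or allocation fails.
 */
long env_write_safe(Evalue *e, unsigned long offset, const void *a, long n)
{
    unsigned long vend;
    char *s;

    if (!safe_check_passes(offset, n))
        return -1;
    vend = offset + n;          /* cannot wrap: both terms are bounded by Maxenvsize */
    if (vend > (unsigned long)e->len) {
        s = realloc(e->value, vend);
        if (s == NULL)
            return -1;
        if (offset > (unsigned long)e->len)   /* zero the gap before the new data */
            memset(s + e->len, 0, offset - e->len);
        e->value = s;
        e->len = (int)vend;
    }
    memmove(e->value + offset, a, (size_t)n);
    return n;
}

/* Two in-range writes on an empty value; returns the final length if the
 * contents are "abcxyz", otherwise -1. */
int demo_safe_write(void)
{
    Evalue e = { NULL, 0 };
    int result = -1;

    if (env_write_safe(&e, 0, "abc", 3) == 3 &&
        env_write_safe(&e, 3, "xyz", 3) == 3 &&
        e.len == 6 && memcmp(e.value, "abcxyz", 6) == 0)
        result = e.len;
    free(e.value);
    return result;
}

int main(void)
{
    unsigned long huge = (unsigned long)-256;   /* wraps when added to a small n */

    printf("flawed check, offset=%lu n=16: %d\n", huge, flawed_check_passes(huge, 16));
    printf("safe   check, same request:     %d\n", safe_check_passes(huge, 16));
    printf("safe write demo: len=%d\n", demo_safe_write());
    return 0;
}
```

The flawed check accepts the wrapped request because the negative int compares below Maxenvsize, while the corrected check rejects it before any arithmetic on the offset is trusted; the conversion of an out-of-range value to int is implementation-defined in C, and the model relies on the modulo behaviour gcc and clang provide.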

