Dailydave mailing list archives
Wow, free kernel zero day?
From: Don Bailey <don.bailey () gmail com>
Date: Tue, 27 Feb 2007 14:43:26 -0700
I know, I know. You can't believe I didn't sell this to
Simon at SNOsoft (or former SNOsoft or whatever) and I
can't either! I, too, want hundreds of thousands of
dollars in zero day earnings!
But, don't get too excited yet! This code exploits a
kernel bug for Plan 9, and you probably don't even
run Plan 9! The fun part is that lots of government
labs and corporate R&D facilities do.
But (yes, another but) I'm not such a terrible guy. I
waited until the bug was patched in the Plan 9 tree.
I wonder who fed the bunny? Hmmm...
Anyway, this was a great bug and lasted for quite a while
in private. Not to mention, it was probably the most
elegant kernel bug I've ever found... thanks to this code:
```c
envwrite(Chan *c, void *a, long n, vlong off)
{
	char *s;
	int vend;               /* signed */
	Egrp *eg;
	Evalue *e;
	ulong offset = off;     /* vlong narrowed to ulong */

	if(n <= 0)
		return 0;
	vend = offset+n;        /* unsigned sum stored in a signed int; can wrap negative */
	if(vend > Maxenvsize)   /* a negative vend passes this check */
		error(Etoobig);
	...
```
Hmmm... what if we do this a couple lines later:
```c
	if(vend > e->len) {     /* a negative vend passes here too */
		...
	}
	memmove(e->value+offset, a, n);   /* offset is still the large, unchecked ulong */
```
The best part is that we can truncate e->value to
zero which basically allows us to write kernel
memory at exact addresses! No hassle, no waiting.
Snazzy.
Enjoy:
http://kernelspace.us/itheft.c
Don Bailey
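The type mismatch the post points at, as an added example that is neither the post's code nor the Plan 9 source: the bounds check written with the posted types, beside a hardened form that bounds offset and length separately in unsigned arithmetic. The Maxenvsize value, the function names and the sample inputs are assumptions constructed for the demonstration.

```c
#include <stdio.h>

/* Constructed stand-in for the kernel constant (the real value lives in Plan 9's env.c). */
#define MAXENVSIZE 16300

/* Mirrors the check in the posted envwrite(): vend is a signed int and offset an
 * unsigned long, so offset+n can wrap to a negative value that passes both
 * "vend > Maxenvsize" and "vend > e->len". Returns 1 if the write would be accepted.
 * (Storing an out-of-range unsigned value in an int is implementation-defined;
 * mainstream compilers truncate modulo 2^32, which is what this relies on.) */
int check_as_posted(unsigned long long off, long n, int len)
{
	int vend;
	unsigned long offset = (unsigned long)off;  /* vlong silently narrowed to ulong */

	if (n <= 0)
		return 0;
	vend = offset + n;          /* unsigned sum stored into a signed int */
	if (vend > MAXENVSIZE)      /* negative vend sails through */
		return 0;
	if (vend > len) {
		/* the posted code resizes the value here; elided in the mail */
	}
	return 1;                   /* memmove(e->value+offset, a, n) would now run */
}

/* Hardened form (added here; not a claim about the actual Plan 9 fix): reject an
 * offset beyond the limit first, then compare n against the remaining room, all in
 * unsigned arithmetic, so no sum can wrap before it is checked. */
int check_hardened(unsigned long long off, long n, int len)
{
	(void)len;
	if (n <= 0)
		return 0;
	if (off > MAXENVSIZE || (unsigned long long)n > MAXENVSIZE - off)
		return 0;
	return 1;
}

int main(void)
{
	/* constructed inputs: an in-range write and an offset near 2^32 */
	printf("posted   in-range: %d  wrapped: %d\n",
	       check_as_posted(0, 100, 0), check_as_posted(0xFFFFFF00ULL, 16, 0));
	printf("hardened in-range: %d  wrapped: %d\n",
	       check_hardened(0, 100, 0), check_hardened(0xFFFFFF00ULL, 16, 0));
	return 0;
}
```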
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave