Linux 2.X pipe() NULL ptr deref/race local root exploit (RHEL 5.4 x64)

Watch in HD Fullscreen :)

Back again with yet another linux exploit. For time purposes I'm only demonstrating it on RHEL 5.4, but if you look on my twitter you can see screenshots of it working on every distro mentioned in the video. It'll work on everything else too, I just don't have the VMs installed. Every version of Linux I can get my hands on is vulnerable.

Initially the title of this video stated the exploit was SMP-only. That's not the case -- some single-processor systems with PREEMPT enabled are also capable of winning the race, leading to compromise.

Mitigation:
Make sure you have mmap_min_addr enabled on your machines and that it can't be bypassed. To test if mmap_min_addr can be bypassed or is disabled or not present on your machine, download enlightenment and run ./run_null_exploits.sh You don't have to choose any particular exploit -- it will attempt to mmap at NULL by any means possible and report the success or failure. Unlike with sock_ops there is no workaround for this vulnerability -- so it's time to bite the bullet and upgrade to a kernel that protects against this specific class of bugs in general. Workarounds have never been a long-term solution.

This exploit was written within an hour on October 22nd 2009.

Category:

Comedy

Tags:

• linux
• redhat
• selinux
• root exploit
• 0day

License:

Standard YouTube License