Monday 9 November 2009

Non-exploitable vulnerabilities at source code level

I am writing a small article describing a kind of vulnerability that can be used against Linux Kernel.
This is due gcc and its optimization procedures, in some cases, make some source code buggy.
Furthermore, in this case, if SELinux is enabled, the system becomes weaker.

The vulnerability is described here (by Brad Spengler) and it can be exploited in Linux Kernel 2.6.30+/RHEL5 2.6.18 in /dev/net/tun.
The implmentation (was, before being fixed):

struct sock *sk = tun->sk; // initialize sk with tun->sk

if (!tun)
return POLLERR; // if tun is NULL return error

As tun is dereferenced (to use tun->sk) the compiler assumes that tun is non NULL, so it removes the check for tun against NULL.
Avoiding the initial crash caused to bad initialization (using mmap and SELinux), it is possible to exploit the Kernel because there is no check against tun.

I can point You all to this blog, in which are described a lot of vulnerabilities (also silently fixed ones).
Milw0rm is another source of exploit notices.

No comments: