Monday, 23 November 2009

MIT Open Course Ware

MIT OpenCourseWare is a web-based repository of MIT university course materials.
It is free, it doesn't require any registration. Obviously, you can't get any certificate or degree!



Others universities all over the world are sharing Course Materials: official ones are those affiliated to the Open Course Ware Consortium.

A great step towards education for all people is to make content and knowledge available for free and the smoothest way possible.

Contents are available as lecture notes, exams, videos, audio files...

It is also possible to contriute on this activity, translating contents in non-english languages or use them (giving the proper attribution to the original MIT Faculty Author/s).
Contents are released in Creative Commons BY-NC-SA License.

Monday, 9 November 2009

Non-exploitable vulnerabilities at source code level

I am writing a small article describing a kind of vulnerability that can be used against Linux Kernel.
This is due gcc and its optimization procedures, in some cases, make some source code buggy.
Furthermore, in this case, if SELinux is enabled, the system becomes weaker.

The vulnerability is described here (by Brad Spengler) and it can be exploited in Linux Kernel 2.6.30+/RHEL5 2.6.18 in /dev/net/tun.
The implmentation (was, before being fixed):

struct sock *sk = tun->sk; // initialize sk with tun->sk

if (!tun)
return POLLERR; // if tun is NULL return error

As tun is dereferenced (to use tun->sk) the compiler assumes that tun is non NULL, so it removes the check for tun against NULL.
Avoiding the initial crash caused to bad initialization (using mmap and SELinux), it is possible to exploit the Kernel because there is no check against tun.

I can point You all to this blog, in which are described a lot of vulnerabilities (also silently fixed ones).
Milw0rm is another source of exploit notices.