Monday, November 9, 2009

Linux 2.6.x fs/pipe.c local root exploit

For those who were not yet aware, there have been at least three public exploits
since 11/05/2009 for CVE-2009-3547, targeting *all* Linux kernels from
2.6.0 to 2.6.31 inclusive. Since spender and fotis have already released
their own, there is no need for us to keep ours on our hard drive.
ImpelDown.c is a PoC that tries to exploit the NULL pointer dereference in fs/pipe.c
on *all* Linux kernels from 2.6.0 to 2.6.31, and ImpelDown-2.6.31only.c
targets only Linux kernel version 2.6.31 (tested and confirmed working with
mmap_min_addr set to 0).
If you were writing your own, you will already have noticed that there is a
subtle difference between the way you can own kernels 2.6.0 up to 2.6.10 and
kernels 2.6.11 up to 2.6.31: in the former, the NULL pointer dereference leads
to an arbitrary write anywhere in the kernel, since you have control
over the destination address of
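To make the 2.6.11 to 2.6.31 side of that difference concrete, here is an added user-space model of the fs/pipe.c bug and of the shape of the upstream fix. It is not code from the post, from ImpelDown, or from the kernel: the struct layouts, the mutex and the release/open functions are simplified stand-ins that keep only the logic the race depends on. The scenario it builds is the losing side of the race: both ends of a pipe are closed, so pipe_release() tears the pipe down and leaves the inode with i_pipe == NULL, and then pipe_read_open() runs on that inode (in the kernel, via a concurrent open() of /proc/<pid>/fd/N). The 2.6.31-shaped open dereferences i_pipe blindly, so the readers++ lands a few bytes into page 0; the fixed shape checks i_pipe under i_mutex and fails with -ENOENT. The vulnerable path runs in a forked child so the crash stands in for the kernel oops.

```c
/* Added example: user-space model of the CVE-2009-3547 race in fs/pipe.c.
 * Not kernel code; struct layouts and fd plumbing are simplified stand-ins.
 * Build: cc -pthread pipe_race_model.c -o pipe_race_model */
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for struct pipe_inode_info: only the counters the race touches. */
struct pipe_inode_info {
	unsigned int readers;
	unsigned int writers;
};

/* Stand-in for the pipefs inode; i_pipe is what the last release clears. */
struct inode {
	pthread_mutex_t i_mutex;
	struct pipe_inode_info *i_pipe;
};

/* Mirrors free_pipe_info(): frees the pipe and NULLs the inode's pointer. */
static void free_pipe_info(struct inode *inode)
{
	free(inode->i_pipe);
	inode->i_pipe = NULL;
}

/* Mirrors pipe_release(): drop the counts, free when the last end closes. */
static void pipe_release(struct inode *inode, int decr, int decw)
{
	pthread_mutex_lock(&inode->i_mutex);
	inode->i_pipe->readers -= decr;
	inode->i_pipe->writers -= decw;
	if (!inode->i_pipe->readers && !inode->i_pipe->writers)
		free_pipe_info(inode);
	pthread_mutex_unlock(&inode->i_mutex);
}

/* Shape of pipe_read_open() in 2.6.31: i_pipe is dereferenced unconditionally.
 * With i_pipe == NULL the increment hits offsetof(readers) inside page 0,
 * which is attacker-mapped memory when mmap_min_addr is 0. */
static int pipe_read_open_vuln(struct inode *inode)
{
	pthread_mutex_lock(&inode->i_mutex);
	inode->i_pipe->readers++;
	pthread_mutex_unlock(&inode->i_mutex);
	return 0;
}

/* Shape of the upstream fix: test i_pipe under i_mutex, fail with -ENOENT. */
static int pipe_read_open_fixed(struct inode *inode)
{
	int ret = -ENOENT;

	pthread_mutex_lock(&inode->i_mutex);
	if (inode->i_pipe) {
		ret = 0;
		inode->i_pipe->readers++;
	}
	pthread_mutex_unlock(&inode->i_mutex);
	return ret;
}

/* Open one reader and one writer, then close both: the inode is left with
 * i_pipe == NULL, the state a racing open() finds after the last close. */
static void set_up_released_inode(struct inode *inode)
{
	pthread_mutex_init(&inode->i_mutex, NULL);
	inode->i_pipe = calloc(1, sizeof(*inode->i_pipe));
	if (!inode->i_pipe)
		abort();
	inode->i_pipe->readers = 1;
	inode->i_pipe->writers = 1;
	pipe_release(inode, 1, 0);	/* close the read end */
	pipe_release(inode, 0, 1);	/* close the write end: frees i_pipe */
}

/* Run the vulnerable open in a child so its crash stands in for the oops.
 * Returns the signal that killed the child, 0 if it survived, -1 on error. */
static int vuln_open_on_released_inode(void)
{
	struct inode inode;
	int status;
	pid_t pid;

	set_up_released_inode(&inode);
	pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		pipe_read_open_vuln(&inode);
		_exit(0);
	}
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Same torn-down inode through the fixed path: -ENOENT, no dereference. */
static int fixed_open_on_released_inode(void)
{
	struct inode inode;

	set_up_released_inode(&inode);
	return pipe_read_open_fixed(&inode);
}

int main(void)
{
	printf("vulnerable open on released inode: killed by signal %d\n",
	       vuln_open_on_released_inode());
	printf("fixed open on released inode: ret=%d (-ENOENT is %d)\n",
	       fixed_open_on_released_inode(), -ENOENT);
	return 0;
}
```

In the real kernel the write does not fault: with mmap_min_addr at 0 the exploit has already mapped page 0, so the readers++ lands in attacker-controlled memory and the rest of the pipe code then runs on a pipe_inode_info the attacker fabricated. The model only shows where the dereference goes and why the NULL check under i_mutex closes the window.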


More info and exploit
