Comments on Project Zero: The poisoned NUL byte, 2014 edition
(Blogger comment feed, 23 comments, feed last updated 2024-03-28; newest first)

taviso, 2015-08-01 09:21 -07:00
Thanks, but you don't need to explain the difference between system and execve to us ;-)

It's being called via a corrupted tls_dtor_list, so execve does not match the required prototype, it couldn't be used here.

rnystery, 2015-07-14 13:26 -07:00
And the flag is actually "-p", not "-r".

Anonymous, 2015-02-15 04:03 -08:00
I've only recently switched to Debian. I don't much care for dash, but it doesn't figure in anyway.

If you want to avoid /bin/sh -> bash dropping privs right away, use exec*() instead of system(), bypassing /bin/sh, going straight to sush, which does a setreuid() and throws you to bash with proper root privs. Or just skip all that and take the example of sush.c as intended and call setreuid (or setuid) before system, which will let you keep root. Which was the point of my post.

(If we could edit posts, the post above would still be there. Here's what I added.)

If I understand step 8 correctly, you're overwriting two atexit destructors with pointers to chroot and system to get root regardless of what /bin/sh you have on the system. Instead, you can overwrite with pointers to set(re)uid and system/exec. So system's implicit /bin/sh -c call doesn't matter at all.

Anonymous, 2015-02-15 03:42 -08:00
This comment has been removed by the author.

Anonymous, 2014-12-30 08:40 -08:00
Good site.

Jared, 2014-09-17 14:33 -07:00
PLEASE stop reporting all of the jailbreak usable bugs PLEASE

Anonymous, 2014-09-01 02:45 -07:00
Your post is really good providing good information. I liked it and enjoyed reading it. Keep sharing such important posts.
Bulk SMS Hyderabad (http://bulksmshyderabad.co.in/)

g05u, 2014-08-31 08:51 -07:00
Is tls_dtor_list not ciphered with xor?

0xBigBan, 2014-08-29 09:06 -07:00
This comment has been removed by the author.

Kyle, 2014-08-28 17:32 -07:00
They don't actually overwrite each other. The heap allocations are just pushed to the other side of the stack.

Saint Crusty, 2014-08-28 01:47 -07:00
Thanks for the informative and educational article as well as the educated comments.

With regards to the comment on using musl-libc, can someone care to inform about its adoption? Does seem like an interesting project but I'm a bit skeptic, given this is a project running in parallel to mainstream libc it will offer its own set of limitations and imperfections?

taviso, 2014-08-27 16:54 -07:00
Thanks Hanno!

me, 2014-08-27 15:23 -07:00
gael dellaleau pointed this out several years ago. Sometime during the 2.6 kernel Linus added a single guard page to separate stack from heap. On current Linux you need to find a way to skip your pointer past the size of a page and hope that whatever you're using doesn't touch the page in order to collide them.

Anonymous, 2014-08-27 14:38 -07:00
Just an addition, I've reported the memory leak in pkexec to the upstream devs and it's now fixed in their git code:
https://bugs.freedesktop.org/show_bug.cgi?id=83093
Also seems glibc code is now patched, too:
https://sourceware.org/bugzilla/show_bug.cgi?id=17187

Anonymous, 2014-08-27 11:33 -07:00
That's why you should use musl libc http://www.musl-libc.org/
glibc is bloated garbage

I recommend the Linux distribution "Alpine Linux" that uses the musl libc

Anonymous, 2014-08-27 08:33 -07:00
The author wrote:

... The effect of all these command line arguments is to
... bloat both the stack (which grows down) and the heap
... (which grows up) until they crash into each other.
... In response to this collision, the next heap
... allocations actually go above the stack, in the small
... space between the upper address of the stack and
... the kernel space at 0xc0000000.

Why is this not an even more serious bug? Does not every piece of code have the duty to maintain the integrity of its own data structures?

Not testing for a stack/heap collision of course means faster running code, but most of these kinds of security exploits are possible because a desire for speed and efficiency is trumping integrity/security. By allowing the stack and heap to collide, the kernel, or the design of the call stack, or whatever seems as negligent as the original off-by-1 error in glibc.

taviso, 2014-08-27 08:25 -07:00
You're mistaken. Bash cannot regain privileges it has already dropped, that would be a serious bug.

Think about it like this, when you do system("bash -r"), you're actually doing execve("sh -c 'bash -r'"), the second shell can't ask for the privileges back that the first shell gave up!

Robert Larsen, 2014-08-27 05:20 -07:00
/bin/bash -r
... keeps privileges if I'm not mistaken

Anonymous, 2014-08-26 23:29 -07:00
A factor in this exploit is the repeated -u allowed by sloppy argument processing. Maybe by default in getopt() each option should be allowed only once unless indicated otherwise.

Another use of massively repeated arguments is in my article:
http://www.zen19351.zen.co.uk/article_series/find_xargs_rm.html

taviso, 2014-08-26 09:59 -07:00
Yes, although I've only tested with an unconfined (default) user.

taviso, 2014-08-26 09:58 -07:00
That wouldn't work, by the time your code runs privileges will already have been dropped. Just setuid(0) is enough if your code is running first, but that isn't the case here.

I suspect you might be a Debian or Ubuntu user which is a bit different, because /bin/sh is not bash. I wrote a bit about that here http://blog.cmpxchg8b.com/2013/08/security-debianisms.html.

Nephilim, 2014-08-26 07:35 -07:00
Well done. Impressive. Many thanks for sharing.

I have a question. Does this exploit work, if SELinux has been enabled (default setting)?

Anonymous, 2014-08-25 21:30 -07:00
Alternative to Step 8, bypassing bash's forced priv dropping when run setuid root:

http://pegasus.pimpninjas.org/code/C/sush.c

I specifically wrote this to bypass this behavior.
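The thread above argues about two separate things: why the overwritten tls_dtor_list entries point at chroot and system rather than execve (the slot takes one pointer argument), and why a bash reached through system() from a setuid-root process ends up unprivileged unless the real and effective uids already match (bash without -p resets euid to uid). The following is an added example, not code from the Project Zero post, from sush.c or from any commenter. It models the destructor slot with a hypothetical struct dtor_entry (field names are assumptions, not glibc's), dispatches chroot and system through it, and exposes the uid/euid condition and the set(re)uid-before-system fix as small functions so they can be checked without root. Run it unprivileged: nothing in it needs root, and the chroot call is expected to fail with EPERM.

```c
/* Added example, not from the Project Zero post or the commenters.
 * Models the one-argument destructor slot that a corrupted tls_dtor_list
 * entry is called through, shows why system() and chroot() fit it while
 * execve() cannot, and checks the uid/euid condition under which a
 * system()-spawned bash drops privileges.
 * Build: cc -Wall -o dtor_slot dtor_slot.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical stand-in for a destructor-list node: invoked as func(obj),
 * one pointer argument, return value ignored. system(const char *) and
 * chroot(const char *) can be called that way; execve(path, argv, envp)
 * needs three arguments and cannot. */
typedef void (*dtor_func)(void *);
struct dtor_entry {
    dtor_func func;
    void *obj;
};

/* Walk the entries the way a destructor-list runner would. Casting system
 * or chroot to dtor_func is undefined behaviour in ISO C; the technique
 * relies on the platform calling convention tolerating the ignored int
 * return value. */
static void run_dtor_list(const struct dtor_entry *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        list[i].func(list[i].obj);
}

/* system(cmd) is /bin/sh -c cmd; return the command's exit status so the
 * effect of a slot call can be observed directly. -1 on failure. */
int shell_exit_status(const char *cmd)
{
    int st = system(cmd);
    if (st == -1 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* bash started with euid != uid and without -p resets euid to uid, so a
 * system("bash") from a setuid-root binary keeps root only if the ids were
 * already aligned before /bin/sh was spawned. Returns 1 if a bash started
 * from this process right now would drop privileges. */
int bash_would_drop_privs(void)
{
    return getuid() != geteuid();
}

/* The fix the commenters describe: set(re)uid before system(). Returns 0 on
 * success. When uid == euid already this is a no-op that still succeeds. */
int align_ids(void)
{
    return setreuid(geteuid(), geteuid());
}

/* Simulate the overwritten list: chroot first, then system, both through
 * the void(*)(void*) slot. Returns the number of entries dispatched. */
int dispatch_overwritten_list(const char *cmd)
{
    struct dtor_entry list[] = {
        { (dtor_func)chroot, "/" },        /* unprivileged: EPERM, harmless */
        { (dtor_func)system, (void *)cmd },
    };
    run_dtor_list(list, sizeof list / sizeof list[0]);
    return (int)(sizeof list / sizeof list[0]);
}

int main(void)
{
    printf("uid=%d euid=%d, bash would drop privs: %s\n",
           (int)getuid(), (int)geteuid(),
           bash_would_drop_privs() ? "yes" : "no");
    printf("align_ids() -> %d\n", align_ids());
    printf("shell_exit_status(\"exit 3\") -> %d\n", shell_exit_status("exit 3"));
    dispatch_overwritten_list("echo slot call reached /bin/sh -c");
    return 0;
}
```

On a stock Fedora-style system where /bin/sh is bash, bash_would_drop_privs() is the whole story for step 8: if it returns 1 at the moment system() runs, the spawned shell is unprivileged no matter what is passed to it. Where /bin/sh is dash, as on Debian and Ubuntu, the first shell does not apply that check, which is the difference taviso refers to.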