Slashdot: News for Nerds


139 comments

Easy and concise (5, Funny)

Lord Grey (463613) | more than 4 years ago | (#31838954)

TFA is an extremely well-written, easy-to-follow tutorial. I "played along at home" (well, at work, actually) as the author recommended and exploited a system on the first try. Great stuff!

Hang on, one of our SysAdmins wants to talk to me about something.

BRB

Re:Easy and concise (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31839352)

Cool story, bro!


I Know How To Do It (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31838964)

How to turn any NULL pointer into a root exploit

Use it to install Windows?

Re:I Know How To Do It (2, Funny)

Anonymous Coward | more than 4 years ago | (#31838998)

What a bad attempt at trolling. You could make various funny posts involving Windows and security, and this is what you came up with? Up your game, mister.

Re:I Know How To Do It (0)

Anonymous Coward | more than 4 years ago | (#31839200)

Be the change you want to see in the world.

Re:I Know How To Do It (3, Funny)

Stupid McStupidson (1660141) | more than 4 years ago | (#31839256)

Well, I upped my game. Now up yours.

Re:I Know How To Do It (1)

selven (1556643) | more than 4 years ago | (#31840526)

I tried to up my game, but instead I just lost it.


Exceptons? (4, Informative)

mccalli (323026) | more than 4 years ago | (#31839046)

"Ever wondered what was so bad about NULL pointer exceptions?..."

Nothing. Because if they're an exception, they've been safely caught by the platform's exception handling mechanism. This article isn't about exceptions, it's about dereferencing your actual raw NULL pointers themselves in languages that either don't have the exception mechanism or where it simply hasn't been used.

Cheers,
Ian

Re:Exceptons? (4, Insightful)

shutdown -p now (807394) | more than 4 years ago | (#31839128)

Nothing. Because if they're an exception, they've been safely caught by the platform's exception handling mechanism. This article isn't about exceptions, it's about dereferencing your actual raw NULL pointers themselves in languages that either don't have the exception mechanism or where it simply hasn't been used.

Actually, most JIT-based VMs don't do explicit null checks, but rather let the OS signal access violation (as it is supposed to be guaranteed for NULL pointers, unlike dangling or garbage ones), and if it happens, wrap it into the language-specific exception - it's much faster than explicit checks for every pointer dereference.

Re:Exceptons? (0)

Anonymous Coward | more than 4 years ago | (#31839346)

Nothing you said contradicts the GP.

Re:Exceptons? (5, Informative)

Chris Burke (6130) | more than 4 years ago | (#31839418)

Besides, the article is actually about NULL pointer dereferences within the kernel, where niceties like language-based exception handling mechanisms are often hard to come by. So the language you write your application code is immaterial.

Also not just any dereference will do, it has to be a function pointer dereference.

And recent kernels have protection against mmap()ing page 0.

However the author has a good point that both NULL function pointer calls in the kernel and hackers getting around the mmap() protection have happened before. So while you can't exactly exploit any Linux system using the procedure he describes (several critical components require you to already have root :P) it does sound like a weakness.

Re:Exceptons? (3, Interesting)

Hurricane78 (562437) | more than 4 years ago | (#31839688)

But then it is not an exploit, since the kernel always is root anyway.

Re:Exceptons? (4, Informative)

Chris Burke (6130) | more than 4 years ago | (#31839804)

But then it is not an exploit, since the kernel always is root anyway.

As given, no, the procedure is not a working exploit for any meaningful definition ("I'm teh 1337 hacks-zor! I r00ted my home desktop!")

However, if you could identify a case where the kernel dereferenced a NULL function pointer, and if you could get around the kernel's mmap() protection (neither implausible), then you can get the kernel to run your code using its privilege level. Meaning you can get root for yourself. And then yes indeedy you have an exploit.

Re:Exceptons? (2)

raftpeople (844215) | more than 4 years ago | (#31841316)

If you have the keys to the server room, and if you notice a post-it note with the root password, then yes indeedy you have an exploit.

Re:Exceptons? (1)

micheas (231635) | more than 4 years ago | (#31841784)

If you have the keys to the server room, and if you notice a post-it note with the root password, then yes indeedy you have an exploit.

Especially if you have an 18 wheeler and a fork lift.

Re:Exceptons? (1)

shentino (1139071) | more than 4 years ago | (#31840650)

It's an exploit of the kernel, not the application.

Re:Exceptons? (1)

Angst Badger (8636) | more than 4 years ago | (#31839876)

Besides, the article is actually about NULL pointer dereferences within the kernel, where niceties like language-based exception handling mechanisms are often hard to come by. So the language you write your application code is immaterial.

Exception handling is immaterial anyway. It's not like you need language support for exceptions to check the value of an untrusted pointer against the NULL constant.

And yes, it's nice to have your tools do that for you, but odds are that if you're that sloppy to begin with, it won't take you long to introduce a vulnerability that no language constraint or compiler/interpreter toolchain can catch.

Re:Exceptons? (2, Interesting)

Chris Burke (6130) | more than 4 years ago | (#31839936)

Exception handling is immaterial anyway. It's not like you need language support for exceptions to check the value of an untrusted pointer against the NULL constant.

Yeah but constantly checking sucks, as does recovery.

Personally I use the method described by the uh... GGP? The dude what I first replied to. Basically, I refrain from using root access to tell the OS to let me map page 0, and then refrain from mmap()ing page 0. Then I let the hardware detect the illegal access for me. =D

Re:Exceptons? (4, Insightful)

eparis (1289526) | more than 4 years ago | (#31840186)

He demonstrates the simplest easiest to understand case, that of a NULL function pointer. But it really can extend to reads and writes of a NULL pointer as well (not always but often). If you can make the kernel read data from a NULL pointer you would be able to trick the kernel into reading a fake struct that you placed at NULL. Maybe that fake struct had a function pointer which you can easily set to another userspace address and voila, win. Maybe the code will read that struct and then write somewhere else in memory based on the information in that struct. Simply make that write happen in a place you choose which might lead to an eventual NULL function pointer.

Any time the kernel accidentally dereferences a pointer (especially one outside of kernel space) and uses that data things can go bad. The mmap_min_addr checks were added to harden against the EXACT class of common bugs he describes and I'm saddened it was dismissed so out of hand.

Re:Exceptons? (1)

Chris Burke (6130) | more than 4 years ago | (#31840862)

If you can make the kernel read data from a NULL pointer you would be able to trick the kernel into reading a fake struct that you placed at NULL.

A pointer (that's NULL) pointing to a function, a pointer (that's NULL) pointing to a pointer to a pointer... It's all just pointer-chasing indirect function calls to me. :)

The mmap_min_addr checks were added to harden against the EXACT class of common bugs he describes and I'm saddened it was dismissed so out of hand.

Who dismissed it? The distros? The kernel devs?

Re:Exceptons? (0)

Anonymous Coward | more than 4 years ago | (#31841362)

Besides, the article is actually about NULL pointer dereferences within the kernel, where niceties like language-based exception handling mechanisms are often hard to come by.

Let's not beat around the bush, though. In the normal case (assuming address 0 hasn't been mapped) when you dereference NULL, it generates a page fault. That page fault can be termed an exception.

Really what people in this thread are trying to express is that these things passively rely on the CPU to generate the exception. (Via a page fault which the kernel can handle and either deliver to a user process or panic.)

Re:Exceptons? (2, Insightful)

sopssa (1498795) | more than 4 years ago | (#31839226)

it's about dereferencing your actual raw NULL pointers themselves in languages that either don't have the exception mechanism or where it simply hasn't been used.

But if this gains you root access without you actually having it, it's a fault in the OS security. You can't rely on programming languages to protect against such methods.

Re:Exceptons? (2, Insightful)

0123456 (636235) | more than 4 years ago | (#31839396)

But if this gains you root access without you actually having it, it's a fault in the OS security. You can't rely on programming languages to protect against such methods.

Except you need root access in order to map page zero into your address space, and you generally need root access to configure the kernel so that it will allow root to map page zero into your address space (Wine in Ubuntu used to set the minimum mmap address to zero, I'm not sure whether it still does). So to get root access in this way you either need root access or multiple userspace vulnerabilities. And then you need a kernel flaw which executes code relative to a null pointer.

So while it's interesting and something developers should be aware of, it's not really a serious security threat in most cases; the last use of this exploit that I'm aware of required a kernel bug combined with a pulseaudio bug combined with an SELinux bug.

Re:Exceptons? (1)

prockcore (543967) | more than 4 years ago | (#31839544)

Except you need root access in order to map page zero into your address space

That's assuming there aren't any exploitable bugs that will allow you to map page zero. For example, a bug (that has since been fixed) existed where you could mmap a lot of memory and it would eventually fail and mmap page 0.

Re:Exceptons? (2, Informative)

maxwell demon (590494) | more than 4 years ago | (#31839874)

If there are exploitable bugs in the kernel, then those are the fault in OS security.

Not on embedded platforms (5, Interesting)

marcansoft (727665) | more than 4 years ago | (#31839264)

One of the many exploits that we've used to own the Wii (in fact, the very first runtime IOS exploit that we used, which I found and implemented) was a NULL pointer dereference bug, and it wasn't even a function pointer.

I wrote a detailed blog post [hackmii.com] about it recently. The short version is that they doubly dereference a near-NULL address and write to it, and NULL happens to be real physical memory that we control (call it 'insecure', if you will). The double dereference lets us direct the write anywhere, including the stack, and it's game over. That's the "usermode" exploit. Privilege escalation into the kernel is trivial because they have some huge kernel holes. The fact that they map the 'insecure' memory as executable (!) in every application makes it even easier.

Re:Not on embedded platforms (2, Insightful)

godrik (1287354) | more than 4 years ago | (#31840780)

I recall wondering whether you were the marcan from team twiizer or not. I guess I am sure now.

PS: you did an awesome job on the wii. thank you for it!

Re:Exceptons? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31841312)

In other words, you're another fucking idiot Java programmer who doesn't understand how things really work, but think you do.

Blue E and W icons (1)

X-Power (1009277) | more than 4 years ago | (#31839050)

Where can I find these on my Linux box? I can't follow along 'cause I seem to be stuck here.

Do I have to use a magnifying glass on the ram stick itself?

OS dependent (3, Informative)

mdf356 (774923) | more than 4 years ago | (#31839076)

This is very OS dependent.

For example, on AIX on POWER, page 0 in both real and virtual addressing modes is readable by all and writable by none. So a read from a NULL pointer produces junk data (actually interrupt machine code) and a write is fatal.

Re:OS dependent (4, Informative)

hrimhari (1241292) | more than 4 years ago | (#31839378)

Sorry to point out the redundancy, but the summary seems clear enough with its "how to turn any NULL pointer into a root exploit on Linux".

Re:OS dependent (4, Interesting)

Imagix (695350) | more than 4 years ago | (#31839588)

But it's a bad summary. They missed the rather critical phrase "how to turn any NULL pointer dereference in the kernel into a root exploit". This isn't about any NULL pointer.

Re:OS dependent (3, Funny)

Megaweapon (25185) | more than 4 years ago | (#31839628)

But it's a bad summary.

java.lang.RedundantSlashdotObservationException

Re:OS dependent (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31839634)

Furthermore, you also have to turn off the kernel protection to do it.

Re:OS dependent (1)

maxwell demon (590494) | more than 4 years ago | (#31839782)

It's not even about any NULL pointer dereference in the kernel. It's only about those used for calling functions through function pointers.

Re:OS dependent (1)

hrimhari (1241292) | more than 4 years ago | (#31839834)

I dunno. One of the key pieces of info in the article is the possibility to map NULL to a real memory space. That's precisely what was missing in my idea of how the NULL pointer exploits work.

Re:OS dependent (1)

cortana (588495) | more than 4 years ago | (#31839896)

Pfft. It says, right there, "on Linux". What else could that possibly mean? :)

Re:OS dependent (1)

dudpixel (1429789) | more than 4 years ago | (#31841202)

But it's a bad summary.

That too is redundant here...

Re:OS dependent (0)

Anonymous Coward | more than 4 years ago | (#31839516)

Indeed. In fact, this exploit is so OS dependent that even the author of this article wrote the following:

In order to allow you to play along at home, I've prepared a trivial kernel module that will deliberately cause a NULL pointer dereference

In this case this particular hack is so dependent on the OS that it has to run on a custom purpose-built OS in order to run.

Re:OS dependent (2, Interesting)

russotto (537200) | more than 4 years ago | (#31840674)

So a read from a NULL pointer produces junk data (actually interrupt machine code) and a write is fatal.

IIRC, the first two words of the AIX page 0 are 0xdeadbeef 0xbadfca11. Because of the way the AIX function pointers work, calling page 0 results in the PC being set to 0xdeadbeef and R2 to 0xbadfca11, and the register dump (for the misaligned PC) immediately tells you what you did wrong. (The reason AIX page 0 is readable is for a specific compiler optimization -- the case "if (foo && *foo)" and its cousins. If page 0 is guaranteed readable, the short circuit can be ignored and a branch avoided)

As for " how to turn any NULL pointer into a root exploit"... not. First you have to be able to map page zero, and then the NULL pointer read must be a function pointer. The author says "it's quite common that a NULL pointer dereference is, or can be easily turned into, a NULL function pointer dereference", but that seems a bit handwavy to me.

Assumes a CALL to the NULL ptr (not any reference) (3, Interesting)

NumberField (670182) | more than 4 years ago | (#31839144)

I was intrigued by the ./ posting, which claimed that the tutorial would show how to exploit any NULL pointer dereference. The actual article, however, requires a CALL to the NULL pointer. While some NULL pointer bugs are function pointers, many are not. Kernel code that merely reads or writes data to a NULL pointer will not be exploitable as shown.

Re:Assumes a CALL to the NULL ptr (not any referen (4, Funny)

McNally (105243) | more than 4 years ago | (#31839216)

I was intrigued by the ./ posting, which claimed that the tutorial would show how to exploit any NULL pointer dereference. The actual article, however, requires a CALL to the NULL pointer.

For further context, see my whitepaper on how to turn any kdawson-posted Slashdot story into a NULL issue.

Re:Assumes a CALL to the NULL ptr (not any referen (0)

Anonymous Coward | more than 4 years ago | (#31839276)

even better, you need to do some incredibly dumb shit as root first. Next up: if you're logged in as root, su doesn't prompt for a password! security breach!!!!

Re:Assumes a CALL to the NULL ptr (not any referen (1, Informative)

Anonymous Coward | more than 4 years ago | (#31839560)

even better, you need to do some incredibly dumb shit as root first. Next up: if you're logged in as root, su doesn't prompt for a password! security breach!!!!

It assumes that the hacker would be able to find an exploit so that no root would be necessary:

While mmap_min_addr does provide some protection against these exploits, attackers have in the past found numerous ways around this restriction. In a real exploit, an attacker would use one of those or find a new one, but for demonstration purposes it’s easier to just turn it off as root.

Re:Assumes a CALL to the NULL ptr (not any referen (0)

Anonymous Coward | more than 4 years ago | (#31839426)

I was intrigued by the ./ posting, which claimed that the tutorial would show how to exploit any NULL pointer dereference.

Actually, it claimed that the tutorial would show how to exploit any NULL pointer. Yes, that's right, using a NULL to mean "no object here" is automatically insecure no matter how carefully you check before using it.

Re:Assumes a CALL to the NULL ptr (not any referen (0)

Anonymous Coward | more than 4 years ago | (#31840546)

Directly writing data to a NULL pointer is not enough for an exploit, but if the NULL pointer is to a struct which contains a second pointer, and it modifies what lies behind that pointer-- rather common-- it's not too hard to own the kernel.

Is the kernel address mapping part still true? (1)

cant_get_a_good_nick (172131) | more than 4 years ago | (#31839152)

from the article

For various reasons, that’s not quite how it works. It turns out that switching between address spaces is relatively expensive, and so to save on switching address spaces, the kernel is actually mapped into every process’s address space, and the kernel just runs in the address space of whichever process was last executing.

I thought the BigMem kernel patches a few years back put the kernel in its own VM, with minimal copying into userspace VM space, or am I missing something?

Re:Is the kernel address mapping part still true? (1)

thoughtsatthemoment (1687848) | more than 4 years ago | (#31839280)

Yeah, shouldn't the switch be easily taken care of by a base register?

Re:Is the kernel address mapping part still true? (5, Informative)

Chris Burke (6130) | more than 4 years ago | (#31839526)

Yeah, shouldn't the switch be easily taken care of by a base register?

Well it is. On x86 systems, the intuitively named Control Register 3 is a pointer to the base of the page tables. From a software point of view, switching address spaces is as easy as writing CR3.

From a hardware point of view, that act has additional implications. You have to flush the TLBs, which sucks royal if it happens on every system call. If you have linearly tagged caches (or any other linearly tagged structure) then you'll have to flush those too. There are ways to partially mitigate these effects, but since you can't rely on them being there it's best to just avoid CR3 writes as much as possible -- which means there's less reason to implement the necessary widgets.

Re:Is the kernel address mapping part still true? (2, Interesting)

Chris Burke (6130) | more than 4 years ago | (#31839296)

I thought the BigMem kernel patches a few years back put the kernel in its own VM, with minimal copying into userspace VM space, or am I missing something?

I don't know what that patch did (BigMem implies something like using 2MB pages, but what's in a name?), but I do know that the author is right about address space switches being expensive and not something you'd want to do on every system call, or any system call that is expected to return control to the same process for that matter.

In practice I don't ever see CR3 writes ( CR3 points to the root of the page table, so writing it is how you switch address spaces) in system calls. Though I am not sure exactly what kernel rev or patch level the benchmark traces are taken from. Still, sounds like it's probably right to me.

Re:Is the kernel address mapping part still true? (1)

maxwell demon (590494) | more than 4 years ago | (#31839562)

Why should a change of the page table be needed? All you need are separate segments for kernel and user mode. Since pointers are relative to the corresponding segment, the kernel segment address 0 would be completely different from the user mode address 0 (and should be in reserved kernel space).

Re:Is the kernel address mapping part still true? (1)

0123456 (636235) | more than 4 years ago | (#31839714)

Why should a change of the page table be needed? All you need are separate segments for kernel and user mode.

For a start, because code segments no longer exist in x86_64.

Re:Is the kernel address mapping part still true? (1)

maxwell demon (590494) | more than 4 years ago | (#31839838)

For a start, because code segments no longer exist in x86_64.

I didn't know that. That was IMHO a bad move by AMD.

Re:Is the kernel address mapping part still true? (1)

0123456 (636235) | more than 4 years ago | (#31840006)

I didn't know that. That was IMHO a bad move by AMD.

Yeah, I tend to agree, but they probably thought that removing them was a step forward (or needed the bits in the instruction for something else).

Re:Is the kernel address mapping part still true? (2, Informative)

Chris Burke (6130) | more than 4 years ago | (#31839732)

Why should a change of the page table be needed?

It's not needed if you map your kernel into the application's page tables. ;)

All you need are separate segments for kernel and user mode.

1) Segmentation is essentially non-existent* in 64-bit mode.
2) Segmentation sucks. Always has, always will. That's why even in 32-bit mode most segments are made with base 0 and max limit, and processors are optimized for this case.
3) Okay, so you switch your CS and DS segments when you go into kernel mode (well actually you do anyway, but they're non-base-zero in this case). That's great, but you still need to map your linear address (linear = virtual address + segment base) to a physical address. So you either need to write to CR3 to use the kernel's page table, or you need to map your kernel's memory into the user's page table.

* Ask VmWare about the non-essentially existent remnants of segmentation.

Re:Is the kernel address mapping part still true? (1)

maxwell demon (590494) | more than 4 years ago | (#31840068)

1) Segmentation is essentially non-existent* in 64-bit mode.

That's a fact I was not aware of. And which I personally don't consider a good change.

2) Segmentation sucks. Always has, always will. That's why even in 32-bit mode most segments are made with base 0 and max limit, and processors are optimized for this case.

I strongly disagree. Segmented addressing got a bad name from the days of real mode (where the segment just gave an offset into memory, and segments were restricted to 64k) and 16 bit protected mode (where the 64k limit still applied). There it basically forced you to make pointless splits into different segments whenever you needed more than 64k, which made segmentation unnecessarily painful. However, in the scenario I described, you'd effectively have just four segments, user code/data and kernel code/data. That's not really hard to handle, especially since the code/data part is automatically handled by the processor.

3) Okay, so you switch your CS and DS segments when you go into kernel mode (well actually you do anyway, but they're non-base-zero in this case). That's great, but you still need to map your linear address (linear = virtual address + segment base) to a physical address. So you either need to write to CR3 to use the kernel's page table, or you need to map your kernel's memory into the user's page table.

Yes, the kernel memory would still be in the user's page table. But that doesn't matter because it's not in the user segments. Kernel code would have to explicitly distinguish between user mode access and kernel mode access (which IMHO is good). Kernel code would not accidentally execute user code, or access user data instead of kernel data.

Re:Is the kernel address mapping part still true? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31840656)

Yes, the kernel memory would still be in the user's page table. But that doesn't matter because it's not in the user segments. Kernel code would have to explicitly distinguish between user mode access and kernel mode access (which IMHO is good). Kernel code would not accidentally execute user code, or access user data instead of kernel data.

Actually the better solution was the Motorola 68k series: separate address spaces for kernel and user. To access user space memory from the kernel on behalf of applications, you use special forms of move instructions. This also gives the kernel access to all 32 bit physical address space (no need for high memory) and a full 4GB of virtual address space for every application. The 68k is dead, but I liked its MMU, at least the integrated versions (68040 and 68060). The PPC MMU is sometimes weird, but it also had good ideas, like using a huge virtual address space to map all virtual memory of the system, avoiding the need to flush TLB on context switches. The implementation of the hash table sucks; however, hash tables would have been fine for the higher levels, but the lower level should have been normal linear tables.

Re:Is the kernel address mapping part still true? (2, Interesting)

rk (6314) | more than 4 years ago | (#31840886)

68k is alive and well in the embedded market with ColdFire and DragonBall processors.

Re:Is the kernel address mapping part still true? (3, Interesting)

Chris Burke (6130) | more than 4 years ago | (#31840974)

I strongly disagree.

With the entire industry. It's okay. You're not the only one to have maintained the belief that segments are not useless crap. ;)

Segmented addressing got a bad name from the days of real mode

That wasn't "segmentation" in the academic sense, and it's the academic sense of segmentation, what is actually implemented in 32-bit protected mode, that has the well-deserved bad reputation among the engineers implementing and coding for it. Since the default in 32-bit mode was to effectively eliminate segmentation, it only made sense to just get rid of it.

That's not really hard to handle, especially since the code/data part is automatically handled by the processor.

In the sense that you don't have to specify that your code accesses use the code segment and data accesses use the data segment by default. However you still have to explicitly change code and data descriptors when changing between OS and user land and those operations are also not performance-neutral. They are rather slow in fact. Not as bad as a CR3 switch, but bad enough you don't want to do two (per segment, so four) just so the kernel can return the value in its time_t structure.

And that's before adding on the performance penalty of having to do an extra addition for every access when not using zero-base segments. You realize how many man-years of performance widgets you've undone by doing that? :)

Kernel code would have to explicitly distinguish between user mode access and kernel mode access (which IMHO is good).

In theory, but the exact case in question (mmap) is one where you want the both kernel and application to have the fastest access to the mmap()ed region possible. Which, in case you were wondering, means you can't just map two linear addresses to the same physical page, one for the user and one for the kernel, because that results in TLB thrashing. And when you take that and then add all the other cases where the kernel needs to regularly access something that might be mapped in user land, and suddenly you've just recreated the need for far pointers, and passing around far pointers results in the same possibility for badly formed pointers as before. Remember, if making sure all your pointers were valid was easy we wouldn't have this problem in the first place.

There's a reason why even when IA32 provided these segmentation facilities that nobody used them. And it's not prejudice from the 16-bit days, as if that could explain why nobody else has implemented segmentation.

Good riddance to bad rubbish I say. Modern ISAs ftw, even if they're still CISCy. :)

Bad summary (4, Insightful)

ElMiguel (117685) | more than 4 years ago | (#31839154)

As usual, bad summary. TFA explains how to exploit a theoretical kernel bug that happens to "read a function pointer from address 0, and then call through it". That's a long shot from turning "any NULL pointer" into a root exploit as the summary claims.

To be honest, I'm not sure why I bothered writing this comment. If the editors themselves don't care about the accuracy of the stories, why should I?

Re:Bad summary (1)

thoughtsatthemoment (1687848) | more than 4 years ago | (#31839320)

Well, if the hacker put his function at address 0, to dereference any NULL pointer would effectively be calling that function, assuming this memory mapping really works.

Re:Bad summary (1)

thoughtsatthemoment (1687848) | more than 4 years ago | (#31839336)

hmm, it should be any NULL *function* pointer.

Re:Bad summary (3, Informative)

argent (18001) | more than 4 years ago | (#31839380)

The OP's article wasn't very long, so you should be able to figure out that you just rephrased what he said: you need to have a null pointer function call kernel bug to exploit this. No combination of null pointer vulnerabilities in user space, and no null pointer reads and writes in kernel mode (which are more common) will get you root.

Re:Bad summary (1)

thoughtsatthemoment (1687848) | more than 4 years ago | (#31839524)

OK, you rephrased it the best.

Re:Bad summary (1)

larry bagina (561269) | more than 4 years ago | (#31839412)

void myfunction(void){ printf("bull shit\n"); }
...
((void *)NULL) = myfunction;
...
int *ip = NULL;
...
int i = *ip;

Re:Bad summary (4, Insightful)

BJ_Covert_Action (1499847) | more than 4 years ago | (#31839350)

If the editors themselves don't care about the accuracy of the stories, why should I?

Because you're not kdawson, and that's something to be proud of. ;)

Re:Bad summary (0)

Anonymous Coward | more than 4 years ago | (#31839824)

It's not just kdawson, it's Taco and many others who post stories here who seem to fail at reading and comprehension before posting a story, inflating it out of whack. Maybe it's just a stupid ploy to grab traffic, but, really, the quality of information here is sadly very low.

Re:Bad summary (1)

mr_stinky_britches (926212) | more than 4 years ago | (#31839566)

Yep, this is how it's been with pretty much all /. articles that link to ksplice. The articles are second rate almost every time, but they attempt to pass it off as revelation.

It's been done before... (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31839160)

In fact, the author is quite accurately describing a Blue waffle [bluewaffle.net] attack.

Bad MMU design + bad OS design = pwned (1)

Animats (122034) | more than 4 years ago | (#31839214)

It turns out that switching between address spaces is relatively expensive, and so to save on switching address spaces, the kernel is actually mapped into every process's address space, and the kernel just runs in the address space of whichever process was last executing.

So a CPU design bug propagated its way into OS architecture, leading to a security hole.

Intel never really got the crossing of privilege domains right. Context switching is too slow, call gates aren't very useful, and the segmented memory architecture in the 32-bit machines never really caught on. Yet domain-crossing is one of the most likely places for security holes.

Re:Bad MMU design + bad OS design = pwned (1)

Chris Burke (6130) | more than 4 years ago | (#31839596)

It's not about changing privilege levels, it's about changing address spaces, which is a costly operation in any architecture.

Re:Bad MMU design + bad OS design = pwned (1)

Animats (122034) | more than 4 years ago | (#31841342)

it's about changing address spaces, which is a costly operation in any architecture.

Not necessarily. On some of the SPARC machines, it's relatively cheap, because there's a separate set of registers for each protection level.

Re:Bad MMU design + bad OS design = pwned (1)

Chris Burke (6130) | more than 4 years ago | (#31841734)

Not necessarily. On some of the SPARC machines, it's relatively cheap, because there's a separate set of registers for each protection level.

On a typical system call you really only need to save the registers you use just like in a normal function call so it's relatively cheap in x86 too. Though it's hardly instantaneous to change privilege levels. I can certainly believe you when you say SPARC does this faster. But that's not what we're talking about.

We're talking about changing the Page Table Base Register (not sure if that's SPARC parlance, in x86 it's CR3 :P) to point at a different set of page tables. Doing that is damaging for performance in just about any virtual memory architecture, since it usually means flushing the TLB and stalling until all previous memory ops have completed to change PTBR values. You can partially mitigate it by tagging TLB entries with address space IDs, but you introduce a lot of complexity when you have to consider multiple translations to the same address in the TLB at the same time. Doubly so if you try to eliminate the stalls and rename the PTBR.

So regardless of how fast your privilege level switches are, it makes sense to have the OS mapped into the application's page table so you don't have to change address spaces.

FYI: AMD-V or Intel Nehalem or later (2, Informative)

tlambert (566799) | more than 4 years ago | (#31841810)

FYI: AMD-V or Intel Nehalem or later

Nehalem processor TLB address mapping entries include a Virtual Processor Identifier (VPID), while AMD-V supports tagged TLBs.

-- Terry

AOL Null (1)

irreverant (1544263) | more than 4 years ago | (#31839220)

Does anyone remember sending a link in AIM as file:||null\null\null? does null points?

Re:AOL Null (0)

Anonymous Coward | more than 4 years ago | (#31839366)

Yep but that wasn't as fun as sending the sound playing command in a chat room and watch everyone exit the chat.

Re:AOL Null (0)

Anonymous Coward | more than 4 years ago | (#31840530)

The real fun was on AOL, where you could cause people to play local sounds by saying {S path/to/sound and could exploit it that way.

But no, that's completely unrelated; that flaw is in DOS 'reserved words' being accessed. In DOS you could write to the file "LPT1" and it would send the bytes to your parallel port. Windows tried to prevent you from accessing these special filenames, but accessing it as a file under a folder with the same name worked around it. So con/con or aux/aux or com1/com1 or any number of others all bluescreened.

{S themoreyouknow.wav

Shush Now (1)

Unka Willbur (1771596) | more than 4 years ago | (#31839246)

You're gonna blow the best source of income some folks have. Nothing like an OS its operator thinks is "secure"....

Re:Shush Now (2, Insightful)

maxwell demon (590494) | more than 4 years ago | (#31839414)

Well, if you read the article, you'll find out that you have to
* circumvent the protection against mmap to address 0 (in the article, that one was just done as root)
* get the kernel to call a function through a function NULL pointer (that's what was done through the special kernel module)

Since the exploit doesn't make much sense if you already are root, for this exploit you have to
* find an existing bug in the kernel which allows you to circumvent the mmap protection.
* find another existing bug in the kernel which causes the kernel to do a function call through a NULL function pointer.

So you need two independent bugs in the kernel to make an actual exploit from this demonstration code.

Having said that, I think it would certainly be a nice option to be able to trade performance for security by telling the system to put the kernel into its own memory space.

Re:Shush Now (2, Interesting)

gman003 (1693318) | more than 4 years ago | (#31839540)

Considering that null function pointer bugs are a dime a dozen on any system, finding one of those is easy. TFA also points out that the mmap protection code in Linux has been historically weak, although there don't seem to be any open bugs at the moment.

So the article could have been better titled as "Why null function pointer bugs are serious business", but "How to exploit null [function] pointers" is still pretty accurate.

how to exploit/explode an entire civilization (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31839402)

easy on the 'civil' part by our reckoning.

you do still have the right to remain silent.

greed, fear & ego (in any order) are unprecedented evile's primary weapons. those, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' life0cidal hired goons' agenda. most of our dwindling resources are being squandered on the 'wars', & continuation of the billionerrors stock markup FraUD/pyramid schemes. nobody ever mentions the real long term costs of those debacles in both life & any notion of prosperity for us, or our children. not to mention the abuse of the consciences of those of us who still have one. see you on the other side of it. the lights are coming up all over now. the fairytail is winding down now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. we now have some choices. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

"The current rate of extinction is around 10 to 100 times the usual background level, and has been elevated above the background level since the Pleistocene. The current extinction rate is more rapid than in any other extinction event in earth history, and 50% of species could be extinct by the end of this century. While the role of humans is unclear in the longer-term extinction pattern, it is clear that factors such as deforestation, habitat destruction, hunting, the introduction of non-native species, pollution and climate change have reduced biodiversity profoundly." (wiki)

"I think the bottom line is, what kind of a world do you want to leave for your children," Andrew Smith, a professor in the Arizona State University School of Life Sciences, said in a telephone interview. "How impoverished we would be if we lost 25 percent of the world's mammals," said Smith, one of more than 100 co-authors of the report. "Within our lifetime hundreds of species could be lost as a result of our own actions, a frightening sign of what is happening to the ecosystems where they live," added Julia Marton-Lefevre, IUCN director general. "We must now set clear targets for the future to reverse this trend to ensure that our enduring legacy is not to wipe out many of our closest relatives."

"The wealth of the universe is for me. Every thing is explicable and practical for me .... I am defeated all the time; yet to victory I am born." --emerson

no need to confuse 'religion' with being a spiritual being. our soul purpose here is to care for one another. failing that, we're simply passing through (excess baggage) being distracted/consumed by the guaranteed to fail illusionary trappings of man'kind'. & recently (about a 1000 years ago) it was determined that hoarding & excess by a few, resulted in negative consequences for all.

consult with/trust in your creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land." )one does not need not to agree whois in charge to grasp the notion that there may be some assistance available to us(

boeing, boeing, gone.

If you have a bug in kernel code... (5, Interesting)

Alex Belits (437) | more than 4 years ago | (#31839436)

If you have a bug in kernel code that causes NULL pointer dereference, it can be used for various nastiness (in this case, privilege escalation).

This is why kernel shouldn't do it, and this is why it was an actual kernel bug that was exploited by so-called NULL pointer exploits. This is why those bugs were fixed.

Apparently some readers have an impression that what was posted is an actual exploit that works on a current kernel by dereferencing NULL pointer in userspace. In reality it relies on a buggy module being introduced, so kernel NULL dereference can be triggered by the user.

The kernel is at fault. (0)

Hurricane78 (562437) | more than 4 years ago | (#31839640)

Sorry, but if anything that simple can cause root access, then that’s a general error of the architecture and kernel. An OS should expect every app and every data input source to cause maximum mayhem in the system. And start from that point.

Or in other words: Get SELinux, or an equivalent system (RSBAC+more?)!

Re:The kernel is at fault. (4, Informative)

0123456 (636235) | more than 4 years ago | (#31839660)

Sorry, but if anything that simple can cause root access, then that’s a general error of the architecture and kernel.

By default you need root access (or an exploitable bug) to map page zero into your address space, and you need to specifically configure the kernel to allow it, and then you need an exploitable kernel bug to make use of it.

I wouldn't exactly call that 'simple'.

Re:The kernel is at fault. (1)

Athanasius (306480) | more than 4 years ago | (#31840250)

And a bug in SELinux was precisely one way in which it was possible to map page zero.

Re:The kernel is at fault. (0)

Anonymous Coward | more than 4 years ago | (#31841440)

By default you need root access (or an exploitable bug) to map page zero into your address space

No. You don't need to be root to map your own process's mapping for page 0.

and you need to specifically configure the kernel to allow it,

The echo to /proc as root is only necessary if your distro has mmap_min_addr set to something other than the default, which some distros are doing now to prevent this kind of attack. I also read (IIRC) that this same setting is needed for WINE, which a lot of people use anyway.

and then you need an exploitable kernel bug to make use of it.

More common than you might think.

A year or so ago, there was a real exploit like this. I don't think dismissing this technique is the right approach. The right approach is to eliminate null pointer dereferences.

But how do i ..... (1)

unity100 (970058) | more than 4 years ago | (#31839756)

get a null pointer to exploit ME

ooooohhhhhhhh

Re:But how do i ..... (1)

laederkeps (976361) | more than 4 years ago | (#31840322)

Try moving to the former eastern bloc? Just a hunch.

Re:But how do i ..... (0)

Anonymous Coward | more than 4 years ago | (#31841496)

That's easy. Just move to Soviet Russia.

printf "GIVE ME ALL YOUR MONEY!" null (1)

swschrad (312009) | more than 4 years ago | (#31839826)

rats, doesn't work. you guys lie.

Re:printf "GIVE ME ALL YOUR MONEY!" null (1)

maxwell demon (590494) | more than 4 years ago | (#31840238)

Actually it did work. It's just that root didn't have any money.

By why not just use a buffer overfl (1)

gef7 (1789448) | more than 4 years ago | (#31839880)

[place your favourite code here]

Code Review Time! (1)

martin-boundary (547041) | more than 4 years ago | (#31840352)

Ok, kids, it's code review time! What's wrong with the following code? :)

#include <sys/mman.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>   /* write() and close() were used without a declaration */

int main(void) {
    /* Map a writable page at address 0, so a kernel NULL dereference lands on
       user-controlled memory (only succeeds if mmap_min_addr permits it). */
    mmap(0, 4096, PROT_READ|PROT_WRITE,
         MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0);
    /* Poke the article's deliberately buggy debugfs module. */
    int fd = open("/sys/kernel/debug/nullderef/null_read", O_WRONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    write(fd, "1", 1);
    close(fd);

    printf("Triggered a kernel NULL pointer dereference!\n");
    return 0;
}

Major caveat from another article (1)

Max Threshold (540114) | more than 4 years ago | (#31840402)

In the author's article about how to map the NULL pointer [ksplice.com] , there's this caveat:

Note that most modern systems actually specifically disallow mapping the NULL page, out of security concerns. To run the following example on a recent Linux machine at home, you'll need to run # echo 0 > /proc/sys/vm/mmap_min_addr as root, first.

So under normal circumstances, even with a NULL dereference in the running kernel, this method would not allow you to gain root privileges.

My question is, what legitimate reason might there be for a system to allow applications to map the NULL pointer? Is there a class or role of machines where this might be expected to work?
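Both this post and maxwell demon's "Shush Now" reply above hinge on the same precondition: the attacker must first be able to map page zero, which the mmap_min_addr sysctl quoted here is meant to prevent. The program below is an added example, not code from the article or from Ksplice, that lets an administrator audit that precondition on a host: it parses the sysctl value, applies the kernel's rule (an unprivileged mapping whose start address lies below mmap_min_addr is refused) and then asks the kernel directly whether the current process may map page 0, releasing the page at once if the answer is yes. The file path and the 4096-byte page size are taken from the article's own snippet; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Parse the text of /proc/sys/vm/mmap_min_addr (a decimal byte count).
 * Returns the value, or -1 if the text is not a well-formed non-negative number. */
long parse_min_addr(const char *text)
{
    while (*text == ' ' || *text == '\t')
        text++;
    if (*text == '-')            /* strtoul would silently accept a negative */
        return -1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (end == text || errno != 0 || v > LONG_MAX)
        return -1;
    while (*end == ' ' || *end == '\n' || *end == '\t')
        end++;
    return (*end == '\0') ? (long)v : -1;
}

/* Policy check mirroring the kernel rule: a mapping request is refused for an
 * unprivileged caller when its start address is below mmap_min_addr.  Only the
 * start address matters; the length does not.  A value of 0 disables the check. */
int mapping_refused_by_min_addr(long min_addr, unsigned long start_addr)
{
    return min_addr > 0 && start_addr < (unsigned long)min_addr;
}

/* Read the live sysctl; -1 if the file is missing or unreadable (no procfs). */
long read_live_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f)
        return -1;
    char buf[64];
    long v = -1;
    if (fgets(buf, sizeof buf, f))
        v = parse_min_addr(buf);
    fclose(f);
    return v;
}

/* Ask the kernel whether this process may map the NULL page, using the same
 * mmap() call as the article's demo.  Returns 1 if the mapping was granted
 * (it is unmapped again immediately), 0 if refused, with errno in *err.
 * A hardened host running this as an ordinary user should return 0 / EPERM. */
int try_map_page_zero(int *err)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return 0;
    }
    munmap(p, 4096);
    *err = 0;
    return 1;
}

int main(void)
{
    long min_addr = read_live_min_addr();
    if (min_addr < 0)
        printf("mmap_min_addr: not readable on this system\n");
    else
        printf("mmap_min_addr = %ld: page 0 is %s by policy for unprivileged users\n",
               min_addr, mapping_refused_by_min_addr(min_addr, 0) ? "refused" : "ALLOWED");

    int err;
    if (try_map_page_zero(&err))
        printf("WARNING: this process could map page 0; a kernel NULL function-pointer bug would be exploitable from here\n");
    else
        printf("page 0 mapping refused: %s\n", strerror(err));
    return 0;
}
```

Run it twice, once as an ordinary user and once as root: the first run should report the mapping refused with EPERM, while the root run may succeed because CAP_SYS_RAWIO bypasses the sysctl, which is exactly why the article had to run its echo as root. The policy function is kept separate from the live probe so the rule itself can be checked against sample sysctl values offline.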

Re:Major caveat from another article (1, Informative)

Anonymous Coward | more than 4 years ago | (#31840716)

Wine and Dosemu take advantage of it. Also, the decision by the designers of C to make 0 an invalid address is really just a language decision, and has no basis in real hardware. The Linux kernel, however, is written in C, but can't assume the hardware will take care of a NULL dereference. That's really what the problem is. In reality, the bare hardware will allow something like *((int*) 0) = 0xdeadbeef; it's the operating systems job to enforce the rules.

kernel null function pointer (3, Insightful)

heli_flyer (614850) | more than 4 years ago | (#31840554)

This is not "how to exploit NULL pointers" ... this is "how to exploit a kernel NULL function pointer". Well, duh. In other news, security researchers find exploit for systems with blank root password.

mod do3n (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31841020)

lost its earlier fucking confirmed: effort to aadress Big picture. What