Exploiting the unexploitable, Linux 2.6.30+/SELinux/RHEL5 test kernel 0day - kirubakaran
http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069714.html

======
jacquesm
So, to make a long story short, apparently compiling your kernel with
-fno-delete-null-pointer-checks removes this kind of vulnerability.

It's a good thing this is a local exploit... humble fellow too...
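
The flag mentioned above disables a GCC optimisation: once a pointer has been dereferenced, the compiler may assume it is non-NULL and silently drop a later `if (!p)` check. The following is an added, constructed C example (not code from the thread, the advisory or the kernel) showing the fragile ordering beside the robust one; `struct conn` and both function names are made up for illustration.

```c
#include <stddef.h>

/* Constructed example. GCC's -fdelete-null-pointer-checks (on by default at -O2)
 * lets the optimiser treat a pointer as non-NULL after any dereference of it,
 * so a NULL test that comes *after* the dereference may be removed entirely. */

struct conn { int state; };

/* Fragile: the dereference precedes the check. Reading c->state is undefined
 * for a NULL c, so the compiler is entitled to delete the "if (!c)" branch.
 * Building with -fno-delete-null-pointer-checks keeps the branch, but the
 * real defect is the ordering. Never call this with NULL. */
int state_check_after(const struct conn *c)
{
    int s = c->state;      /* dereference first ... */
    if (!c)                /* ... so this test may be optimised away */
        return -1;
    return s;
}

/* Robust: the check precedes every dereference. No undefined behaviour
 * happens before the test, so no optimisation level can remove it. */
int state_check_before(const struct conn *c)
{
    if (!c)
        return -1;
    return c->state;
}

/* Small helper so the safe path can be exercised without building a struct. */
int state_check_before_value(int v)
{
    struct conn c = { v };
    return state_check_before(&c);
}

int main(void)
{
    /* The safe version handles NULL; the fragile one must never see it. */
    return (state_check_before_value(7) == 7 &&
            state_check_before(NULL) == -1) ? 0 : 1;
}
```

Compile the first function with `gcc -O2 -S` and again with `-O2 -fno-delete-null-pointer-checks -S` to see the branch disappear and reappear; the second function is unchanged in both cases, which is why reordering the check is the fix and the flag is only a mitigation.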

------
bcl
Looks like it is using suid pulseaudio to load the exploit into the kernel. I
don't think RHEL5 systems install pulseaudio by default. Also note that this
is a local exploit, you need access to a user account on the system.

ETA: I just tried this on a CentOS5 vmware image (2.6.18-92.1.22.el5) without
SELinux and couldn't get it to work.

~~~
notaddicted
I think the whole pulse audio thing is just for a little entertainment. Check
the description in "exploit.c".

~~~
nailer
My understanding is that it uses pulseaudio to avoid null pointer dereference
protection, but the hole is in the tunneling driver.

~~~
jmillikin
Any SUID binary which allows library loading would work for this purpose.
Normally that's not a security problem, but a combination of other factors has
allowed it to become one.

~~~
yosh
"Normally that's not a security problem"? PulseAudio allowing arbitrary code
loaded into a suid root app via command line parameters is a gaping security
hole by itself.

This exploit used a trivial root exploit to set up a deeper kernel-level
exploit, one that can bypass SELinux, hide itself completely, etc.

------
j2d2
Kudos on cracking SELinux!