

How to root a Linux machine using a kernel NULL pointer vulnerability - nelhage
http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/

======
rbanffy
Would you rephrase the article to make it clear it's a module designed to make
the kernel vulnerable and not a vulnerability of a kernel currently in use?

And if I read the article correctly, you have to be root to load the module

~~~
geocar
I don't think you understand what's going on. A kernel-side null-pointer
dereference is normally a denial of service, but this article explains how to
convert it into privilege escalation.

Using a kernel module with the bug in it lets the article talk about that
particular transformation, without emboldening a bunch of script kiddies with
a new rootme script. You can of course replace that kernel module with any
null-pointer dereference you happen to notice in the kernel changelog.

~~~
rbanffy
> A kernel-side null-pointer dereference is normally a denial of service, but
> this article explains how to convert it into privilege escalation

Still, the title can be misinterpreted. The vulnerability being used is not a
"real one" but one injected by a kernel module.

~~~
sophacles
Actually there are several different things working in concert here. 1) The
ability to mmap adress 0 2) Code which knows how to escalate privileges of an
entire process if run in kernel space. 3) A kernel module which intentionally
calls a bad pointer, to illustrate the point.

3 by itself is not a vulnerability. In fact, it is by itself just a stupidly
written peice of code, the real vulnerability is in 1 & 2 which take advantage
of a vulnerability in null pointer handling.

In fact, even if I didn't know anything other than 1 and 2, It is possible to
start fuzzing syscalls until I accidentally cause one to dereference a null
pointer, in which case it is game over.

Edit: another way to say this is: Kernel null pointer vulnerabilities are a
class of vulnerability, much like buffer overflows are a class of
vulnerability. Even if there is just a toy example of the exploit in an
article, it doesn't change the concept. Much like the classic "Smashing the
stack for fun an profit"

~~~
rbanffy
"Dereferencing null pointers for fun and profit" would have been a great
title.

------
Periodic
There are so many things we take for granted when programming. It's always
enlightening to see how simple bugs can turn into serious vulnerabilities for
the clever hacker.

As programmers we really should educate ourselves about these things because
there can be unusual interactions which you don't expect, such as caching
behavior, or spreading your data across many virtual pages on a heavily-used
machine.

