Thursday, August 20, 2009

Linux NULL Pointer Dereference CVE-2009-2692

Refer here for a quick read on what a NULL Pointer Dereference vulnerability is.

Over the past week, the latest Linux NULL pointer dereference bug has left millions of servers worldwide exposed to local root compromise. Here's the CVE reference: CVE-2009-2692. The bug is in sock_sendpage() in net/socket.c: several socket families (PF_APPLETALK, PF_IPX and others) left the sendpage slot of their proto_ops table NULL, so a sendfile() onto such a socket makes the kernel call through a NULL function pointer. Any local user who can create one of those sockets can trigger it; it affects 2.4 and 2.6 kernels and is fixed in 2.6.30.5 and 2.6.31-rc6 by falling back to sock_no_sendpage() wherever a family provides no sendpage of its own.

Several local exploits have been released so far; the ones I tried, which worked like magic, are at:
- The shorter one http://www.securityfocus.com/data/vulnerabilities/exploits/36038-4.tgz
- The longer one http://www.securityfocus.com/data/vulnerabilities/exploits/wunderbar_emporium.tgz

Here's how simply I get root on my box using the former exploit

To understand the exploit in detail a good explanation can be found here.

In summary: the exploit triggers a kernel NULL pointer dereference (the call through the empty sendpage slot), so execution lands on page zero, which the exploit has already mapped and filled with bytes under its control; that code then runs with kernel privileges and hands the process root. Normally vm.mmap_min_addr stops an unprivileged process from mapping page zero at all. The exploit gets around that by setting the SVR4 personality (which carries the MMAP_PAGE_ZERO flag) and then executing pulseaudio, a setuid-root binary: during exec the kernel maps page zero for the now-privileged process, pulseaudio drops root, and the exploit gets its own shared object loaded into that process, which already has page zero mapped. So raising mmap_min_addr alone does not protect you from this exploit; the kernel fix does, and the companion kernel change that clears MMAP_PAGE_ZERO on setuid exec (adding it to PER_CLEAR_ON_SETID) closes the pulseaudio trick as well.
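To make the dispatch bug concrete, here is an added user-space model of it. This is illustration written for this post, not kernel code and not part of either exploit: the names proto_ops, sock_sendpage, sock_no_sendpage and kernel_sendpage echo net/socket.c, but the bodies, the stand-in struct page, the two protocol tables and the sample bytes are all constructed here. The unpatched function calls through whatever is in the table, so on the "appletalk" socket it would jump to address 0; the patched shape substitutes the safe fallback first.

```c
/*
 * Added illustration, not kernel code: a user-space model of the dispatch
 * bug behind CVE-2009-2692.  Names echo net/socket.c, but every body, the
 * stand-in "page" type and the sample data are constructed for this post.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct socket;

/* Stand-in for struct page: the bytes sendfile() hands to the socket layer. */
struct page {
    const char *data;
    size_t      len;
};

/* Per-family operation table.  A family that forgets a slot leaves a NULL
 * function pointer behind, and nothing at table-build time complains. */
struct proto_ops {
    const char *family;
    ssize_t (*sendmsg)(struct socket *sock, const char *buf, size_t len);
    ssize_t (*sendpage)(struct socket *sock, struct page *pg, int off, size_t len);
};

struct socket {
    const struct proto_ops *ops;
    char   out[256];   /* what the "wire" received, kept for inspection */
    size_t outlen;
};

/* Generic sendmsg: every family in this model implements it. */
static ssize_t generic_sendmsg(struct socket *sock, const char *buf, size_t len)
{
    if (len > sizeof(sock->out) - 1)
        return -1;
    memcpy(sock->out, buf, len);
    sock->out[len] = '\0';
    sock->outlen = len;
    return (ssize_t)len;
}

/* A family that supplies its own sendpage (inet does, for zero-copy sends). */
static ssize_t inet_sendpage(struct socket *sock, struct page *pg, int off, size_t len)
{
    if ((size_t)off + len > pg->len)
        return -1;
    return generic_sendmsg(sock, pg->data + off, len);
}

/* The kernel's fallback: push the page through sendmsg instead. */
static ssize_t sock_no_sendpage(struct socket *sock, struct page *pg, int off, size_t len)
{
    if ((size_t)off + len > pg->len)
        return -1;
    return generic_sendmsg(sock, pg->data + off, len);
}

/* "inet" fills both slots; "appletalk" leaves sendpage NULL, as
 * PF_APPLETALK, PF_IPX and others did in unpatched kernels. */
static const struct proto_ops inet_ops  = { "inet",      generic_sendmsg, inet_sendpage };
static const struct proto_ops atalk_ops = { "appletalk", generic_sendmsg, NULL };

/* Pre-fix sock_sendpage(): a blind indirect call.  On a socket whose family
 * left the slot empty this jumps to address 0, which is the NULL pointer
 * dereference the exploit turns into code execution. */
static ssize_t sock_sendpage_unpatched(struct socket *sock, struct page *pg, int off, size_t len)
{
    return sock->ops->sendpage(sock, pg, off, len);
}

/* Post-fix shape: substitute sock_no_sendpage when the family provided
 * none, so no call path ever goes through NULL. */
static ssize_t kernel_sendpage(struct socket *sock, struct page *pg, int off, size_t len)
{
    if (sock->ops->sendpage)
        return sock->ops->sendpage(sock, pg, off, len);
    return sock_no_sendpage(sock, pg, off, len);
}

/* Audit helper: does this family's table leave sendpage unset? */
static int sendpage_missing(const struct proto_ops *ops)
{
    return ops->sendpage == NULL;
}

int main(void)
{
    struct page   pg    = { "constructed payload", 19 };   /* constructed sample bytes */
    struct socket inet  = { &inet_ops,  {0}, 0 };
    struct socket atalk = { &atalk_ops, {0}, 0 };

    printf("%s: sendpage missing? %d\n", inet_ops.family,  sendpage_missing(&inet_ops));
    printf("%s: sendpage missing? %d\n", atalk_ops.family, sendpage_missing(&atalk_ops));

    /* The patched path is safe on either socket. */
    kernel_sendpage(&inet,  &pg, 0, pg.len);
    kernel_sendpage(&atalk, &pg, 0, pg.len);
    printf("patched path delivered \"%s\" on %s\n", atalk.out, atalk_ops.family);

    /* The unpatched path is only safe on inet; on atalk it would call
     * address 0 (SIGSEGV here, an oops or attacker code in the kernel). */
    sock_sendpage_unpatched(&inet, &pg, 0, pg.len);
    return 0;
}
```

The same audit helper is the check you want when reviewing any table of function pointers: walk every table and fail loudly on an unset mandatory slot at build or init time, rather than discovering it at the first indirect call.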

2 comments:

  1. Yes, it's acknowledged by a few other users in Amazon EC2 (which we use a lot):
    http://developer.amazonwebservices.com/connect/thread.jspa?threadID=35410

    Thanks a ton for this blog post.
