How To Exploit NULL Pointers 139
An anonymous reader writes "Ever wondered what was so bad about NULL pointer exceptions? An MIT Linux kernel programmer explains how to turn any NULL pointer into a root exploit on Linux. (There was also a previous installment about virtual memory and how to make NULL pointers benign.)"
Re:Exceptons? (Score:5, Insightful)
Nothing. Because if they're an exception, they've been safely caught by the platform's exception handling mechanism. This article isn't about exceptions, it's about dereferencing your actual raw NUL pointers themselves in languages that either don't have the exception mechanism or where it simply hasn't been used.
Actually, most JIT-based VMs don't do explicit null checks, but rather let the OS signal access violation (as it is supposed to be guaranteed for NULL pointers, unlike dangling or garbage ones), and if it happens, wrap it into the language-specific exception - it's much faster than explicit checks for every pointer dereference.
Bad summary (Score:5, Insightful)
To be honest, I'm not sure why I bothered writing this comment. If the editors themselves don't care about the accuracy of the stories, why should I?
Re:Exceptons? (Score:3, Insightful)
it's about dereferencing your actual raw NUL pointers themselves in languages that either don't have the exception mechanism or where it simply hasn't been used.
But if this gains you root access without you actually having it, it's a fault in the OS security. You cant rely on programming languages to protect against such methods.
Re:Bad summary (Score:5, Insightful)
If the editors themselves don't care about the accuracy of the stories, why should I?
Because you're not kdawson, and that's something to be proud of. ;)
Re:Exceptons? (Score:3, Insightful)
But if this gains you root access without you actually having it, it's a fault in the OS security. You cant rely on programming languages to protect against such methods.
Except you need root access in order to map page zero into your address space, and you generally need root access to configure the kernel so that it will allow root to map page zero into your address space (Wine in Ubuntu used to set the minimum mmap address to zero, I'm not sure whether it still does). So to get root access in this way you either need root access or multiple userspace vulnerabilities. And then you need a kernel flaw which executes code relative to a null pointer.
So while it's interesting and something developers should be aware of, it's not really a serious security threat in most cases; the last use of this exploit that I'm aware of required a kernel bug combined with a pulseaudio bug combined with an SELinux bug.
Re:Shush Now (Score:2, Insightful)
Well, if you read the article, you'll find out that you have to
* circumvent the protection against mmap to address 0 (in the article, that one was just done as root)
* get the kernel to call a function through a function NULL pointer (that's what was done through the special kernel module)
Since the exploit doesn't make much sense if you already are root, for this exploit you have to
* find an existing bug in the kernel which allows you to circumvent the mmap protection.
* find another existing bug in the kernel which causes the kernel to do a function call through a NULL function pointer.
So you need two independent bugs in the kernel to make an actual exploit from this demonstration code.
Having said that, I think it would certainly be a nice option to be able to trade performance for security by telling the system to put the kernel into its own memory space.
Re:OS dependent (Score:1, Insightful)
Furthermore, you also have to turn off the kernel protection to do it.
Re:Exceptons? (Score:5, Insightful)
He demonstrates the simplest easiest to understand case, that of a NULL function pointer. But it really can extend to reads and writes of a NULL pointer as well (not always but often). If you can make the kernel read data from a NULL pointer you would be able to trick the kernel into reading a fake struct that you placed at NULL. Maybe that fake struct had a function pointer which you can easily set to another userspace address and voila, win. Maybe the code will read that struct and then write somewhere else in memory based on the information in that struct. Simply make that write happen in a place you choose which might lead to an eventual NULL function pointer.
Any time the kernel accidentally dereferences a pointer (especially one outside of kernel space) and uses that data things can go bad. The mmap_min_addr checks were added to harden against the EXACT class of common bugs he describes and I'm saddened it was dismissed so out of hand.
kernel null function pointer (Score:3, Insightful)
Re:Not on embedded platforms (Score:3, Insightful)
I recall wondering whether you were the marcan from team twiizer or not. I guess I am sure now.
PS: you did an awesome job on the wii. thank you for it!
Re:Assumes a CALL to the NULL ptr (not any referen (Score:3, Insightful)
I was intrigued by the ./ posting, which claimed that the tutorial would show how to exploit any NULL pointer dereference. The actual article, however, requires a CALL to the NULL pointer. While some NULL pointer bugs are function pointers, many are not. Kernel code that merely reads or writes data to a NULL pointer will not be exploitable as shown.
But sometimes, they can still be exploited. Let's hypothesize a UNIX clone whose kernel has this code in its implementation of the chroot() system call, something that only root should be able to call:
if (get_current_process()->m_uid != 0)
{
return EPERM;
}
Now let's suppose that there is a bug in the kernel that you can exploit to cause get_current_process() to return a null process pointer. Using mmap(), you can allocate the zero page. The get_current_process()->m_uid expression now reads memory that you control. Of course, you're going to put 0 at that location.
With chroot() available to a non-root program, it will only be a matter of a few tricks with setuid programs before you get root access. Once you have root access, you can elevate to full kernel mode by loading a kernel extension.