September 10, 2009: I released a third and final version of the exploit. This third version features: Complete support for i386, x86_64, ppc and ppc64; The personality trick published by Tavis Ormandy and Julien Tinnes; The TOC pointer workaround for data items addressing on ppc64 (i.e. functions in exploit code and libc can be referenced); Improved search and transition to SELinux types with mmap_zero permission. The third version of the exploit is available here.

September 7, 2009: I released a second version of the exploit. Now, it also works with Linux Kernel versions which implement COW credentials (e.g. Fedora 11). For SELinux enforced systems, it automatically searches the SELinux policy rules for types with mmap_zero permission to which it can transition, and tries to exploit the system with these types. The second version of the exploit is available here.

September 4, 2009: I updated the list of distributions the exploit was tested on.

I released an exploit for the Linux sock_sendpage() NULL Pointer Dereference, discovered by Tavis Ormandy and Julien Tinnes. This exploit was written to illustrate the exploitability of this vulnerability on Power/Cell BE architecture.

The exploit makes use of the SELinux and mmap_min_addr problem to exploit this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. The problem, first noticed by Brad Spengler, was described by Red Hat in the Red Hat Knowledgebase article: Security-Enhanced Linux (SELinux) policy and the mmap_min_addr protection.

Support for i386 and x86_64 was added for completeness. For a more complete implementation, refer to Brad Spengler’s exploit, which also implements the personality trick published by Tavis Ormandy and Julien Tinnes.

Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4 are vulnerable.
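The two facts an administrator needs from the paragraphs above are the upstream version ranges named as vulnerable and whether the host still relies on mmap_min_addr to keep the zero page unmapped. The following is an added triage script, not part of the original post or of the exploit, that checks both against a `uname -r` string and the text of /proc/sys/vm/mmap_min_addr (sample inputs are constructed; the function names and the 4096-byte page-size assumption are mine). The version check is labelled "upstream" on purpose: distribution kernels backport fixes without bumping the upstream number, as the tested-distribution list shows (2.6.18-128.7.1.el5 is not vulnerable although 2.6.18 lies inside the range), so a hit means "consult the vendor errata", not "exploitable".

```python
"""Defender-side triage for the sock_sendpage() NULL pointer dereference.

Added example; it is not the post's code. It answers two questions:

  1. Does the running kernel's upstream version fall inside the ranges the
     post names as vulnerable (2.4.4 - 2.4.37.4 and 2.6.0 - 2.6.30.4)?
  2. Is vm.mmap_min_addr large enough to deny mapping the zero page, which
     is where a NULL function-pointer dereference would otherwise land?
"""
import re

# Inclusive vulnerable upstream ranges, exactly as stated in the post.
VULNERABLE_RANGES = (
    ((2, 4, 4), (2, 4, 37, 4)),
    ((2, 6, 0), (2, 6, 30, 4)),
)


def parse_upstream_version(release):
    """Extract the upstream kernel version from a `uname -r` string.

    '2.6.18-128.7.1.el5' -> (2, 6, 18); '2.6.27.29-0.1' -> (2, 6, 27, 29).
    Everything after the first '-' is the distribution build suffix and is
    ignored, because it says nothing about the upstream version.
    """
    upstream = release.split("-", 1)[0]
    m = re.match(r"^(\d+(?:\.\d+)*)", upstream)
    if not m:
        raise ValueError("not a kernel release string: %r" % release)
    return tuple(int(x) for x in m.group(1).split("."))


def _pad(version, length):
    # Right-pad with zeros so (2, 6, 30) compares as (2, 6, 30, 0).
    return tuple(version) + (0,) * (length - len(version))


def upstream_in_vulnerable_range(release):
    """True if the upstream version lies inside one of VULNERABLE_RANGES."""
    v = parse_upstream_version(release)
    for low, high in VULNERABLE_RANGES:
        n = max(len(v), len(low), len(high))
        if _pad(low, n) <= _pad(v, n) <= _pad(high, n):
            return True
    return False


def mmap_min_addr_ok(value, page_size=4096):
    """True if vm.mmap_min_addr denies unprivileged mappings of the zero page.

    `value` is the text read from /proc/sys/vm/mmap_min_addr. Anything below
    one page (page_size is an assumption; 4096 is the common x86 value)
    leaves address 0 mappable by an unprivileged process.
    """
    try:
        return int(value.strip()) >= page_size
    except ValueError:
        return False


def triage(release, mmap_min_addr_text):
    """Combine both checks into a list of findings for the given host data."""
    findings = []
    if upstream_in_vulnerable_range(release):
        findings.append("upstream version in vulnerable range; check vendor errata")
    if not mmap_min_addr_ok(mmap_min_addr_text):
        findings.append("vm.mmap_min_addr does not protect the zero page")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; on a live host read `uname -r` and
    # /proc/sys/vm/mmap_min_addr instead.
    for rel, mma in (("2.6.18-128.el5", "0"), ("2.6.27.29-0.1", "65536")):
        print(rel, mma, triage(rel, mma))
```

A clean result from `mmap_min_addr_ok` is necessary but not sufficient on the SELinux-enforced systems the post targets: there the kernel defers the low-address check to the SELinux mmap_zero permission, which is exactly the policy problem described in the Red Hat Knowledgebase article cited above, so the policy must be reviewed as well.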

The exploit was tested on:

  • CentOS 5.3 (2.6.18-128.7.1.el5) is not vulnerable
  • CentOS 5.3 (2.6.18-128.4.1.el5)
  • CentOS 5.3 (2.6.18-128.2.1.el5)
  • CentOS 5.3 (2.6.18-128.1.16.el5)
  • CentOS 5.3 (2.6.18-128.1.14.el5)
  • CentOS 5.3 (2.6.18-128.1.10.el5)
  • CentOS 5.3 (2.6.18-128.1.6.el5)
  • CentOS 5.3 (2.6.18-128.1.1.el5)
  • CentOS 5.3 (2.6.18-128.el5)
  • CentOS 4.8 (2.6.9-89.0.9.EL) is not vulnerable
  • CentOS 4.8 (2.6.9-89.0.7.EL)
  • CentOS 4.8 (2.6.9-89.0.3.EL)
  • CentOS 4.8 (2.6.9-89.EL)
  • Fedora 11 (2.6.29.4-167.fc11)
  • Fedora 10 (2.6.27.5-117.fc10)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5) is not vulnerable
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5)
  • Red Hat Enterprise Linux 5.3 (2.6.18-128.el5)
  • Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL) is not vulnerable
  • Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL)
  • Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL)
  • Red Hat Enterprise Linux 4.8 (2.6.9-89.EL)
  • SUSE Linux Enterprise Server 11 (2.6.27.29-0.1) is not vulnerable
  • SUSE Linux Enterprise Server 11 (2.6.27.25-0.1)
  • SUSE Linux Enterprise Server 11 (2.6.27.23-0.1)
  • SUSE Linux Enterprise Server 11 (2.6.27.21-0.1)
  • SUSE Linux Enterprise Server 11 (2.6.27.19-5)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.42.4) is not vulnerable
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.39.3)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.37_f594963d)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.34)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.33)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.31)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.29)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.27)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.23)
  • SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21)
  • Ubuntu 8.10 (2.6.27-14) is not vulnerable
  • Ubuntu 8.10 (2.6.27-11)
  • Ubuntu 8.10 (2.6.27-9)
  • Ubuntu 8.10 (2.6.27-7)
  • openSUSE 11.1 (2.6.27.29-0.1) is not vulnerable
  • openSUSE 11.1 (2.6.27.25-0.1)
  • openSUSE 11.1 (2.6.27.23-0.1)
  • openSUSE 11.1 (2.6.27.21-0.1)
  • openSUSE 11.1 (2.6.27.19-3.2)
  • openSUSE 11.1 (2.6.27.7-9)

It should also work on earlier versions of these distributions. The exploit is available here.