A researcher has published exploit code for a new vulnerability he discovered in the Linux kernel. The vulnerability is an especially interesting one in that the researcher who discovered it, Brad Spengler, has demonstrated that he can use it to defeat many of the add-on security protections offered by SELinux and AppArmor.
The vulnerability is in the 2.6.30 release of the Linux kernel, and in a message to the Daily Dave mailing list Spengler said that he was able to exploit the flaw, which at first glance seemed unexploitable. He said that he was able to defeat the protection against exploiting NULL pointer dereferences (the restriction on mapping the lowest pages of memory) both on systems running SELinux and on typical Linux installations. SELinux is a set of security enhancements to the Linux OS developed by the National Security Agency.
Spengler also said he is able to turn off the auditing in SELinux, AppArmor and the Linux Security Module (LSM) framework. He posted a video demonstration of the exploit in action on YouTube.
The code in question (the kernel's tun driver poll handler, which reads tun->sk before it checks whether tun is NULL) looks perfectly OK, right? Well, it is, until the compiler gets its hands on it. While optimizing, the compiler sees that tun has already been dereferenced and therefore assumes it cannot be NULL, so it removes the if block (the check whether tun is NULL) completely from the resulting compiled code. In other words, the compiler introduces into the binary a vulnerability that did not exist in the source code. When tun really is NULL, the kernel reads through address 0x00000000, a page the attacker can map in userland, and from there the box is owned.
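The pattern described above, as an added example that is not the kernel's code: a constructed device struct (the names `tun_struct`, `sock`, `poll_check_after_use` and `poll_check_before_use` are hypothetical stand-ins) with a poll handler that dereferences its argument before the NULL check, beside the corrected ordering. The first function is deliberately written with the defect; the second is the hardened form.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a kernel device object that owns a socket
 * pointer. Names are hypothetical, not the kernel's own definitions. */
struct sock { int readable; };
struct tun_struct { struct sock *sk; };

/* Same values as Linux's poll flags, guarded in case they are already defined. */
#ifndef POLLIN
#define POLLIN  0x001
#endif
#ifndef POLLERR
#define POLLERR 0x008
#endif

/* Vulnerable pattern: the dereference comes BEFORE the NULL check.
 * Because tun->sk is read first, an optimizing compiler (GCC with its
 * default -fdelete-null-pointer-checks at -O2) may treat tun as provably
 * non-NULL and delete the `if (!tun)` test entirely. If tun is NULL the
 * load reads from address 0, which an attacker who can map page zero
 * controls. Calling this with NULL is undefined behaviour; do not rely
 * on it returning POLLERR. */
static int poll_check_after_use(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;       /* dereference first ... */
    if (!tun)                        /* ... check second: may be optimized away */
        return POLLERR;
    return sk->readable ? POLLIN : 0;
}

/* Hardened form: test the pointer before anything reads through it.
 * No dereference precedes the check, so the compiler has nothing to
 * infer from, and the NULL case is handled explicitly. */
static int poll_check_before_use(struct tun_struct *tun)
{
    struct sock *sk;
    if (!tun)
        return POLLERR;
    sk = tun->sk;
    return sk->readable ? POLLIN : 0;
}

int main(void)
{
    /* Constructed sample objects. */
    struct sock s = { 1 };
    struct tun_struct t = { &s };

    printf("after_use  (valid tun): 0x%x\n", poll_check_after_use(&t));
    printf("before_use (valid tun): 0x%x\n", poll_check_before_use(&t));
    printf("before_use (NULL tun):  0x%x\n", poll_check_before_use(NULL));
    /* poll_check_after_use(NULL) is deliberately not called: it is the bug. */
    return 0;
}
```

Compile the first function with `gcc -O2 -S` and read the assembly: the comparison of `tun` against zero is gone, exactly as the paragraph describes. The kernel's responses to this class of bug were to build with `-fno-delete-null-pointer-checks` and to keep `vm.mmap_min_addr` non-zero so page zero cannot be mapped from userland, but those are mitigations; the actual fix is the ordering in the second function.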
Until recently, exploiting NULL pointer dereferences was thought to be virtually impossible. Work done by Mark Dowd of IBM ISS last year put the lie to that: Dowd designed his technique to exploit a problem in Adobe Flash, but was able to extend it to similar conditions in other applications.
-----------------------Perfect example of how you can't find all vulnerabilities by just reviewing source code alone.
While code review is critical to reducing the number of vulnerabilities, it is only part of the overall security puzzle.
Of course, the security puzzle changes so fast...there isn't a real solution...but that is another blog altogether ;)