NULL-deref in kernel-land to code execution
The first documented instead of a NULL-deref exploitation appeared in 1994, in 8lgm’s famous ptchown exploit. But NULL pointer deference kernel exploits have started to become popular with Ilja van Sprundel’s Unusual bugs talk at the 32C3, at the end of 2006. This was followed by a couple of exploits by spender, starting with tee42-24tee.c for Linux 2.6.16 to 18.104.22.168.
In 2003, pipacs added KERNEXEC to PaX, as an equivalent to PAGEEXEC, but for kernel-land. Due to the way it’s implemented, it’s marking the userland virtual address region as non-executable from the kernel perspective, effectively killing code-pointer NULL-dereference based exploits.
In 2006, PaX gained UDEREF, killing, amongst other things, data-pointer NULL-dereference exploits.
In the beginning of 2007, a Phrack article was published
on the topic, and the
mmap_min_addr sysctl was added in Linux 2.6.23,
preventing this kind of vulnerabilities.
In November 2008, one year and a half after the publication of the
(CVE-2007-0085) from Ilja, OpenBSD 4.4
joined the party and made this class of exploits a thing of the past,
thanks to a
commit from Theo de Raadt in
I’m not convinced that this snarky comment by Theo de Raadt is justified:
For the record, this particular problem was resolved in OpenBSD a while back, in 2008. We are not super proud of the solution, but it is what seems best faced with a stupid Intel architectural choice. However, it seems that everyone else is slowly coming around to the same solution.
Especially since the explanation for sitting on this exploit technique for 2 years without fixing it is “At least three of our developers were aware of this exploitation method going back perhaps two years before than the commit, but we gnashed our teeth a lot to try to find other solutions.” instead of committing a simple-maybe-a-bit-gross-but-yet-working one-liner solution.