Jump to content


Exploiting CVE-2013-6282 vulnerability

  • Please log in to reply
1 reply to this topic

#1 Holmes.Sherlock


    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
    United States

Posted 17 April 2014 - 02:34 AM

On October 25, 2013, a Linux kernel bug CVE-2013-6282 was published. It was largely exploited around that time to get root access on existing Android devices. After reading tons of user review, I also applied the rootkit to get root access on my Sony Xperia - L handeset successfully. It was quite surprising that even the latest firmware update, too, didn't fix the vulnerability. What the flaw basically says is,




The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.


The rootkit has its source code attached.




Can anyone shed some light on:

  • How's this ~650 lines of C code exploiting the bug?
  • Where can I have more technical information on the bug realize the magic played by the code under the hood?

#2 synchronicity


    Frequent Member

  • Advanced user
  • 165 posts
    United States

Posted 17 April 2014 - 03:25 PM

Not sure what you plan to use this for, but you already have the source, and I'm sure all the "bad guys" already know about this...

I took a quick look at this source, and as far as I can tell the bug itself is fairly simple, and most of the exploit code is just "boilerplate", if you will, that makes use of the ability to read/write arbitrary kernel memory addresses.  Briefly, it searches the kernel image for the symbol table, then gets the addresses of several functions, including several involved in credential managment as well as several used to run the exploit code.  It also gets the address of ptmx_fops, which is a file operations structure that contains function pointers, and it may disassemble a function to get this address if it's not found in the symbol table.  The exploit itself replaces the fsync() member of ptmx_fops with a pointer to a custom function that prepares and commits root credentials.  And finally the exploit simply fsync()'s the appropriate device to trick the kernel into running the code.
I'm sure there are other places on the Internet where people discuss exploits in more detail ... otherwise you can better understand them by just better understanding the software they are written for (in this case Linux).  I'm just surprised that despite the fact this was (seemingly) a very simple bug, it still took 600+ lines of code to exploit it.  There's even a decompression algorithm hidden in there...!  Oh, and this is *not* a "rootkit"; it's simply an exploit to get a root shell.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users