Research and bypass of PXN Protection Technology

Research and bypass of PXN Protection Technology

Introduction to Linux Security Mechanism

In recent yearsAndroidThe rise of the system,AndroidUnderlying implementationLinuxKernel security issues have become increasingly popular. To reduce the harm and loss caused by vulnerabilities,LinuxThe kernel has added a series of vulnerability mitigation technologies. IncludingDEP,ALSR, StrongerSelinuX, kernel code segment read-only, PXN, and so on.LinuxThe increase in these security features makes it increasingly difficult for hackers to exploit vulnerabilities. Where,DEP,ALSR,SelinuxAnd other technologiesPCThe times have matured. The read-only kernel code segment can also be modifiedPtmx_fopsAnd other solutions. So,PXNWhat is it? How can it be bypassed?

PXN Overview

PXNActuallyPrivileged Execute-NeverLiteral Translation Means "privileged execution never ". Whether it is enabled depends on the page table attribute.PXNTo control ,.

On Android machines without the PXN security mechanism, we generally consider the following steps:

Modify Ptmx_fopsTable FsyncPointer address to point to the elevation code of our user State. Application Layer call FsyncFunction, so that the system triggers our elevation code. Obtain RootPermission. Set Ptmx_fopsTable FsyncSet pointer NULLTo prevent other processes from calling. FsyncThe system crashes.

The Elevation of Privilege mentioned above is a general idea without the PXN effect. InPXNWhat is the performance on the machine? After multiple tests, the performance of different models varies. Some machines will get stuck,ShellcodeWill not continue; some machines will generateKernel Panic, The machine is restarted directly. Therefore, the general principle of PXN is that in the kernel state, the system cannot directly execute user-mode code. Therefore, our common ideas for Elevation of Privilege won't work. The vast majority of attacksArm64System Model (such as SamsungS6, HuaweiP8), And someArm32BIT model (such as SamsungNote3, SamsungS5And other mainstream models)ROMEnabled by default.PXN.

A Preliminary Study on PXN

In one way of exploiting the CVE-2015-3636 vulnerability, we can ultimately control the value of the sk-> sk_prot-> close pointer in the inet_release function. Corresponding assembly code.

In Figure 2, the value of the X2 register is the sk-> sk_prot-> close pointer address. Here, X2 corresponds to R2 in a 32-bit system. The BLR X2 command jumps to the address pointed to by X2 and runs the command. On the PXN model, if we direct the sk_prot-> close pointer address to the authorization code of the user State, the system restarts the panic directly, as shown in the error message. In this panic information, we can see that the PC register value is 0x558d15a2a8, which is a user-mode address.

Since the PXN mechanism can prevent the system from running user-state code in the kernel state, will it block code execution at the kernel layer? We direct the sk_prot-> close pointer address to the return position of the inet_release function. Code.

Then, the vulnerability is triggered. The function correctly returns to the user State, and the system does not have a panic. This verifies that PXN does not prevent kernel state code execution. This is also consistent with PXN's own principle.

Fight PXN again

Basic Ideas

Although the user-state shellcode cannot be executed on machines with PXN, the kernel-state code can still be executed. Therefore, our policy is to use the kernel drop: Build the kernel gadget so that the stack pointer sp leaks, and then use the sp to calculate the address of the thread_info structure, and then the addr_limit field of the patch thread_info structure, in this way, the user State can be read and written to the kernel state.

Build a gadget

Next, our main purpose is to verify the feasibility of the above scheme. The first task is to find the appropriate kernel gadget. Suppose we can use the vulnerability to control the value of the X1 register ,.

Therefore, when looking for the gadget required by the drop operation, we control the values of other registers based on the memory area pointed to by X1. Before triggering the vulnerability, use the mmap function to create a memory space that can be controlled by the user State. As shown below

void *map_addr_tmp = mmap((void*) 0x30303000, 0x10000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS|MAP_FIXED, -1, 0);

After completing the above preparations, I will divide the above solution into the following three steps:

The value of the leaked sp; The addr_limit address; patch addr_limit.

First, we use ROP to complete sp leakage. Because the address indicated by register X1 is a memory block that we allocate in the user State and can control at will, we use X1 in the first section of the gadget to deploy the jump addresses, then jump to the next section of the gadget to start execution. The second section of gadget mainly assigns the sp Stack pointer value to X0 and jumps to the next section of gadget. In this example, the user State cannot be obtained through X0 directly. Therefore, in gadget3, The X0 value is saved to the user State through a STR command. Shows the general idea of ROP. Looking for a gadget is a kind of physical activity to some extent. Of course, you can also use some tools to Make life easier. You can Google it on your own. Note that the gadget described here is just a general idea, and there may be some differences between it and the actual environment.

After we get the sp value, we can calculate the address of the addr_limit field. On the arm64 system, the maximum stack depth is 16 kb. Second, the addr_limit field is located at the position of thread_info structure + 8. Therefore, the calculation method is as follows:

unsigned long thread_info_addr = sp & 0xFFFFFFFFFFFFC000;unsigned long addr_limit_addr = thread_info_addr + 8;printf("addr_limit_addr: %p\n", addr_limit_addr); 

Finally, we set the addr_limit value to 0 xffffffffffffff through the drop-down method. Similarly, we can control the content of the X1 register at will. The first piece of gadget is used to set the jump addresses. The second step of the gadget command is to complete the main task, that is, to complete the patch addr_limit through a STR command. Finally, jump to the inet_release function return. The general idea of ROP.

After completing the patch of the addr_limit field, the user State can read and write the kernel state at will. There will be a lot of options. One way is to first determine the address of task_struct, which is at the position of thread_info + 0x10. After obtaining the task_struct address, you can locate the cred field, and then patch uid, gid, capability, selinux, and so on. In practice, by combining known vulnerabilities, the above scheme can be successfully tested on some recently released 64-bit flagship models ,. Of course, this idea also applies to 32-bit models.

Suppose we are using an arbitrary Write Vulnerability, so the PXN bypass method is similar. First, a function pointer of the Kernel is controlled through any write hole, pointing to our gadget to leak the sp value. Next, you can directly use the arbitrary write capability to patch addr_limit (no need to patch through the ROP ).

Summary

In recent years with the study of Android, Linux more and more in-depth, general Linux platform vulnerabilities, such as: CVE-2013-6282, CVE-2014-3153 (towelroot) and the latest CVE-2015-3636 (pingpong) have been made public. At the same time, the latest vulnerability mitigation mechanism used in Linux makes it more difficult to exploit system vulnerabilities. However, technologies that bypass these mitigation mechanisms are also being developed. The Attack and Defense Games will never end.