CVE-2 0 1 6-1 7 5 7 a simple analysis-vulnerability warning-the black bar safety net

2016-04-09T00:00:00
ID MYHACK58:62201673460
Type myhack58
Reporter 佚名
Modified 2016-04-09T00:00:00

Description

Recent 1 0. 1 1. 4 patch fixes a use condition of competition to get code execution permissions of vulnerability after the kernel source code as well as poc to understand after the first of the issues to make a simple analysis. 0x01 basics 1.1 the exec function to process I'm in the OSX kernel to load the mach-o Process Analysis in the more detailed analysis of the exec throughout the implementation process, the more important of several functions, this is a comparison of the streamline of a flow chart. ! 1.2 mach_vm_ API Mach provides a user layer of the virtual memory mode of operation. A series of vm_map_t make the operation of the API to the virtual memory make a lot of operation. Here vm_map_t is the PORT. This series of API there are many, here only briefly introduce the POC will be used to the API. 1.2.1 mach_vm_allocate mach_vm_allocate(vm_map_t map,mach_vm_address_t address,mach_vm_size_t size,int flags); In the map allocates size bytes the size of the memory, according to the flags of the different will have a different approach. the address is an I/O parameters such as: the acquisition after the allocation of the memory size. If the flags value is not VM_FLAGS_ANYWHERE, then memory will be allocated to the address pointing to the address. 1.2.2 mach_vm_region kern_return_t mach_vm_region( vm_map_t map, mach_vm_offset_t address, / IN/OUT / mach_vm_size_t size, / OUT / vm_region_flavor_t flavor, / IN / vm_region_info_t info, / OUT / mach_msg_type_number_t count, / IN/OUT / mach_port_t object_name) / OUT / Get the map points to the tasks, address the address of the start of the VM region and virtual memory region information. Currently the mark for flavor only VM_BASIC_INFO_64 it. Get the info data structure is as follows. struct vm_region_basic_info_64 { vm_prot_t protection; vm_prot_t max_protection; vm_inherit_t inheritance; boolean_t shared; boolean_t reserved; memory_object_offset_t offset; vm_behavior_t behavior; unsigned short user_wired_count; }; 1.2.3 mach_vm_protect kern_return_t mach_vm_protect( mach_port_name_t task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection) To address to address+size which is a segment of memory set the memory protection policy,new_protection is finally set to become a protection mechanism. 1.2.4 mach_vm_write kern_return_t mach_vm_write( vm_map_t map, mach_vm_address_t address, pointer_t data, __unused mach_msg_type_number_t size) The address points to the memory to rewrite the content. 1.3 Ports Ports is a Mach provide the task between each other interaction mechanism, through the Ports can be done similar to inter-process communication behavior. Each Ports will have its own permissions.

define MACH_PORT_RIGHT_SEND ((mach_port_right_t) 0)

define MACH_PORT_RIGHT_RECEIVE ((mach_port_right_t) 1)

define MACH_PORT_RIGHT_SEND_ONCE ((mach_port_right_t) 2)

define MACH_PORT_RIGHT_PORT_SET ((mach_port_right_t) 3)

define MACH_PORT_RIGHT_DEAD_NAME ((mach_port_right_t) 4)

define MACH_PORT_RIGHT_LABELH ((mach_port_right_t) 5)

define MACH_PORT_RIGHT_NUMBER ((mach_port_right_t) 6)

The Ports can be in different task between the transfer, the pass through can be given other task to the ports of the operating authority. For example, the POC used is in the parent process and the child process between the transfer Port to get the memory operation permissions. 0x02 vulnerability principles The kernel processing setuid program when there is a time window, by this time window, the process Port is closed before, has a process Port of the program can be rewritten in the target process's arbitrary memory, by rewriting the memory you can use the target process's root privileges to execute arbitrary shellcode in. 2.1 execv process vulnerability ! load_machfile source code analysis exec_mach_imgact source code analysis In swap_task_map and exec_handle_suid between there is a time window, the task port can memory to make changes. Specific details can refer to the poc, but also can refer to the source code analysis of the log.

[1] [2] [3] [4] [5] [6] [7] [8] next