Vulners
Lucene search
LG G4 - Touchscreen Driver write_log Kernel Read/Write Exploit
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=990
The following function (and variations on the same code) is used to write to
files from kernel code in various touchscreen drivers. This copy is from
RefCode_CustomerImplementation.c - I'm unsure which copy is actually being used
on the LG G4, but I can trigger the vulnerability. A function with the same
issues exists as "write_file" in several files.
int _write_log(char *filename, char *data)
{
struct file *file;
loff_t pos = 0;
int flags;
char *fname = "/data/logger/touch_self_test.txt";
char *fname_normal_boot = "/sdcard/touch_self_test.txt";
char *fname_mfts_folder = "/data/logger/touch_self_test_mfts_folder.txt";
char *fname_mfts_flat = "/data/logger/touch_self_test_mfts_flat.txt";
char *fname_mfts_curved = "/data/logger/touch_self_test_mfts_curved.txt";
int cap_file_exist = 0;
if (f54_window_crack || f54_window_crack_check_mode == 0) {
mm_segment_t old_fs = get_fs();
set_fs(KERNEL_DS);
flags = O_WRONLY | O_CREAT;
if (filename == NULL) {
flags |= O_APPEND;
switch (mfts_mode) {
case 0:
if (factory_boot)
filename = fname;
else
filename = fname_normal_boot;
break;
case 1:
filename = fname_mfts_folder;
break;
case 2:
filename = fname_mfts_flat;
break;
case 3:
filename = fname_mfts_curved;
break;
default:
TOUCH_I("%s : not support mfts_mode\n",
__func__);
break;
}
} else {
cap_file_exist = 1;
}
if (filename) {
file = filp_open(filename, flags, 0666);
sys_chmod(filename, 0666);
} else {
TOUCH_E("%s : filename is NULL, can not open FILE\n",
__func__);
return -1;
}
if (IS_ERR(file)) {
TOUCH_I("%s : ERR(%ld) Open file error [%s]\n",
__func__, PTR_ERR(file), filename);
set_fs(old_fs);
return PTR_ERR(file);
}
vfs_write(file, data, strlen(data), &pos);
filp_close(file, 0);
set_fs(old_fs);
log_file_size_check(filename);
}
return cap_file_exist;
}
int write_log(char *filename, char *data)
{
return _write_log(filename, data);
}
This code is setting KERNEL_DS, and there is a code-path in which it does not
restore USER_DS before returning (when mfts_mode is outside the range [0, 3] and
the filename argument is NULL). This can be triggered by first writing to the
sysfs node /sys/devices/virtual/input/lge_touch/mfts and then reading from the
sysfs node /sys/devices/virtual/input/lge_touch/sd. (root needed to write to mfts node).
Once the kernel has returned control to userland with KERNEL_DS set, userland can simply read/write from arbitrary kernel addresses. See
attached for a working exploit for the LG G4, which when run as root will
disable selinux enforcement.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41353.zip
# 0day.today [2018-02-19] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Feb 2017 00:00Current
7High risk
Vulners AI Score7