Message-ID: <trinity-10aeed49-cb96-47d9-818e-b938913e6fce-1620770433273@3c-app-gmx-bap63>
Date:   Wed, 12 May 2021 00:00:33 +0200
From:   Norbert Slusarek <nslusarek@....net>
To:     oss-security@...ts.openwall.com
Cc:     netdev@...r.kernel.org, socketcan@...tkopp.net, mkl@...gutronix.de,
        alex.popov@...ux.com, linux-can@...r.kernel.org,
        seth.arnold@...onical.com, steve.beattie@...onical.com,
        cascardo@...onical.com
Subject: Linux kernel: net/can/isotp: race condition leads to local
 privilege escalation

A race condition in the CAN ISOTP networking protocol was discovered which
allows forbidden changing of socket members after binding the socket.

In particular, the lack of locking behavior in isotp_setsockopt() makes it
feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the socket, despite having
previously registered a CAN receiver. After closing the isotp socket, the CAN
receiver will still be registered and use-after-frees can be triggered in
isotp_rcv() on the freed isotp_sock structure.
This leads to arbitrary kernel execution by overwriting the sk_error_report()
pointer, which can be misused in order to execute a user-controlled ROP chain to
gain root privileges.

The vulnerability was introduced with the introduction of SF_BROADCAST support
in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional
addressing") in 5.11-rc1.
In fact, commit 323a391a220c ("can: isotp: isotp_setsockopt():
block setsockopt on bound sockets") did not effectively prevent isotp_setsockopt()
from modifying socket members before isotp_bind().

The requested CVE ID will be revealed along with further exploitation details
as a response to this notice on 13th May of 2021.

Credits: Norbert Slusarek

*** exploit log ***

Adjusted to work with openSUSE Tumbleweed.

noprivs@...e:~/expl> uname -a
Linux suse 5.12.0-1-default #1 SMP Mon Apr 26 04:25:46 UTC 2021 (5d43652) x86_64 x86_64 x86_64 GNU/Linux
noprivs@...e:~/expl> ./lpe
[+] entering setsockopt
[+] entering bind
[+] left bind with ret = 0
[+] left setsockopt with flags = 838
[+] race condition hit, closing and spraying socket
[+] sending msg to run softirq with isotp_rcv()
[+] check sudo su for root rights
noprivs@...e:~/expl> sudo su
suse:/home/noprivs/expl # id
uid=0(root) gid=0(root) groups=0(root)
suse:/home/noprivs/expl # cat /root/check
high school student living in germany looking for an internship in info sec.
if interested please reach out to nslusarek@....net.

Regards,
Norbert Slusarek
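
The state inconsistency described in the message above, reduced to a deterministic single-threaded model; this is an added example, not part of the original post and not kernel code. The names `model_sock`, `model_bind`, `model_setsockopt_racing_bind` and `model_release`, the boolean stand-in for the socket lock, the constant's value and the close rule are assumptions of the model.

```c
#include <stdbool.h>
#define SF_BROADCAST 0x800u /* model stand-in for CAN_ISOTP_SF_BROADCAST */
struct model_sock {
    unsigned flags;
    bool bound;
    bool rx_registered;    /* a CAN receiver still points at this socket */
    bool locked, use_lock; /* lock stand-in; use_lock=false: unlocked path */
};

/* bind: registers a receiver unless the socket is broadcast-only. */
static int model_bind(struct model_sock *s)
{
    if (s->locked)
        return -1; /* a real bind would sleep until the lock is released */
    s->rx_registered = !(s->flags & SF_BROADCAST);
    s->bound = true;
    return 0;
}

/* setsockopt with a bind arriving between the bound check and the write. */
static int model_setsockopt_racing_bind(struct model_sock *s, unsigned flags)
{
    s->locked = s->use_lock;
    if (s->bound) { s->locked = false; return -1; }
    model_bind(s); /* the concurrent bind lands in this window */
    s->flags = flags;
    s->locked = false;
    return 0;
}

/* close (assumed rule): unregister only if the flags say bind registered. */
static void model_release(struct model_sock *s)
{
    if (s->bound && !(s->flags & SF_BROADCAST))
        s->rx_registered = false;
    s->bound = false;
}

/* Returns true if a receiver still references the socket after close. */
bool dangling_receiver_after_close(bool use_lock)
{
    struct model_sock s = { .use_lock = use_lock };
    model_setsockopt_racing_bind(&s, SF_BROADCAST);
    if (!s.bound) model_bind(&s); /* blocked bind runs once lock drops */
    model_release(&s);
    return s.rx_registered;
}

int main(void) { return !dangling_receiver_after_close(false) || dangling_receiver_after_close(true); }
```

With the lock held across both the bound check and the flag write, bind can only run before or after setsockopt, so the flags seen at close always match what bind registered.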
