-
Notifications
You must be signed in to change notification settings - Fork 418
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add kernelCTF CVE-2023-5345 (lts & mitigation)
- Loading branch information
1 parent
c00f2d6
commit bb04e82
Showing
13 changed files
with
4,551 additions
and
0 deletions.
There are no files selected for viewing
105 changes: 105 additions & 0 deletions
105
pocs/linux/kernelctf/CVE-2023-5345_lts_mitigation/docs/novel-techniques.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
# Exploitation technique | ||
|
||
To my knowledge, the following exploitation techniques are not known/publicly-documented: | ||
|
||
## Leverage `struct netlink_sock` to get arbitrarily read/write primitive | ||
- This technique is used in mitigation exploit. | ||
|
||
### Advantages | ||
- Do not need to setup network user namespace. | ||
- Can read large bytes from specify address. | ||
- Live in less noisy heap. Therefore, free the current fake `struct netlink_sock` object and reclaim with new address to read from or write to is very stable. | ||
- Can be used to perform data only attack. | ||
|
||
### Disadvantages | ||
- Cannot read from invalid memory address. | ||
- Can only write 4 bytes per fake `struct netlink_sock` object. | ||
- Only allocate on kmalloc-2048 (dyn-kmalloc-2048 in mitigation instace). | ||
- In case Apparmor is enabled, `sk-security` need to be valid pointer. | ||
|
||
## Leverage `struct packet_fanout` to get arbitrarily free primitive | ||
- This technique is used in mitigation exploit. | ||
|
||
### Advantages | ||
- Can be allocate on kmalloc-256 -> kmalloc-8192 (dyn-kmalloc-256 -> dyn-kmalloc-8192 in mitigation instance). | ||
|
||
### Disadvantages | ||
- Require CAP_NET_RAW to create packet socket. | ||
- Need to setup data look like `struct packet_fanout` object in the free location. Let's call this location: A1. | ||
- Need to control at least one `struct packet_fanout` object linked list. This fake linked list will be used to reach A1. | ||
|
||
## Overlap `struct user_key_payload` object with `struct packet_fanout` object | ||
- This technique is used in mitigation exploit. | ||
|
||
```c | ||
struct packet_fanout { | ||
possible_net_t net; | ||
unsigned int num_members; | ||
u32 max_num_members; | ||
u16 id; | ||
u8 type; | ||
u8 flags; | ||
union { | ||
atomic_t rr_cur; | ||
struct bpf_prog __rcu *bpf_prog; | ||
}; | ||
struct list_head list; | ||
spinlock_t lock; | ||
refcount_t sk_ref; | ||
struct packet_type prot_hook ____cacheline_aligned_in_smp; | ||
struct sock __rcu *arr[]; | ||
}; | ||
``` | ||
|
||
```c | ||
struct packet_type { | ||
__be16 type; /* This is really htons(ether_type). */ | ||
bool ignore_outgoing; | ||
struct net_device *dev; /* NULL is wildcarded here */ | ||
netdevice_tracker dev_tracker; | ||
int (*func) (struct sk_buff *, | ||
struct net_device *, | ||
struct packet_type *, | ||
struct net_device *); | ||
void (*list_func) (struct list_head *, | ||
struct packet_type *, | ||
struct net_device *); | ||
bool (*id_match)(struct packet_type *ptype, | ||
struct sock *sk); | ||
struct net *af_packet_net; | ||
void *af_packet_priv; | ||
struct list_head list; | ||
}; | ||
``` | ||
|
||
```c | ||
static LIST_HEAD(fanout_list); | ||
``` | ||
- Let's call the overlapped `struct packet_fanout`: pf. | ||
### Advantages | ||
- Can be overlapped in kmalloc-256 -> kmalloc-8192 (dyn-kmalloc-256 -> dyn-kmalloc-8192 in mitigation instace). | ||
- Read "in object" heap only. This make the leak 100% success. Especially useful on mitigation instance where reading out-of-slab data lead to kernel crash. | ||
- Each new allocated `struct packet_fanout` is inserted at the head of `fanout_list`. Therefore, read `pf->list.prev` will allow to leak heap address from kmalloc-256 -> kmalloc-8192 (dyn-kmalloc-256 -> dyn-kmalloc-8192 in mitigation instance). | ||
- Read `pf->prot_hook.func` will give us address of `packet_rcv_fanout` kernel function. This can be used to calculate kernel base. | ||
- Read `pf->prot_hook.id_match` will give us address of `match_fanout_group` kernel function. This can be used to calculate kernel base. | ||
- Read `pf->prot_hook.af_packet_priv` will give us address of our overlapped `struct packet_fanout` object that we are currenly using. | ||
- Read `pf->prot_hook.af_packet_net` will give us address of current `net` namespace. | ||
### Disadvantages | ||
- Require CAP_NET_RAW to create packet socket. | ||
- Require specific primitive to make the overlap happen. | ||
## Leverage `struct ovl_dir_file` to get code execution | ||
- This technique is used in LTS instance. | ||
### Advantages | ||
- Need to control only `is_real` field and `realfile` field. | ||
- When trigger code execution through lseek, RBP register set to `offset` value passed into lseek. Usually, we can find gadget like: `mov rsp, rbp; pop rbp; ret`. | ||
### Disadvantages | ||
- Require CAP_SYS_ADMIN to mount overlayfs. | ||
- Allocate only on kmalloc-64. | ||
- Need a place to store fake `struct file_operations` object with `lseek` pointer set to gadget address | ||
- Need a place to store fake `struct file` object with `f_op` pointer set to fake `struct file` object. |
27 changes: 27 additions & 0 deletions
27
pocs/linux/kernelctf/CVE-2023-5345_lts_mitigation/docs/vulnerability.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
# Vulnerability | ||
|
||
A double-free vulnerability was found in the Linux kernel's SMBFS subsystem (`fs/smb/client/fs_context.c`). Forget to reset pointer to NULL after kfree_sensitive makes it possible to trigger the free again on the same pointer. | ||
|
||
## Requirements to trigger the vulnerability: | ||
- Capabilities: To trigger the vulnerability, `CAP_SYS_ADMIN` capability is required to use fsopen syscall. | ||
- Kernel configuration: `CONFIG_SMBFS` is required to trigger this vulnerability. | ||
- Are user namespaces needed?: Yes. As this vulnerability requires `CAP_SYS_ADMIN`, which is not usually given to the normal user, we used the unprivileged user namespace to achieve this capability. | ||
|
||
## Commit which introduced the vulnerability | ||
- This vulnerability was introduced in Linux v6.0.16, with commit [a4e430c8c8ba96be8c6ec4f2eb108bb8bcbee069](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a4e430c8c8ba96be8c6ec4f2eb108bb8bcbee069) | ||
- This commit replaced `kfree` with `kfree_sensitive`. | ||
|
||
## Commit which fixed the vulnerability | ||
- This vulnerability was fixed with commit [e6e43b8aa7cd3c3af686caf0c2e11819a886d705](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6e43b8aa7cd3c3af686caf0c2e11819a886d705) | ||
|
||
## Affected kernel versions | ||
- Linux version 6.0.16 - 6.5.5 affects to this vulnerability | ||
|
||
## Affected component, subsystem | ||
- fs/smb/client | ||
|
||
## Cause (UAF, BoF, race condition, double free, refcount overflow, etc) | ||
- Double-free | ||
|
||
## Which syscalls or syscall parameters are needed to be blocked to prevent triggering the vulnerability? (If there is any easy way to block it.) | ||
- Block fsopen syscall with `smb3` in `_fs_name` parameter. |
4 changes: 4 additions & 0 deletions
4
pocs/linux/kernelctf/CVE-2023-5345_lts_mitigation/exploit/lts-6.1.52/Makefile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
exploit: | ||
gcc -static exploit.c -o exploit -lkeyutils | ||
run: | ||
./exploit |
Binary file added
BIN
+1.02 MB
pocs/linux/kernelctf/CVE-2023-5345_lts_mitigation/exploit/lts-6.1.52/exploit
Binary file not shown.
Oops, something went wrong.