During the last few months/year I was studying and approaching the Kernel Exploitation subject and during this journey I developed few tools that assissted me (and currently assist) on better understanding specific topics. Today I want to release my favourine one: KRWX (Kernel Read Write Execute). It is a simple LKM (Linux Kernel Module) that lets you play with kernel memory, allocate and free kernel objects directly from user-land!
What
The main goal of this tool is to use kernel functions from userland (from C code) in order to avoid slower kernel debugging and developing of kernel modules to demostrate specific vulnerabilities (instead, you can emulate them with provided IOCTLs). Also, it can assist the exploitation phase. These are the project main features (all these features are accessible from a low level user from user-land):
Arbitrary kfree objects (and also free arbitrary addresses, if you want)
Allocate/free multiple objects
Log every copy_[from|to]_user/ kmalloc/kfree called by the KRWX module through hooking (readable from dmesg).
Mainly, a more powerful read and write primitive :]
Why
Initially I was writing this module to study the SLUB memory allocator in Linux by allocating, freeing and re-allocating arbitrary chunks easily from an userland process. That automatically leads to study also some exploitation techniques that, with this module, I found a lot easier to understand since you can easily play with kernel memory as you are the god of your system. Then I started to heavily use it for multiple purposes and thatβs the reason why Iβm sharing it.
How
These are some exported functions:
void* kmalloc(size_t arg_size, gfp_t flags) -> Allocate a chunk with specific size and flag options.
int kfree(void* address) -> Free arbitrary chunks by their address (also, you can free arbitrary memory).
unsigned long int kread64(void* address) -> Read 8 bytes of memory at address.
int kwrite64(void* address, uint64_t value) -> Write 8 bytes specified by value into address.
void read_memory(void* start_address, size_t size) -> Read size amount of memory starting from start_address.
And, since one of my favourite hobby is overengineer and Iβm lazy enough to do not want to write loops everytime:
void multiple_kmalloc(void** array, uint32_t n_objs, uint32_t size) -> Allocate n_objs number of objects with specified size and return addresses in array.
void multiple_kfree(void** array, uint64_t to_free[], uint64_t to_free_size) -> Free specified addresses in to_free from array (to_free_size is the size of the to_free array). If youβre interested in the source code feel free to check out the github project.
Examples
Allocate, free and read arbitrary chunks
You can find the full source code in example/01.c. Here will follows some snippets and a little walkthrough.
First, include the external library and call its initialization function (init_krwx):
#include "./lib/krwx.h"
int main(){
init_krwx();
[..]
}
So, 10 chunks with size 256 are allocated using multiple_kmalloc, and the memory of the 7th allocation is read using read_memory after writing 0x4141414141414141 at its first bytes:
Once they are freed, new chunks with the same size are allocated and initialized with 0x4343434343434343, and the memory of the 7h freed chunk is displayed using read_memory again:
With few lines of code has been demostrated how our 7th chunk has been replaced with a new one after it has been freed (the read_memory targeted the chunks[7]). As simple as it is, it has been written for demonstration purposes.
Use-After-Free
To simulate a UAF scenario itβs simple as few lines of code:
void* chunk = kmalloc(<SIZE>, <FLAGS>);
kfree(chunk);
// Allocate your target chunk
// Simulate UAF using k[write|read]64()
For example, if we want to simulate an attack scenario where we want to replace our vulnerable freed chunk with a target object (for example an iovec struct) we can allocate a chunk with kmalloc and later kfree it just before allocating the target structure:
// Allocate the vulnerable object
void* chunk = kmalloc(150, _GFP_KERN);
// Allocate target object
struct iovec iov[10] = {0};
char iov_buf[0x100];
iov[0].iov_base = iov_buf;
iov[0].iov_len = 0x1000;
iov[1].iov_base = iov_buf;
iov[1].iov_len = 0x1337;
int pp[2];
pipe(pp);
if(!fork()){
kfree(chunk); // Freeing the chunk just before allocating the iovec
readv(pp[0], iov, 10); // allocate iovec and blocks (keeping the object in the kernel)
exit(0);
}
sleep(1); // Give time to the child process
read_memory(chunk, 0x40);
Then, with read_memory we can show the block of memory in our interest and as you can see from the following output, our arbitrary allocated/freed object has been replaced with the target object:
Instead of just print the content, you can simulate a UAF read/write using k[read|write] and play with it.
The full code of this example can be found in client/example/02.c
Setup
To compile the module change the K variable in the Makefile with your compiled kernel root directory and compile with make, then insmod.
Conclusions
Personally, I used it to study the SLUB allocator, understand UAF/Heap Overflows/Double Free/userfaultd and some hardening features in the kernel, but it can assist the exploitation phase too or more. Blog posts on some Kernel vulnerabilities and their attack methodologies will follow these months and this module will come useful to demonstrate them. So, stay tuned and enjoy !
PS. The βExecuteβ part of the name will be a future implementation to control pc/rip.
I was searching for a vulnerability that permitted me to practise what Iβve learned in the last period on Linux Kernel Exploitation with a βreal-lifeβ scenario. Since I had a week to dedicate my time in Hacktive Security to deepen a specific argument, I decided to search for a public vulnerability without a public exploit to develop it by myself. After a quick introduction on how I found the known vulnerability, I will detail the exploitation phase of a race condition that leads to a Use-After-Free in Linux kernel 4.9.
TL;DR
This blog post has two parts:
Vulnerability hunting: About public resources to identify known vulnerabilities in the Linux Kernel in order to practise some Kernel Exploitation in a real-life scenario. These resources includes: BugZilla, SyzBot, changelogs and git logs.
Kernel Exploitation: The vulnerability is a Race Condition that causes a write Use-After-Free. The race window has been extended using the userfaultd technique handling page faults from user-space and usingΒ msg_msgΒ to leak a kernel address and I/O vectors to obtain a write primitive. With the write primitive, theΒ modprobe_pathΒ global variable has been overwritten and a root shell popped.
Public bugs
The first thing I asked myself was: how do I find a suitable bug for my purpose? I excluded searching it by CVE since not all vulnerabilities have an assigned CVE (and usually they are the most βfamousβ ones) and thatβs when I used the most powerful hacking skill: googling. That led me to various resources that I would like to share today starting by saying that thatβs only the result of my personal work that could not reflect the best way to perform the same job. That said, this is what Iβve used to find my βmatchedβ Nday:
Bugzilla
SyzBot
Changelogs
Git log
Kernel changelogs is definetly my favourite one but letβs say few words on all of them.
BugZilla
BugZilla is the standard way to report bugs in the upstream Linux kernels. You can find interesting vulnerabilities organised by subsystem (e.g. Networking with IPv4 and IPv6 or file system with ext* types and so on) and you can also search for keywords (such as βoverflowβ, βheapβ, βUAFβ and so on ..) using the standard search or the more advanced one. The personal downside is the mix of a lot of βnon vulnerabilitiesβ, hangs and stuff like that. Also, you do not have the most powerful search options (e.g. some bash). However, it is still a good option and I personally pinned few vulnerabilities that i excluded afterwards.
Syzbot
βsyzbot is a continuous fuzzing/reporting system based on syzkaller fuzzerβ (Introducing the syzbot dashboard). Not the best GUI but at least you can have a lot of potentially open and fixed vulnerabilties. There isnβt a built-in search option but you can use your browserβs one or parse the HTML with an HTML parser. One of the downside, beyond the lack of searching, is the presence of tons of false-positives (in the βOpen sectionβ). However, upsides are pretty good: you can find open vulnerabilites (still not fixed), reproducers (C or syzlang), fixed commits and reported issues have the syzkaller nomenclature that is pretty self-explainationary.
Syzkaller-bugs (Google Group)
The lack of a search functionality in syz-bot is well replaced by the βsyzkaller-bugsβ Google Group from where you can find syz-bot reported bugs with additional information from the comment section and an enanched search bar. I really enjoy this option !
Changelogs
Thatβs my favourite method: download all changelogs from the kernel CDN of your desired kernel version and you can enjoy all downloaded files with your favourite bash commands. This approach is similar to search from git commits but with the advantage that it is way faster. With some bash-fu, you can download all changelogs for a target kernel version (e.g. 4.x) with the following inline:Β URL=https://cdn.kernel.org/pub/linux/kernel/v4.x/ && curl $URL | grep "ChangeLog-4.9" | grep -v '.sign' | cut -d "\"" -f 2 | while read line; do wget "$URL/$line"; done. Once all changelogs have been downloaded itβs possible toΒ grepΒ for juicy keywoards like UAF, OOB, overflow and so on. I found very useful to display text before and after the selected keyword, like:Β grep -A5 -B5 UAF *. In that way, you can instantly have quick information about vulnerability details, impacted subsystem, limitations, .. For each identified vulnerability, itβs possible to see its patch by diffing the patch commit with the previous one (linux source from git is needed):Β git diff <commit before> <commit patch>.
Git log
As said before, this is a similar approach to the βChangelogsβ method. The concept is pretty simple: clone the github repository and search for juicy keywoards in the commit history. You can do that with the following commands:
In that way, you can do the same thing as before onΒ git.logΒ file. The big downside, however, is that the file is too big and it takes more time (11.429.573 lines on 4.9.316). Thatβs the reason why I prefer the βChangelogβ method.
Hunt for a good vulnerability
I was searching for an Use-After-Free vulnerability and I started to search for it in all mentioned resources: BugZilla, SyzBot, Changelogs and git history. I wrote them down in a table with a resume description in order to further analyze them later on. I started to dig into few of them viewing their patch and source code in order to understand reachability, compile dependencies and exploitability. I strumbled into an interesting one: a vulnerability in the RAWMIDI interface (commit c13f1463d84b86bedb664e509838bef37e6ea317). I discovered it with the βChangelogβ method, by searching for the βUAFβΒ keyword reading the previous and next five lines:Β grep -A5 -B5 UAF *. By seeing its behaviours, I was convinced to go with that vulnerability, an Use-After-Free triggered in a race condition.
RAWMIDI interface
Before facing the vulnerability, letβs see few important things needed to follow this write-up. The vulnerable driver is exposed as a character device inΒ /dev/snd/midiC0D*Β (or similar name based on the platform) and depends onΒ CONFIG_SND_RAWMIDI. It exposes the following file operations:
The ones we are interesed into areΒ open,Β writeΒ andΒ unlocked_ioctl.
open
The open (snd_rawmidi_open) operation allocates everything needed to interact with the device, but what is just necessary to know for us is the first allocation ofΒ snd_rawmidi_runtime->bufferΒ asΒ GFP_KERNELΒ with a size of 4096 (PAGE_SIZE) bytes. This is theΒ snd_rawmidi_runtimeΒ struct:
struct snd_rawmidi_runtime {
struct snd_rawmidi_substream *substream;
unsigned int drain: 1, /* drain stage */
oss: 1; /* OSS compatible mode */
/* midi stream buffer */
unsigned char *buffer; /* buffer for MIDI data */
size_t buffer_size; /* size of buffer */
size_t appl_ptr; /* application pointer */
size_t hw_ptr; /* hardware pointer */
size_t avail_min; /* min avail for wakeup */
size_t avail; /* max used buffer for wakeup */
size_t xruns; /* over/underruns counter */
/* misc */
spinlock_t lock;
wait_queue_head_t sleep;
/* event handler (new bytes, input only) */
void (*event)(struct snd_rawmidi_substream *substream);
/* defers calls to event [input] or ops->trigger [output] */
struct work_struct event_work;
/* private data */
void *private_data;
void (*private_free)(struct snd_rawmidi_substream *substream);
};
write
After having allocated everything from theΒ openΒ operation, we can write into the file descriptor likeΒ write(fd, &buf, 10). In that way, it will fill 10 bytes into theΒ snd_rawmidi_runtime->bufferΒ and usingΒ snd_rawmidi_runtime->appl_ptrΒ it will remember the offset to start writing again later. In order to write into that buffer, the driver does the following calls:Β snd_rawmidi_writeΒ =>Β snd_rawmidi_kernel_write1Β =>Β copy_from_user
ioctl
TheΒ snd_rawmidi_ioctlΒ is responsible to handle IOCTL commands and the one we are interested in isΒ SNDRV_RAWMIDI_IOCTL_PARAMSΒ that callsΒ snd_rawmidi_output_paramsΒ with user-controllable parameter:
This IOCTL is crucial for this vulnerability. With this command itβs possible to re-size the internal buffer with an arbitrary value reallocating it[1] and later replace that buffer with the older one [2], that will be freed[3].
Vulnerability Analysis
The vulnerability has been patched by the commit βc13f1463d84b86bedb664e509838bef37e6ea317β that introduced a reference counter on the targeted vulnerable buffer. In order to understand where the vulnerbility lived itβs a good thing to see its patch:
diff --git a/include/sound/rawmidi.h b/include/sound/rawmidi.h
index 5432111c8761..2a87128b3075 100644
--- a/include/sound/rawmidi.h
+++ b/include/sound/rawmidi.h
@@ -76,6 +76,7 @@ struct snd_rawmidi_runtime {
size_t avail_min; /* min avail for wakeup */
size_t avail; /* max used buffer for wakeup */
size_t xruns; /* over/underruns counter */
+ int buffer_ref; /* buffer reference count */
/* misc */
spinlock_t lock;
wait_queue_head_t sleep;
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 358b6efbd6aa..481c1ad1db57 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -108,6 +108,17 @@ static void snd_rawmidi_input_event_work(struct work_struct *work)
runtime->event(runtime->substream);
}
+/* buffer refcount management: call with runtime->lock held */
+static inline void snd_rawmidi_buffer_ref(struct snd_rawmidi_runtime *runtime)
+{
+ runtime->buffer_ref++;
+}
+
+static inline void snd_rawmidi_buffer_unref(struct snd_rawmidi_runtime *runtime)
+{
+ runtime->buffer_ref--;
+}
+
static int snd_rawmidi_runtime_create(struct snd_rawmidi_substream *substream)
{
struct snd_rawmidi_runtime *runtime;
@@ -654,6 +665,11 @@ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
if (!newbuf)
return -ENOMEM;
spin_lock_irq(&runtime->lock);
+ if (runtime->buffer_ref) {
+ spin_unlock_irq(&runtime->lock);
+ kfree(newbuf);
+ return -EBUSY;
+ }
oldbuf = runtime->buffer;
runtime->buffer = newbuf;
runtime->buffer_size = params->buffer_size;
@@ -962,8 +978,10 @@ static long snd_rawmidi_kernel_read1(struct snd_rawmidi_substream *substream,
long result = 0, count1;
struct snd_rawmidi_runtime *runtime = substream->runtime;
unsigned long appl_ptr;
+ int err = 0;
spin_lock_irqsave(&runtime->lock, flags);
+ snd_rawmidi_buffer_ref(runtime);
while (count > 0 && runtime->avail) {
count1 = runtime->buffer_size - runtime->appl_ptr;
if (count1 > count)
@@ -982,16 +1000,19 @@ static long snd_rawmidi_kernel_read1(struct snd_rawmidi_substream *substream,
if (userbuf) {
spin_unlock_irqrestore(&runtime->lock, flags);
if (copy_to_user(userbuf + result,
- runtime->buffer + appl_ptr, count1)) {
- return result > 0 ? result : -EFAULT;
- }
+ runtime->buffer + appl_ptr, count1))
+ err = -EFAULT;
spin_lock_irqsave(&runtime->lock, flags);
+ if (err)
+ goto out;
}
result += count1;
count -= count1;
}
+ out:
+ snd_rawmidi_buffer_unref(runtime);
spin_unlock_irqrestore(&runtime->lock, flags);
- return result;
+ return result > 0 ? result : err;
}
long snd_rawmidi_kernel_read(struct snd_rawmidi_substream *substream,
@@ -1262,6 +1283,7 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream,
return -EAGAIN;
}
}
+ snd_rawmidi_buffer_ref(runtime);
while (count > 0 && runtime->avail > 0) {
count1 = runtime->buffer_size - runtime->appl_ptr;
if (count1 > count)
@@ -1293,6 +1315,7 @@ static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream,
}
__end:
count1 = runtime->avail < runtime->buffer_size;
+ snd_rawmidi_buffer_unref(runtime);
Two functions were added:Β snd_rawmidi_buffer_refΒ andΒ snd_rawmidi_buffer_unref. They are respectively used to take and remove a reference to the buffer usingΒ snd_rawmidi_runtime->buffer_refΒ when it is copying (snd_rawmidi_kernel_read1) or writing (snd_rawmidi_kernel_write1) into that buffer. But why this was needed? Because read and write operations handled byΒ snd_rawmidi_kernel_write1Β andΒ snd_rawmidi_kernel_read1Β temporarly unlock the runtime lock during the copying from/to userspace usingΒ spin_unlock_irqrestore[1]/spin_lock_irqrestore[2] giving a small race window where the object can be modified during theΒ copy_from_userΒ call:
static long snd_rawmidi_kernel_write1(struct snd_rawmidi_substream *substream, const unsigned char __user *userbuf, const unsigned char *kernelbuf, long count) {
// [..]
spin_unlock_irqrestore(&runtime->lock, flags); // [1]
if (copy_from_user(runtime->buffer + appl_ptr,
userbuf + result, count1)) {
spin_lock_irqsave(&runtime->lock, flags);
result = result > 0 ? result : -EFAULT;
goto __end;
}
spin_lock_irqsave(&runtime->lock, flags); // [2]
// [..]
}
If a concurrent thread re-allocate theΒ runtime->bufferΒ using theΒ SNDRV_RAWMIDI_IOCTL_PARAMSΒ ioctl, that thread can lock the object fromΒ spin_lock_irqΒ [1] (that has been left unlocked in the small race window given byΒ snd_rawmidi_kernel_write1) and free that buffer[2], making possible to re-allocate an arbitrary object and write on that. Also, theΒ kmalloc[3] inΒ snd_rawmidi_output_paramsΒ is called withΒ params->buffer_sizeΒ that is totally user controllable.
What happen if, while a thread is writing into the buffer withΒ copy_from_user, another thread frees that buffer using theΒ SNDRV_RAWMIDI_IOCTL_PARAMSΒ ioctl and reallocates a new arbitrary one? The object is replaced with an new one and theΒ copy_from_userΒ will continue writing into another object (the βvictim objectβ) corrupting its values => User-After-Free (Write).
The really good part about this vulnerability is the βfreedomβ you can have:
Itβs possible to callΒ kmallocΒ with an arbitrary size (and this will be the freed object that we are going to replace to cause a UAF) which means that we can target our favourite slab cache (based on what we need, ofc)
We can write as much as we want in the buffer with theΒ writeΒ syscall
Extend the Race Time Window
We know we have a small race window with few instructions while copying data from userland to kernel as explained before, but the great news is that we have aΒ copy_from_userΒ that can be suspended arbitrarly handling page fault in user-space ! Since I was exploiting the vulnerability in a 4.9 kernel (4.9.223) and hence userfaultd is still not unprivileged as in >5.11, we can still use it to extend our race window and have the necessary time to re-allocate a buffer!
Exploitation Plan
We stated that we are going to use the userfaultd technique to extend the time window. If you are new to this technique is well explainedΒ here, in thisΒ videoΒ (you can use substitles) andΒ here. To summarize: you can handle page faults from user-land, temporarly blocking kernel execution while handling the page fault. If weΒ mmapΒ a block of memory withΒ MAP_ANONYMOUSΒ flag, the memory will be demand-zero paged, meaning that itβs not yet allocated and we can allocate it via userfaultd. The idea using this technique is:
Initialize theΒ runtime->bufferΒ withΒ openΒ => This will allocate the buffer with 4096 size (that will land inΒ kmalloc-4096)
SendΒ SNDRV_RAWMIDI_IOCTL_PARAMSΒ ioctl command in order to re-allocate the buffer with our desired size (e.g. 30 wil land inΒ kmalloc-32)
Allocate withΒ mmapΒ a demand-zero paged (MAP_ANON) and initializeΒ userfaultdΒ to handle its page fault
writeΒ to the rawmidi file descriptor using our previously allocated mmaped memory => This will trigger the userland page fault inΒ copy_from_user
While the kernel thread is suspended waiting for the userland page fault we can send again theΒ SNDRV_RAWMIDI_IOCTL_PARAMSΒ in order to free the currentΒ runtime->buffer
We allocate an object in, for example,Β kmalloc-32Β and if we did some spray before on that cache it will take the place of the previous freedΒ runtime->buffer
We release the page fault from userland and theΒ copy_from_userΒ will continue writing its data (totally in user control) to the new allocated object
With this primitive, we can forges arbitrary objects withΒ arbitrary sizeΒ (specified in theΒ writeΒ syscall),Β arbitrary content,Β arbitrary offsetΒ (since we can trigger userfaultd between two pages as demostrated later on) andΒ arbitrary cacheΒ (we can control the size allocation in theΒ SNDRV_RAWMIDI_IOCTL_PARAMSΒ ioctl). As you can deduce, we have a really great and powerful primitive !
Information Leak
Victim Object
We are going to use what we previously explained in the βExploitation Planβ section to leak an address that we will re-use to have an arbitrary write. Since we can choose which cache trigger the UAF on (and thatβs gold from an exploitation point of view) I choose to leak theΒ shm_file_data->nsΒ pointer that points toΒ init_ipc_nsΒ in the kernelΒ .dataΒ section and it lives inΒ kmalloc-32Β (I also used the same function to spray theΒ kmalloc-32Β cache):
From that pointer, we will deduce the pointer ofΒ modprobe_pathΒ in order to use that technique later to elevate our privileges.
msg_msg
struct msg_msg {
struct list_head m_list;
long m_type;
size_t m_ts; /* message text size */
struct msg_msgseg *next;
void *security;
/* the actual message follows immediately */
};
struct msg_msgseg {
struct msg_msgseg *next;
/* the next part of the message follows immediately */
};
In order to leak that address, however, we have to compromise some other object inΒ kmalloc-32, maybe a length field that would read after its own object. For that case,Β msg_msgΒ is our perfect match because it has a length field specified in itsΒ msg_msg->m_tsΒ and it can be allocated in almost any cache starting fromΒ kmalloc-32Β toΒ kmalloc-4096, with just one downside: The minimun allocation for theΒ msg_msgΒ struct is 48 (sizeof(struct msg_msg)) and it can lands minimun atΒ kmalloc-64. If you want to read more about this structure you can checkoutΒ Fire of Salvation Writeup,Β Wall Of PerditionΒ and theΒ kernel source code. However, when a message is sent usingΒ msgsndΒ with size more thanΒ DATALEN_MSGΒ (((size_t)PAGE_SIZE-sizeof(struct msg_msg))) that is 4096-48, a segment (or multiple segments if needed) is allocated, and the message is splitted between theΒ msg_msgΒ (the payload is just after the struct headers) and theΒ msg_msgseg, with the total size of the message specified inΒ msg_msg->m_ts.
In order to allocate our target object inΒ kmalloc-32Β we have to send a message with size: ( ( 4096 β 48 ) + 10 ).
TheΒ msg_msgΒ structure will be allocated inΒ kmalloc-4096Β and the first (4096 β 48) bytes will be written in theΒ msg_msgΒ structure.
To allocate the remaining 10 bytes, a segmentΒ msg_msgsegΒ will be allocated inΒ kmalloc-32
With these conditions, we can forge theΒ msg_msgΒ structure inΒ kmalloc-4096Β overwriting itsΒ m_tsΒ value with our UAF and withΒ msgrcvΒ we can receive a message that will contains values past our segment allocated inΒ kmalloc-32Β (including our targetedΒ init_ipc_nsΒ pointer).
Dealing with offsets
However, we want to overwrite theΒ m_tsΒ value without overwriting anything else in theΒ msg_msgΒ structure, how we can do that? If you remember, I said we can overwrite chunks with arbitrary size, content andΒ offset. If we create aΒ mmapΒ memory with sizeΒ PAGE_SIZE * 2Β (two pages) and we handle the page fault only for the second page, we can start writing into the originalΒ runtime->bufferΒ and trigger the page fault when it receives theΒ msg_msg->m_tsΒ offset (0x18). Now that the kernel thread is blocked, itβs possible to replace the object withΒ msg_msgΒ and when theΒ copy_from_userΒ resumes, it will starts writing exactly at theΒ msg_msg->m_tsΒ value the remaining bytes. The size we are writing into the file descriptor is (0x18 + 0x2) since the first 0x18 bytes will be used to land at the exact offset and the 2 remaining bytes will writeΒ 0xffffΒ inΒ msg_msg->m_ts. The concept is also explained in the following picture:
Now from the received message fromΒ msgrcvΒ we can retrieve theΒ init_ipc_nsΒ pointer fromΒ shm_file_dataΒ and we can deduce theΒ modprobe_pathΒ address calculating its offset and proceed with the arbitrary write phase.
Arbitrary Write
In order to write at arbitrary locations we are using the same userfault technique described above but instead of targetingΒ msg_msgΒ we will use the Vectored I/O (pipeΒ +Β iovec) primitive. This primitive has been fixed in kernel 4.13 withΒ copyinΒ andΒ copyoutΒ wrappers, with anΒ access_okΒ addition. This technique has been widely used exploiting the Android Binder CVE-2019-2215 and is well detailedΒ hereΒ andΒ here.
The idea is to trigger the UAF once again but targeting theΒ iovecΒ struct:
TheΒ minimun allocationΒ forΒ iovecΒ occurs withΒ sizeof(struct iovec) * 9Β orΒ 16 * 9Β (144) that will land atΒ kmalloc-192Β (otherwise it is stored in the stack). However I choose to allocate 13 vectors usingΒ readvΒ to make the object land inΒ kmalloc-256.
TheΒ readvΒ is a blocking call thatΒ staysΒ (does not free) the object in the kernel so that we can corrupt it using our UAF and re-use it later with our arbitrary modified content. If we corrupt theΒ iov_baseΒ of anΒ iovecΒ structure we can write at arbitrary kernel addresses with aΒ writeΒ syscall since it is uses the unsafeΒ __copy_from_userΒ (same asΒ copy_from_userΒ but without checks).
Our idea is:
Resize theΒ runtime->bufferΒ withΒ SNDRV_RAWMIDI_IOCTL_PARAMSΒ in order to lands intokmalloc-256Β with a size greater than 192
writeΒ into the file descriptor specifycing a demanded-zero paged memory (MAP_ANON) so thatΒ copy_from_userΒ will stop its execution waiting for our user-land page fault handler
While the kernel thread is waiting, free the buffer using again the re-size ioctl commandΒ SNDRV_RAWMIDI_IOCTL_PARAMS
Allocate theΒ iovecΒ struct usingΒ readvΒ that will replace the previously allocatedΒ runtime->buffer
Resume the kernel execution releasing the page fault handler. Now theΒ copy_from_userΒ will start to write into theΒ iovecΒ structure and we will overwriteΒ iov[1].iov_baseΒ with theΒ modprobe_pathΒ address.
Now, in order to overwrite theΒ modprobe_pathΒ value we just have to write our arbitrary content using theΒ writeΒ syscall intoΒ pipe[0]. In the released exploit I overwrote the second iov entry (iov[1]) using the same technique described before with adjacent pages. However, itβs also possible to directly overwrite the firstΒ iov[0].iov_base.
Nice ! Now we have overwrittenΒ modprobe_pathΒ withΒ /tmp/xΒ and .. itβs time to pop a shell !
modprobe_path & uid=0
If you are not familiar withΒ modprobe_pathΒ I suggest you to check outΒ Exploiting timerfd_ctx Objects In The Linux KernelΒ and theΒ man page. To summarize,Β modprobe_pathΒ is a global variable with a default value ofΒ /sbin/modprobeΒ used byΒ call_usermodehelper_execΒ to execute a user-space program in case a program with an unkown header is executed. Since we have overwrittenΒ modprobe_pathΒ withΒ /tmp/x, when a file with an unknown header is executed, our controllable script is executed as root.
These are the exploit functions that prepares and later executes a suid shell:
What the exploit does is simply create theΒ /tmp/xΒ binary that will suid as root a file dropped inΒ /tmp/suidΒ and create a file with an unknown header (/tmp/nnn) that will trigger the executon as root ofΒ /tmp/xΒ fromΒ call_usermodehelper_exec. After that, theΒ /tmp/suidΒ gives root privileges and spawns a root shell.
POC:
/ $ uname -a
Linux (none) 4.9.223 #3 SMP Wed Jun 1 23:15:02 CEST 2022 x86_64 GNU/Linux
/ $ id
uid=1000(user) gid=1000 groups=1000
/ $ /main
[*] Starting exploitation ..
[+] userfaultfd registered
[*] First write to init substream..
[*] Resizing buffer_size to 4096 ..
[*] snd_write triggered (should fault)
[*] Freeing buf using SNDRV_RAWMIDI_IOCTL_PARAMS
[+] Page Fault triggered for 0x5551000!
s -l[*] Replacing freed obj with msg_msg .
[*] Waiting for userfaultd to finish ..
[*] Page fault thread terminated
[+] Page fault lock released
[+] init_ipc_ns @0xffffffff81e8d560
[+] calculated modprobe_path @0xffffffff81e42a00
[+] Starting the arbitrary write phase ..
[*] Closing and reopening re-opening rawmidi fd ..
[+] userfaultfd registered
[*] First write to init substream..
[*] Resizing buffer_size to land into kmalloc-256 ..
[*] snd_write triggered (should fault)
[*] Freeing buf from SNDRV_RAWMIDI_IOCTL_PARAMS
[+] Page Fault triggered for 0x7771000!
[*] Waiting for readv ..
[*] Page fault thread terminated
[+] Page fault lock released
[*] Writing into the pipe ..
[*] write = 24
[+] enjoy your r00t shell [:
/ # id
uid=0(root) gid=0 groups=1000
/ #
Conclusion
I illustrated my experience on finding a public vulnerability using public resources to practise some linux kernel exploitation. Once identified a good candiate, I developed the exploit for a 4.9 kernel achieving arbitrary read and write. With tese primitives, a root shell was spawned.
Tl;Dr The Engintron plugin for CPanel presents a default configuration which could expose applications to account takeover and / or sensitive data exposure due to cache poisoning attacks.
Whenever a client sends a request to a web server, the received response is processed and served by the back-end service each time.
Default Request-Response HTTP Flow
In case of an high traffic volume, this behavior could generate a server overload, resulting in service performance issues. To solve this problem, reverse proxies implements mechanisms such as the web cache. When a user sends a request to a reverse proxy, the nginx core module will first check if a valid response is available in its caching storage. if no valid response is found, the original client request is then forwarded to the webserver, and the response is stored for future use before being send back to the client.
When another user will request the same resource, the nginx core will serve the response stored in the cache, instead of forwarding the request to the backend server, resulting in a much more fluent browsing for the client.
Request-Cached response HTTP Flow
Once the cache time is expired, the cached response is deleted. When another user request the same resource, the flow starts again by getting a new response from the webserver, storing it in the cache and so on.
Request-Store in cache HTTP Flow
Web-cache is also a complex mechanism which could easily be misconfigured, resulting in a wide variety of attack vectors.
Finding the bug
Engintron is an Nginx implementation for CPanel, which comes with some pre-enabled advanced functionalities, such as a micro-caching service for dynamic HTML content.
Micro caching configuration
This caching service allows the storage of dynamic HTML responses in the cache for 1 second. To avoid caching responses containing sensitive information, the application avoids caching responses for requests carrying cookies or urls with some common prefix
Cookie validation regexURI validation regex
The cache key is set to $MOBILE$scheme$host$request_uri, meaning that two users sending a request to the same URL could receive the same responses.
Attack scenario
Scenario: A small webapplication used to send personal information for a candidacy, hosted by an Apache Web Server behind Nginx and running on a CPanel instance. The Nginx implementation is handled with the plugin βEngintronβ.
Session handling is required, as the application allows to resume the candidacy later on by using a password set during the initial submission.
The first step requires some basic personal information, an email address and a password.
Vulnerable service homepage
The email and the password can be used to resume the candidacy later on.
Resume candidacy on vulnerable service
When submitting this form, the backend writes the provided information into a temporary file, and the client gets redirected to the second step.
Temporary file containing sensitive information
After a redirect to step2.php, some additional information are required, before being able to submit the final candidacy.
vulnerable application candidacy step 2
When the form gets submitted the temporary file is deleted, and the session is discarded as not useful anymore.
The attack
the response where the session cookie is being set is not handling cache control, exposing the application to some sort of web-cache poisoning attack, which would lead to account takeovers and sensitive data disclosure.
As mentioned at the beginning of this article, Engintron presents a micro-caching service which holds dynamic HTML resources in the reverse proxy cache for 1 second. Letβs analyze some responses:
Non cached response HTTP response
A legitimate request carrying the set βsession-cookieβ results in the Engintron cache being ignored. To verify this it is possible to send several requests in a short period of time, looking for discrepances in the responses, or for some header containing cache directives, such as βX-Nginx-Upstream-Cache-Statusβ. In this case, the cache-status header explicitly declare a bypass of the cached context.
Using the Burpsuite intruder we can send the request 100 times in a short period of time to verify it
Configuring intruder attack
and as expected, there is no difference in any of the responses
Verifying differences in responses
This happens because the βsession-cookieβ cookie matches the engintron regex and prevents caching of private responses.
To get a cached response we have to provide a request which does not get validated by any of the Engintron cache bypass conditions. This is possible simply by removing the Cookie header from the request.
Cached response
The cached response contained a really interesting header: βSet-Cookieβ. This header is setting the session-cookie value for the current user, identifying a session.
By sending the request twice in the same second, we would get the same set-cookie header. To verify this, we can wrap a curl command in a while loop and observe that multiple responses are carrying the same value.
Verifying cached session cookie
Because of this, an attacker could automate the process of retrieving valid session cookies from the cached context, and try to use them to retrieve user sensitive information before he submits the final form.
To perform this attack Iβve built a small tool written in GO. Please excuse me for my bad code writing skill, I will try to explain the relevant parts of the exploit code.
The exploit starts a thread which collects a new cookie for each second, storing it in a JSON file
Exploit function retrieving cached cookies
The cookie struct is holding the cookie value, how many times it got used by the script (Count), and if it got used to retrieve sensitive information (Consumed).
the JSON file looks like this
Stored / stolen session cookies JSON file
While the first thread collects cookies, a second thread is spawned to collect any new sensitive data associated with the stolen sessions.
Exploit collecting sensitive information
When the βmydata.phpβ page content length is greater then 933, it means that some data has been stored, and in that case a copy of the response would get saved.
Follows a video showing a proof of concept of the mentioned exploit
Exploit video proof-of-concept
This kind of application logic is common in many scenarios such as job candidacies. The impact of this issue highly depends on the kind of data processed by the application.
Another thing to note is that detecting attacks like this would be really difficult, as the generated traffic would look legit.
Remediation
As a workaround for this issue it is recommended to disable the dynamic cache service from Engintron. To do this, it is necessary to comment the line 53 in the configuration file located at /etc/nginx/common_http.conf
Slide: https://hacktivesecurity-my.sharepoint.com/:b:/p/alessandro/EX9sSrCCRIlLqvkHoRl7_jQBB6xKgV_qLL9UA5fIwf2Cbw?e=cCQpix Materiale utilizzato nel video (per poter replicare i lab): https://hacktivesecurity-my.sharepoint.com/:u:/p/alessandro/EX08cV3wTzZJsEeEQwZvw80BbybF2CpUmJdsXXGlY0hnwA?e=JaGru3 Il materiale Γ¨ stato testato con Ubuntu 20.04 con architettura x86_64. Non dovrebbero esserci problemi con altre release.
Per iscriverti al workshop del 25 settembre, segui le pagine social di Cyber Saiyan (organizzazione di Romhack)
Slide: https://hacktivesecurity-my.sharepoint.com/:b:/p/alessandro/EX9sSrCCRIlLqvkHoRl7_jQBB6xKgV_qLL9UA5fIwf2Cbw?e=cCQpix Materiale utilizzato nel video (per poter replicare i lab): https://hacktivesecurity-my.sharepoint.com/:u:/p/alessandro/EX08cV3wTzZJsEeEQwZvw80BbybF2CpUmJdsXXGlY0hnwA?e=JaGru3 Il materiale Γ¨ stato testato con Ubuntu 20.04 con architettura x86_64. Non dovrebbero esserci problemi con altre release.
Per iscriverti al workshop del 25 settembre, segui le pagine social di Cyber Saiyan (organizzazione di Romhack)
A few months ago me and my friend Jacopo Tediosi made an interesting discovery about an Akamai misconfiguration that allowed us to earn more than 46,000 dollars. Our research highlighted how manipulating a particular HTTP header made it possible to change the way how proxies communicated with each other and how this allowed us to perform different request smuggling attacks or, in particular cases, allowed us to poison the cache with arbitrary content chosen by us. In this post we will go directly into detail without explaining how these vulnerabilities work in general, hoping that the reader knows what we are talking about. If not, there are so many resources online and even labs to practice with them.
Now the question is: how were we able to reveal the misconfiguration? and how was it actually handled by major bug bounty platforms and private companies? Even today you can encounter this header in the response in several Server under the Akamai network.
Probably many of you have already understood or had already tried to force the use of Content-Length instead of Transfer-Encoding. But letβs go one step at a time. Once we noticed this particular thing, any attempt to abuse the Connection header with Content-Length as a value to perform a Request Smuggling attack didnβt work.
One curious thing we noticed was some unusual responses being provided by Akamai, such as [no URL].
Or, with www.example.com:
if we use the same host, the server actually provided different responses, but as many will know it is difficult to determine if it was actually Request Smuggling, HTTP Pipelining, or a normal server behavior by setting the Connection header in keep-alive.
Trying to redirect the requests with my co-worker we actually found that it worked. But currently, we only had one potential Denial of Service which is often rejected for lack of impact. Once this was done, we did some tests from a different network to verify that it was an open desync.
Only later we discovered that by inserting other host within the Akamai network we were completely able to redirect each other and finally we had a complete request smuggling. This sounds good, but we had a problem. We donβt have a host within Akamai network. How can you prove that through the attack you can arbitrarily redirect users if you donβt have any logs to show? As we continued to try, and luckily for us, we were able to abuse this bug to arbitrarily cache content from other hosts. We also found that, in addition to the GET method, we could use the OPTIONS method to perform the desired attack, moreover, there were more chances that Akamai would not notice that the request was actually malicious.
To poison the cache, it was necessary to send a first GET or OPTIONS request to a nonexistent path (also to avoid damage to the platform), preferably with static resource extensions (more likely to be taken from the cache), with the second request to arbitrary hosts. After a couple of requests, the content of the second hostβs file was correctly cached due to its revalidation, like this:
From then on it was possible to visit the URL /it/it/medusa.txt which returned the robots.txt of the second host.
Obviously, the content we decided to cache was not malicious but we could cache many types of files such as html or js.
by sending the request twice it was possible to cache the contents of robots.txt of the second host. As soon as the discovery was made, we started responsible disclosure, reporting the vulnerability to Akamai. We have not received immediate confirmation from them. While we waited, we realized that not all Akamai hosts were vulnerable or some did not allow arbitrary content caching (they probably had no cache or particular cache key settings that did not allow the attack). We thought maybe it was some general misconfiguration and decided to report it in bug bounty platforms as well.
Vulnerability management by bug bounty platforms: Our sincere admiration for the triagers of the Hackerone platform. After a very short time, they were able to replicate and understand the vulnerability by assigning the right severity.
Unfortunately, in Bugcrowd many of the triagers were unable to replicate the vulnerability despite providing a oneliner with curls, video POC, screenshots, and more. Some just didnβt put the two blank lines in GET requests, others had wrong burp targets and we have also received duplicated (?). like:
We were very disappointed with the Bugcrowd triagers.
Microsoft: Microsoft replied very late, saying it was unable to replicate the vulnerability (Akamai had already introduced the security fix).
Apple: Apple responded late, and was unable to replicate the vulnerability due to Akamaiβs fix. They were very kind and we received thanks by email, but no bounty was paid (we didnβt want any).
Intigriti: We only filed a bug, the triager was very nice and friendly, but he gave us a duplicated.
THE FIX: Akamai took very little time to get the security fix after our report, now any attempt to use the Connection header in an inappropriate way is automatically blocked. Akamai has given us permission to make a public disclosure.
Login
