Android One - mt_wifi IOCTL_GET_STRUCT Privilege Escalation

EDB-ID:

39629

CVE:

N/A




Platform:

Android

Date:

2016-03-28


Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=678

The wireless driver for the Android One (sprout) devices has a bad copy_from_user in the handling for the wireless driver socket private read ioctl IOCTL_GET_STRUCT with subcommand PRIV_CMD_SW_CTRL.

This ioctl is permitted for access from the untrusted-app selinux domain, so this is an app-to-kernel privilege escalation from any app with android.permission.INTERNET.

See ​
 hello-jni.tar.gz​ for a PoC (NDK required to build) that should redirect kernel code execution to 0x40404040.

[   56.843672]-(0)[880:tx_thread]CPU: 0 PID: 880 Comm: tx_thread Tainted: G        W    3.10.57-g9e1c396 #1
[   56.844867]-(0)[880:tx_thread]task: dea3b480 ti: cb99e000 task.ti: cb99e000
[   56.845731]-(0)[880:tx_thread]PC is at 0x40404040
[   56.846319]-(0)[880:tx_thread]LR is at kalDevPortWrite+0x1c8/0x484
[   56.847092]-(0)[880:tx_thread]pc : [<40404040>]    lr : [<c0408be4>]    psr: a0000013
[   56.847092]sp : cb99fdb0  ip : c001813c  fp : cb99fe0c
[   56.848705]-(0)[880:tx_thread]r10: c0cac2f0  r9 : 0000af00  r8 : 00000110
[   56.849552]-(0)[880:tx_thread]r7 : 0000002c  r6 : cc0a63c0  r5 : 00000001  r4 : c0cade08
[   56.850560]-(0)[880:tx_thread]r3 : 40404040  r2 : 00000040  r1 : dd5d0110  r0 : 00000001
[   56.851570]-(0)[880:tx_thread]Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[   56.852675]-(0)[880:tx_thread]Control: 10c5387d  Table: 9e9b006a  DAC: 00000015
[   56.853585]-(0)[880:tx_thread]
[   56.853585]LR: 0xc0408b64:
[   56.854297]8b64  e50b3028 e3a03000 e50b3044 0a00008a e590c0d0 e30639ac e34c30a8 e35c0000
[   56.855306]8b84  01a0c003 e2851103 e30c3940 e34c30bc e7eb2055 e1a01621 e3a05001 e593e000
[   56.856314]8ba4  e3a03000 e1a01281 e58d3004 e28114ff e58d5000 e1a03008 e08e1001 e59cc010
[   56.857323]8bc4  e12fff3c e5943014 e3530000 e50b002c 0a000002 e5933018 e1a00005 e12fff33
[   56.858332]8be4  e59635cc e2867e5a e2877004 e24b1048 e30650c0 e34c50a6 e1a00007 e5933000
[   56.859340]8c04  e12fff33 e59635cc e1a00007 e5933004 e12fff33 e5959000 e2899f7d e5953000
[   56.860349]8c24  e30610c0 e1a00007 e34c10a6 e0693003 e3530000 aa00005b e59635cc e5933010
[   56.861358]8c44  e12fff33 e3500000 0afffff3 e59635cc e1a00007 e30856a1 e3405001 e5933014
[   56.862369]-(0)[880:tx_thread]
[   56.862369]SP: 0xcb99fd30:
[   56.863083]fd30  00000001 00000110 00000000 40404040 a0000013 ffffffff cb99fd9c 00000110
[   56.864091]fd50  0000af00 c0cac2f0 cb99fe0c cb99fd68 c000e1d8 c00084b8 00000001 dd5d0110
[   56.865100]fd70  00000040 40404040 c0cade08 00000001 cc0a63c0 0000002c 00000110 0000af00
[   56.866108]fd90  c0cac2f0 cb99fe0c c001813c cb99fdb0 c0408be4 40404040 a0000013 ffffffff
[   56.867117]fdb0  00000001 00000000 c07aeeb8 c029c4b0 c0b9d340 00000110 00000000 00000000
[   56.868126]fdd0  cb99fdf4 cb99fde0 c07aef68 c009d670 9d5d0000 180f002c e54b6168 e54af000
[   56.869135]fdf0  e54b5d10 00000110 dd5d0000 00000000 cb99fe6c cb99fe10 c03db164 c0408a28
[   56.870143]fe10  0000af00 00000004 cb99fe44 cb99fe28 c03eddf4 00000001 00007d10 e54b5d14
[   56.871155]-(0)[880:tx_thread]
[   56.871155]IP: 0xc00180bc:
[   56.871868]80bc  ee070f36 e0800002 e1500001 3afffffb f57ff04f e1a0f00e ee103f30 e1a03823
[   56.872877]80dc  e203300f e3a02004 e1a02312 e2423001 e1c00003 ee070f3a e0800002 e1500001
[   56.873885]80fc  3afffffb f57ff04f e1a0f00e ee103f30 e1a03823 e203300f e3a02004 e1a02312
[   56.874894]811c  e2423001 e1c00003 ee070f3e e0800002 e1500001 3afffffb f57ff04f e1a0f00e
[   56.875902]813c  e0811000 e3320002 0affffd0 eaffffe1 e0811000 e3320001 1affffcc e1a0f00e
[   56.876911]815c  00007fff 000003ff e1a0c00d e92dd830 e24cb004 e1a05000 e1a00001 ebfffe6a
[   56.877920]817c  e1a04000 e1a00005 ebfffe67 e1a01004 e1a05000 eb09bf2a e1a00005 ebfffeaa
[   56.878929]819c  e1a00004 ebfffea8 e89da830 e1a0c00d e92dd818 e24cb004 ebfffe5b e3a01a01
[   56.879940]-(0)[880:tx_thread]
[   56.879940]FP: 0xcb99fd8c:
[   56.880653]fd8c  0000af00 c0cac2f0 cb99fe0c c001813c cb99fdb0 c0408be4 40404040 a0000013
[   56.881662]fdac  ffffffff 00000001 00000000 c07aeeb8 c029c4b0 c0b9d340 00000110 00000000
[   56.882671]fdcc  00000000 cb99fdf4 cb99fde0 c07aef68 c009d670 9d5d0000 180f002c e54b6168
[   56.883679]fdec  e54af000 e54b5d10 00000110 dd5d0000 00000000 cb99fe6c cb99fe10 c03db164
[   56.884688]fe0c  c0408a28 0000af00 00000004 cb99fe44 cb99fe28 c03eddf4 00000001 00007d10
[   56.885697]fe2c  e54b5d14 e54af000 00000000 cb99fe6c cb99fe48 c03da49c e54b6168 e54af000
[   56.886705]fe4c  c0cac2f0 00000000 e54af000 00000000 c0cac2f0 cb99fe8c cb99fe70 c03bd0f4
[   56.887714]fe6c  c03dae1c 00000001 00000000 e54b6168 00000000 cb99fee4 cb99fe90 c03bd540
[   56.888726]-(0)[880:tx_thread]
[   56.888726]R1: 0xdd5d0090:
[   56.889439]0090  00000002 60070193 c0a9d860 00000001 00000003 0d050d04 60070193 60070193
[   56.890447]00b0  c0a8d800 00002ab0 cb99fe9c cb99fe50 c00d3a84 c001ee84 0b93115f 00000000
[   56.891456]00d0  ffffffff 00000000 00000036 00000000 75fd19aa cb99fea0 e54dfac4 e54dfab8
[   56.892465]00f0  e54dfac4 60070113 cc0a65f8 c0cac730 cc0a6464 c0cac2f0 cb99fec4 062e062d
[   56.893473]0110  00000000 c2ec5c43 e91cd01a 3ef74ed2 256fb013 c9a73709 0d15c700 aa03b775
[   56.894482]0130  10b66433 696d6e70 4f66e845 6fc5d5f5 fffd363f a9960104 61007ab4 5b193ffc
[   56.895491]0150  25b0d02e 7fbf9ac1 c3de7bb9 b7bc184f 47c837ed 0d3b82cd aa3d7d38 72ac0fad
[   56.896499]0170  a469220b 96e646bc 49677d77 a6fae9d7 2d03b2c7 a52e0556 16f0641d 96c95111
[   56.897511]-(0)[880:tx_thread]
[   56.897511]R4: 0xc0cadd88:
[   56.898224]dd88  c0cadc88 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[   56.899233]dda8  41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[   56.900241]ddc8  41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[   56.901250]dde8  41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[   56.902259]de08  41414142 41414141 41414141 41414141 41414141 c0cadc90 000001d3 000001d3
[   56.903267]de28  000001d2 000000ca 000000c7 00000000 00000000 00000000 00000000 00000000
[   56.904276]de48  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   56.905285]de68  00000000 00000000 c04265ec 00000000 00000000 00000000 00000000 00000000
[   56.906297]-(0)[880:tx_thread]
[   56.906297]R6: 0xcc0a6340:
[   56.907009]6340  00000000 00000000 00000000 dead4ead ffffffff ffffffff cc0a6358 cc0a6358
[   56.908018]6360  df8f9674 dfba8764 df8f9684 00000001 c0b45604 00000000 00000000 00000000
[   56.909027]6380  00000001 de764130 00000000 00000000 c080e18c 00000000 00000000 00000000
[   56.910035]63a0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   56.911044]63c0  dd9e1000 00000000 00000075 0000007f 0000a051 00006107 00000000 00000000
[   56.912053]63e0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   56.913062]6400  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   56.914070]6420  00000000 cb000000 00000700 00000000 00000000 00000000 00000000 00000000
[   56.915082]-(0)[880:tx_thread]
[   56.915082]R10: 0xc0cac270:
[   56.915806]c270  7f54e330 00000000 7f54e330 00000000 7f5b84c9 00000004 00000000 00000000
[   56.916814]c290  00000000 00000000 00000001 00000001 00000001 00000000 00000000 00000000
[   56.917823]c2b0  00000001 00000000 dead4ead ffffffff ffffffff c0cac2c4 c0cac2c4 00000000
[   56.918832]c2d0  00000000 00000001 600f0113 000c000c dead4ead ffffffff ffffffff 00000000
[   56.919840]c2f0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   56.920849]c310  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   56.921858]c330  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   56.922866]c350  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   56.923880]-(0)[880:tx_thread]Process tx_thread (pid: 880, stack limit = 0xcb99e248)
[   56.924845]-(0)[880:tx_thread]Stack: (0xcb99fdb0 to 0xcb9a0000)
[   56.925584]-(0)[880:tx_thread]fda0:                                     00000001 00000000 c07aeeb8 c029c4b0
[   56.926801]-(0)[880:tx_thread]fdc0: c0b9d340 00000110 00000000 00000000 cb99fdf4 cb99fde0 c07aef68 c009d670
[   56.928016]-(0)[880:tx_thread]fde0: 9d5d0000 180f002c e54b6168 e54af000 e54b5d10 00000110 dd5d0000 00000000
[   56.929230]-(0)[880:tx_thread]fe00: cb99fe6c cb99fe10 c03db164 c0408a28 0000af00 00000004 cb99fe44 cb99fe28
[   56.930445]-(0)[880:tx_thread]fe20: c03eddf4 00000001 00007d10 e54b5d14 e54af000 00000000 cb99fe6c cb99fe48
[   56.931660]-(0)[880:tx_thread]fe40: c03da49c e54b6168 e54af000 c0cac2f0 00000000 e54af000 00000000 c0cac2f0
[   56.932874]-(0)[880:tx_thread]fe60: cb99fe8c cb99fe70 c03bd0f4 c03dae1c 00000001 00000000 e54b6168 00000000
[   56.934089]-(0)[880:tx_thread]fe80: cb99fee4 cb99fe90 c03bd540 c03bcf6c 000007d0 cc0a63c0 00000000 00000000
[   56.935304]-(0)[880:tx_thread]fea0: c000009a cc0a6a50 00000000 00000000 cc0a65f8 80000013 cc0a6464 cc0a63c0
[   56.936519]-(0)[880:tx_thread]fec0: cc0a6a5c cb99e000 cc0a65f8 c0cac730 cc0a6464 c0cac2f0 cb99ff44 cb99fee8
[   56.937734]-(0)[880:tx_thread]fee0: c03efce4 c03bd300 dd6b1dd4 a0070013 c0cade28 cb99e028 c0090920 cc0a6a50
[   56.938948]-(0)[880:tx_thread]ff00: 01a5fc40 00000000 dea3b480 c0090920 cb99ff10 cb99ff10 c03ef9d4 dd5bfdbc
[   56.940163]-(0)[880:tx_thread]ff20: 00000000 dd9e1000 c03ef9d4 00000000 00000000 00000000 cb99ffac cb99ff48
[   56.941378]-(0)[880:tx_thread]ff40: c008fadc c03ef9e0 ffffffff 00000000 df9958c0 dd9e1000 00000000 00000000
[   56.942593]-(0)[880:tx_thread]ff60: dead4ead ffffffff ffffffff cb99ff6c cb99ff6c 00000000 00000000 dead4ead
[   56.943807]-(0)[880:tx_thread]ff80: ffffffff ffffffff cb99ff88 cb99ff88 dd5bfdbc c008fa20 00000000 00000000
[   56.945022]-(0)[880:tx_thread]ffa0: 00000000 cb99ffb0 c000e618 c008fa2c 00000000 00000000 00000000 00000000
[   56.946236]-(0)[880:tx_thread]ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   56.947452]-(0)[880:tx_thread]ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff
[   56.948658]Backtrace: 
[   56.948966]-(0)[880:tx_thread][<c0408a1c>] (kalDevPortWrite+0x0/0x484) from [<c03db164>] (nicTxCmd+0x354/0x638)
[   56.950213] r9:00000000 r8:dd5d0000 r7:00000110 r6:e54b5d10 r5:e54af000
r4:e54b6168
[   56.951190]-(0)[880:tx_thread][<c03dae10>] (nicTxCmd+0x0/0x638) from [<c03bd0f4>] (wlanSendCommand+0x194/0x220)
[   56.952449]-(0)[880:tx_thread][<c03bcf60>] (wlanSendCommand+0x0/0x220) from [<c03bd540>] (wlanProcessCommandQueue+0x24c/0x474)
[   56.953859] r6:00000000 r5:e54b6168 r4:00000000 r3:00000001
[   56.954568]-(0)[880:tx_thread][<c03bd2f4>] (wlanProcessCommandQueue+0x0/0x474) from [<c03efce4>] (tx_thread+0x310/0x640)
[   56.955927]-(0)[880:tx_thread][<c03ef9d4>] (tx_thread+0x0/0x640) from [<c008fadc>] (kthread+0xbc/0xc0)
[   56.957088]-(0)[880:tx_thread][<c008fa20>] (kthread+0x0/0xc0) from [<c000e618>] (ret_from_fork+0x14/0x3c)
[   56.958270] r7:00000000 r6:00000000 r5:c008fa20 r4:dd5bfdbc
[   56.958970]-(0)[880:tx_thread]Code: bad PC value
[   56.959544]-(0)[880:tx_thread]---[ end trace 1b75b31a2719ed1f ]---
[   56.960313]-(0)[880:tx_thread]Kernel panic - not syncing: Fatal exception

The vulnerable code is in /drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c:1632

    case PRIV_CMD_SW_CTRL:
        pu4IntBuf = (PUINT_32)prIwReqData->data.pointer;
        prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];

        //kalMemCopy(&prNdisReq->ndisOidContent[0], prIwReqData->data.pointer, 8);
        if (copy_from_user(&prNdisReq->ndisOidContent[0],
                           prIwReqData->data.pointer,
                           prIwReqData->data.length)) {
            status = -EFAULT;
            break;
        }
        prNdisReq->ndisOidCmd = OID_CUSTOM_SW_CTRL;
        prNdisReq->inNdisOidlength = 8;
        prNdisReq->outNdisOidLength = 8;

        /* Execute this OID */
        status = priv_set_ndis(prNetDev, prNdisReq, &u4BufLen);
        break;

prNdisReq->ndisOidContent is in a static allocation of size 0x1000, and prIwReqData->data.length is a usermode controlled unsigned short, so the copy_from_user results in memory corruption.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39629.zip