==========================================================
 Patching the vmsplice() local root exploit vulnerability
 with a kernel module
 by hkpco (Park Chan-am)
 ----------------------------
 mail - hkpco@korea.com
 homepage - http://hkpco.kr/
 date - 2008. 2. 11
 ----------------------------
==========================================================

Today (2/11) I happened to see that a vmsplice() root exploit had been released, so I wrote a simple patch in the form of a kernel module.

So far two root exploits have been published for the kernel 2.6 series. The patches for them add, inside several of the functions called from sys_vmsplice(), a routine that checks the arguments with the kernel macro access_ok(). For example:

--- linux-2.6.orig/fs/splice.c
+++ linux-2.6/fs/splice.c
@@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
 if (unlikely(!base))
 break;
+ if (unlikely(!access_ok(VERIFY_READ, base, len)))
+ break;
+

The access_ok() macro determines whether a range of user-space memory is valid. It is used mainly to verify user-space regions, and it returns false if the address lies in kernel space. The vulnerability is therefore blocked by checking with access_ok() the place where the exploit code inserts a kernel-space address (iov.iov_base = (void *)addr;), or any other invalid user-space region.

Another approach is to remove the vmsplice() system call altogether.

Both methods, however, have the drawback that the kernel must be recompiled. (Other temporary patches have also been suggested, but they are inefficient: either unstable, or blocking the use of vmsplice entirely.)

So I tried building a simple protection module.

All the patch methods released so far require modifying the kernel source code; the ones published abroad modify the following kernel functions:

vmsplice_to_pipe(), vmsplice_to_user(), get_iovec_page_array(), copy_from_user_mmap_sem()

These functions are called in the following order:

sys_vmsplice() -> vmsplice_to_pipe() -> get_iovec_page_array() -> copy_from_user_mmap_sem()
or
sys_vmsplice() -> vmsplice_to_user()

Since the routine added when patching each of these kernel APIs checks argument values that are common to all of the functions above, the vulnerability can be defended more simply by checking those arguments once, directly in sys_vmsplice().

Below are the protection module source code and the Makefile for compiling it.

------------------------------
http://hkpco.kr/code/vmpatch.c
http://hkpco.kr/code/Makefile
------------------------------

The following is the result of testing the exploit before loading the protection module.
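Review bot: The access_ok() check in the get_iovec_page_array() hunk above guards only the sys_vmsplice() -> vmsplice_to_pipe() path; the sys_vmsplice() -> vmsplice_to_user() path listed on this page gets nothing from this hunk and needs its own check, which is exactly the case for validating the iovec array once at the syscall entry instead. Also, the new `break` follows the existing `if (unlikely(!base)) break;` convention rather than returning -EFAULT, so when the very first iovec entry fails the check the caller receives whatever the loop's exit path returns; confirm that this is a negative errno and not a zero page count that reads as success.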
===========================
vmsplice local root exploit
===========================
[hkpco@localhost ~]$ id
uid=500(hkpco) gid=500(hkpco) groups=500(hkpco) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[hkpco@localhost ~]$ gcc -o vm_exploit vm_exploit.c
[hkpco@localhost ~]$ ./vm_exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f85000 .. 0xb7fb7000
[+] root
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=500(hkpco) context=root:system_r:unconfined_t:SystemLow-SystemHigh

The following is the process of loading the protection module.

====================
protect module patch
====================
[root@localhost hkpco]# wget http://hkpco.kr/code/vmpatch.c
--05:32:18--  http://hkpco.kr/code/vmpatch.c
Resolving hkpco.kr... 220.80.107.55
Connecting to hkpco.kr|220.80.107.55|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2287 (2.2K) [text/plain]
Saving to: `vmpatch.c'

100%[====================================================================================>] 2,287 --.-K/s in 0s

05:32:18 (62.0 MB/s) - `vmpatch.c' saved [2287/2287]

[root@localhost hkpco]# wget http://hkpco.kr/code/Makefile
--05:32:33--  http://hkpco.kr/code/Makefile
Resolving hkpco.kr... 220.80.107.55
Connecting to hkpco.kr|220.80.107.55|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 210 [text/plain]
Saving to: `Makefile'

100%[====================================================================================>] 210 --.-K/s in 0s

05:32:33 (12.2 MB/s) - `Makefile' saved [210/210]

[root@localhost hkpco]# ls
Makefile vmpatch.c
[root@localhost hkpco]# make
make -C /lib/modules/2.6.18-1.2798.fc6/build SUBDIRS=/root/hkpco modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-1.2798.fc6-i586'
  CC [M]  /root/hkpco/vmpatch.o
  Building modules, stage 2.
  MODPOST
  CC      /root/hkpco/vmpatch.mod.o
  LD [M]  /root/hkpco/vmpatch.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-1.2798.fc6-i586'
[root@localhost hkpco]# ls -l vmpatch.ko
-rw-r--r-- 1 root root 109481 Feb 11 05:42 vmpatch.ko
[root@localhost hkpco]# insmod vmpatch.ko

The following shows running the exploit again after the protection module has been loaded.

==========================
vmsplice local root exploit
protect module loaded
==========================
[hkpco@localhost ~]$ id
uid=500(hkpco) gid=500(hkpco) groups=500(hkpco) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[hkpco@localhost ~]$ gcc -o vm_exploit vm_exploit.c
[hkpco@localhost ~]$ ./vm_exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f85000 .. 0xb7fb7000
[-] vmsplice: Bad address
[hkpco@localhost ~]$ id
uid=500(hkpco) gid=500(hkpco) groups=500(hkpco) context=root:system_r:unconfined_t:SystemLow-SystemHigh

You can see that the exploit failed. This patch can be applied on any vulnerable Linux system.
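The single argument check that this page proposes doing in sys_vmsplice() can be modelled in user space. The block below is an added example, not hkpco's vmpatch.c or kernel code: it assumes the i386 user/kernel split at 0xC0000000 and the kernel's UIO_MAXIOV limit, models access_ok() including the address wrap-around case, and rejects the kernel-address iovec (iov.iov_base = (void *)addr;) that the exploit relies on with -EFAULT, the "Bad address" seen in the session above.

```c
/* Added example (not hkpco's vmpatch.c): user-space model of the one-place
 * argument check the page proposes for sys_vmsplice(). The i386 TASK_SIZE
 * split and access_ok() semantics are assumptions; a real module would read
 * the iovec array with copy_from_user() before checking it. */
#include <errno.h>
#include <stdio.h>
#include <sys/uio.h>

#define MODEL_TASK_SIZE 0xC0000000UL   /* assumed i386 user/kernel boundary */
#define MODEL_UIO_MAXIOV 1024          /* kernel's cap on iovec entries */

/* Model of access_ok(VERIFY_READ, addr, len): the whole [addr, addr+len)
 * range must lie below TASK_SIZE and must not wrap around address zero. */
static int model_access_ok(unsigned long addr, unsigned long len)
{
    unsigned long end = addr + len;
    if (end < addr)                 /* addr + len overflowed */
        return 0;
    return end <= MODEL_TASK_SIZE;
}

/* What a hooked sys_vmsplice() applies to every iovec before handing the
 * array to vmsplice_to_pipe() / vmsplice_to_user(): 0 if every entry is a
 * valid user range, -EFAULT ("Bad address") if any entry is not. */
int vmsplice_iov_check(const struct iovec *iov, unsigned long nr_segs)
{
    unsigned long i;
    if (nr_segs > MODEL_UIO_MAXIOV)
        return -EINVAL;
    for (i = 0; i < nr_segs; i++) {
        if (!model_access_ok((unsigned long)iov[i].iov_base, iov[i].iov_len))
            return -EFAULT;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample iovecs: a normal user buffer, a kernel address set
     * the way the exploit's iov.iov_base = (void *)addr; does, and a length
     * that wraps past the top of the address space. */
    struct iovec good = { (void *)0x08048000UL, 4096 };
    struct iovec kern = { (void *)0xC0100000UL, 4096 };
    struct iovec wrap = { (void *)0xB0000000UL, ~0UL };
    printf("good: %d\n", vmsplice_iov_check(&good, 1));  /* 0 */
    printf("kern: %d\n", vmsplice_iov_check(&kern, 1));  /* -EFAULT */
    printf("wrap: %d\n", vmsplice_iov_check(&wrap, 1));  /* -EFAULT */
    return 0;
}
```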