98 lines
No EOL
5.3 KiB
Text
98 lines
No EOL
5.3 KiB
Text
After reporting https://bugs.chromium.org/p/project-zero/issues/detail?id=1583
|
|
(Android ID 80436257, CVE-2018-9445), I discovered that this issue could also
|
|
be used to inject code into the context of the zygote. Additionally, I
|
|
discovered a privilege escalation path from zygote to init; that escalation path
|
|
is why I'm filing a new bug.
|
|
|
|
Essentially, the privilege escalation from zygote to init is possible because
|
|
system/sepolicy/private/zygote.te contains the following rule:
|
|
|
|
allow zygote self:capability sys_admin;
|
|
|
|
(On the current AOSP master branch, the rule looks slightly different, but it's
|
|
still there.)
|
|
|
|
This rule allows processes in the zygote domain to use the CAP_SYS_ADMIN
|
|
capability, if they have such a capability. The zygote has the capability and
|
|
uses it, e.g. to call umount() and to install seccomp filters without setting
|
|
the NO_NEW_PRIVS flag. CAP_SYS_ADMIN is a bit of a catch-all capability: If
|
|
kernel code needs to check that the caller has superuser privileges and none of
|
|
the capability bits fit the particular case, CAP_SYS_ADMIN is usually used.
|
|
The capabilities(7) manpage has a long, but not exhaustive, list of things that
|
|
this capability permits:
|
|
http://man7.org/linux/man-pages/man7/capabilities.7.html
|
|
|
|
One of the syscalls that can be called with CAP_SYS_ADMIN and don't have
|
|
significant additional SELinux hooks is pivot_root(). This syscall can be used
|
|
to switch out the root of the current mount namespace and, as part of that,
|
|
change the root of every process in that mount namespace to the new namespace
|
|
root (unless the process already had a different root).
|
|
|
|
The exploit for this issue is in zygote_exec_target.c, starting at
|
|
"if (unshare(CLONE_NEWNS))". The attack is basically:
|
|
|
|
1. set up a new mount namespace with a root that is fully attacker-controlled
|
|
2. execute crash_dump64, causing an automatic transition to the crash_dump
|
|
domain
|
|
3. the kernel tries to load the linker for crash_dump64 from the
|
|
attacker-controlled filesystem, resulting in compromise of the crash_dump
|
|
domain
|
|
4. from the crash_dump domain, use ptrace() to inject syscalls into vold
|
|
5. from vold, set up a loop device with an attacker-controlled backing device
|
|
and mount the loop device over /sbin, without "nosuid"
|
|
6. from vold, call request_key() with a nonexistent key, causing a
|
|
usermodehelper invocation to /sbin/request-key, which is labeled as
|
|
init_exec, causing an automatic domain transition from kernel to init (and
|
|
avoiding the "neverallow kernel *:file { entrypoint execute_no_trans };"
|
|
aimed at stopping exploits using usermodehelpers)
|
|
7. code execution in the init domain
|
|
|
|
|
|
Note that this is only one of multiple possible escalation paths; for example,
|
|
I think that you could also enable swap on an attacker-controlled file, then
|
|
modify the swapped-out data to effectively corrupt the memory of any userspace
|
|
process that hasn't explicitly locked all of its memory into RAM.
|
|
|
|
|
|
|
|
In order to get into the zygote in the first place, I have to trigger
|
|
CVE-2018-9445 twice:
|
|
|
|
1. Use the bug to mount a "public volume" with a FAT filesystem over /data/misc.
|
|
2. Trigger the bug again with a "private volume" with a dm-crypt-protected
|
|
ext4 filesystem that will be mounted over /data. To decrypt the volume, a key
|
|
from /data/misc/vold/ is used.
|
|
3. Cause system_server to crash in order to trigger a zygote reboot. For this,
|
|
the following exception is targeted:
|
|
|
|
*** FATAL EXCEPTION IN SYSTEM PROCESS: NetworkStats
|
|
java.lang.NullPointerException: Attempt to get length of null array
|
|
at com.android.internal.util.FileRotator.getActiveName(FileRotator.java:309)
|
|
at com.android.internal.util.FileRotator.rewriteActive(FileRotator.java:183)
|
|
at com.android.server.net.NetworkStatsRecorder.forcePersistLocked(NetworkStatsRecorder.java:300)
|
|
at com.android.server.net.NetworkStatsRecorder.maybePersistLocked(NetworkStatsRecorder.java:286)
|
|
at com.android.server.net.NetworkStatsService.performPollLocked(NetworkStatsService.java:1194)
|
|
at com.android.server.net.NetworkStatsService.performPoll(NetworkStatsService.java:1151)
|
|
at com.android.server.net.NetworkStatsService.-wrap3(Unknown Source:0)
|
|
at com.android.server.net.NetworkStatsService$HandlerCallback.handleMessage(NetworkStatsService.java:1495)
|
|
at android.os.Handler.dispatchMessage(Handler.java:102)
|
|
at android.os.Looper.loop(Looper.java:164)
|
|
at android.os.HandlerThread.run(HandlerThread.java:65)
|
|
|
|
This exception can be triggered by sending >=2MiB (mPersistThresholdBytes) of
|
|
network traffic to the device, then either waiting for the next periodic
|
|
refresh of network stats or changing the state of a network interface.
|
|
|
|
4. The rebooting zygote64 does dlopen() on
|
|
/data/dalvik-cache/arm64/system@framework@boot.oat, resulting in code
|
|
execution in the zygote64. (For the zygote64 to get to this point, it's
|
|
sufficient to symlink
|
|
/data/dalvik-cache/arm64/system@framework@boot.{art,vdex} to their
|
|
counterparts on /system, even though that code isn't relocated properly.)
|
|
|
|
I have attached an exploit for the full chain, with usage instructions in USAGE.
|
|
|
|
WARNING: As always, this exploit is intended to be used only on research devices that don't store user data. This specific exploit is known to sometimes cause data corruption.
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45379.zip |