
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
73 lines
No EOL
3.8 KiB
Text
73 lines
No EOL
3.8 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=967
|
|
|
|
The TSP touchscreen controller driver exposes several sysfs entries through which the driver may be configured. One such entry, "cmd", allows the user to write commands to be executed by the driver.
|
|
|
|
Specifically, the "cmd" entry is writable, and is present under:
|
|
|
|
/sys/devices/virtual/sec/tsp/cmd
|
|
|
|
Writes to this sysfs entry are handled by the function "cmd_store", under drivers/input/touchscreen/sec_ts/sec_ts_fn.c
|
|
|
|
This function fails to validate the length of the supplied buffer, before copying data from it into two memory locations. First, the data is copied into a static structure:
|
|
|
|
...
|
|
memset(ts->cmd, 0x00, sizeof(ts->cmd));
|
|
memcpy(ts->cmd, buf, length);
|
|
memset(ts->cmd_param, 0, sizeof(ts->cmd_param));
|
|
memset(buffer, 0x00, sizeof(buffer));
|
|
...
|
|
|
|
The "buf" argument contains the user-supplied data, and the "length" argument is completely user-controlled. Since the length of ts->cmd is defined to be CMD_STR_LEN (256), this memcpy will overflow into adjacent fields in the "ts" structure, allowing the attack to replace these with attack-controlled data.
|
|
|
|
Second, the user-supplied data is copied into a local stack-allocated buffer, like so:
|
|
|
|
...
|
|
char buffer[CMD_STR_LEN];
|
|
...
|
|
pos = strchr(buf, (int)delim);
|
|
if (pos)
|
|
memcpy(buffer, buf, pos - buf);
|
|
else
|
|
memcpy(buffer, buf, length);
|
|
...
|
|
|
|
|
|
This means that the attacker can also overwrite the data on the stack, including the value of frame pointer and return address, simply by providing a buffer of length >CMD_STR_LEN. This allows the attacker to directly hijack the control flow when the function returns.
|
|
|
|
I've statically and dynamically verified this issue on an SM-G935F device. The open-source kernel package I analysed was "SM-G935F_MM_Opensource", the device's build is "XXS1APG3".
|
|
|
|
The sysfs entries mentioned above have UID "system" and GID "radio". The SELinux context for these entries is: "u:object_r:sysfs_sec:s0".
|
|
|
|
According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:
|
|
|
|
allow shell sysfs_sec : file { read open } ;
|
|
allow system_app sysfs_sec : file { ioctl read write getattr lock append open } ;
|
|
allow rild sysfs_sec : file { ioctl read write getattr lock append open } ;
|
|
allow system_app sysfs_sec : dir { ioctl read write getattr add_name remove_name search open } ;
|
|
allow diagexe sysfs_sec : file { ioctl read write getattr lock append open } ;
|
|
allow at_distributor sysfs_sec : file { ioctl read write getattr setattr lock append open } ;
|
|
|
|
|
|
Proof of concept for the buffer overflow in the TSP driver.
|
|
|
|
Includes a short ROP chain which allows execution of any arbitrary function in the context of the linux kernel, with arbitrary arguments. This PoC also uses the KASLR bypass in "pm_qos" to adjust for the KASLR slide).
|
|
|
|
The high-level flow for executing a function in the kernel is the following:
|
|
-Allocate a (user-space) buffer on the heap with a dummy "marker" value
|
|
-Start a new thread (denote it "Thread B", denote the original thread "Thread A")
|
|
-Thread A:
|
|
-Perform a busy loop waiting for the dummy value to be updated
|
|
-Thread B:
|
|
-Create a ROP chain which does the following:
|
|
-Prepares arguments for a function call
|
|
-Calls the wanted function in the context of the kernel
|
|
-Stores X0 in a sysfs entry in the kernel VAS (e.g., uevent_seqnum)
|
|
-Change the dummy value shared from thread A to indicate completion
|
|
-Enter idle loop
|
|
-Thread A:
|
|
-(Exit busy loop as the marker value has been modified)
|
|
-Read the result of the execution by reading the sysfs entry
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41130.zip |