Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=971
The "pm_qos" module exposes an interface to kernel space for specifying QoS dependencies. In order to aid in debugging this interface, the module exposes a "debugfs" interface, available under:
/sys/kernel/debug/pm_qos
This file is world-readable, and allows any user to query the current QOS constraints. The code which prints out each constraint is available under the "pm_qos_debug_show_one" function in the file "kernel/power/qos.c". Here is the code for this function:
static void pm_qos_debug_show_one(struct seq_file *s, struct pm_qos_object *qos)
{
	struct plist_node *p;
	unsigned long flags;

	spin_lock_irqsave(&pm_qos_lock, flags);

	seq_printf(s, "%s\n", qos->name);
	seq_printf(s, " default value: %d\n", qos->constraints->default_value);
	seq_printf(s, " target value: %d\n", qos->constraints->target_value);
	seq_printf(s, " requests:\n");
	plist_for_each(p, &qos->constraints->list)
		seq_printf(s, " %pk(%s:%d): %d\n",
			   container_of(p, struct pm_qos_request, node),
			   (container_of(p, struct pm_qos_request, node))->func,
			   (container_of(p, struct pm_qos_request, node))->line,
			   p->prio);

	spin_unlock_irqrestore(&pm_qos_lock, flags);
}

As seen above, the function prints out the QOS constraint entries (which are static variables stored in the kernel's BSS). To avoid leaking the BSS addresses to unprivileged users, the function uses the format specifier "%pk". Note that the 'k' character in this format specifier is lowercase, instead of the correct specifier - "%pK" (using an uppercase 'K'). As format specifiers are case-sensitive, the "vsnprintf" implementation simply ignores the lowercase 'k' - therefore always printing the pointer above.
For devices with Samsung KNOX v2.6 (e.g., Galaxy S7 and Galaxy S7 Edge), this allows an attacker to bypass KASLR. This is because the BSS and the kernel's code share the same KASLR "slide" value. An attacker can read the QOS constraint addresses from the "sysfs" entry and compare them to the calculated base address of the kernel's BSS in order to find the value of the KASLR slide.
This issue can be addressed by fixing the format specifier to "%pK".
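A source-level check for this class of typo, added here as an example and not part of the original report: it scans C string literals for "%p" conversions and flags a lowercase 'k' extension (which vsnprintf skips, printing the raw address) and bare "%p" for review. The sample source is constructed from the affected seq_printf call, its corrected form and an unrelated raw "%p".

```python
import re
from typing import List, Tuple

# Constructed sample input: the affected seq_printf from the report, the
# corrected line, and an unrelated raw %p for comparison.
SAMPLE_SOURCE = r'''
static void pm_qos_debug_show_one(struct seq_file *s, struct pm_qos_object *qos)
{
	seq_printf(s, " %pk(%s:%d): %d\n", req, req->func, req->line, p->prio);
	seq_printf(s, " %pK(%s:%d): %d\n", req, req->func, req->line, p->prio);
	pr_debug("constraints at %p\n", qos->constraints);
}
'''

# An escape-aware C string literal, and a %p conversion with its optional
# one-letter extension (e.g. %pK); printf flags/width before 'p' are tolerated.
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
PTR_SPEC = re.compile(r'%[-+ #0]*\d*p([A-Za-z]?)')


def audit_pointer_formats(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, spec, verdict) for every suspicious %p conversion.

    Format extensions are case-sensitive: only the uppercase 'K' selects the
    restricted-pointer path, and an unrecognised letter such as 'k' is skipped,
    so '%pk' emits the raw kernel address. A bare '%p' is reported for review.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for lit in STRING_LIT.finditer(line):
            for spec in PTR_SPEC.finditer(lit.group(1)):
                ext = spec.group(1)
                if ext == 'k':
                    verdict = 'BUG: lowercase k is ignored, use %pK'
                elif ext == '':
                    verdict = 'REVIEW: raw pointer in output'
                else:
                    continue  # %pK and other recognised extensions
                findings.append((lineno, spec.group(0), verdict))
    return findings


if __name__ == '__main__':
    for lineno, spec, verdict in audit_pointer_formats(SAMPLE_SOURCE):
        print(f'line {lineno}: {spec} -> {verdict}')
```

Run over a kernel tree with the file contents passed in, the "BUG" verdict pinpoints the typo described above while the corrected "%pK" line produces no finding.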
Although the original code for the "pm_qos" is written by Intel, I could only trace back this specific code snippet ("pm_qos_debug_show_one") to Samsung kernels. Therefore, I am assuming that this specific code has been added by Samsung at a certain point. If this is not the case, please let me know so that I can report this issue to the additional parties.
I've statically verified this issue on an SM-G935F device. The open-source kernel package I analysed was "SM-G935F_MM_Opensource".
The sysfs entries mentioned above are world-readable and have an SELinux context of: "u:object_r:debugfs:s0". According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:

allow ipm debugfs : file { ioctl read getattr lock open } ;
allow RIDL debugfs : file read ;
allow secure_storage debugfs : dir { ioctl read getattr search open } ;
allow knox_system_app debugfs : dir { ioctl read getattr search open } ;
allow debuggerd debugfs : file { ioctl read getattr lock open } ;
allow trusteddomain debugfs : file { read getattr } ;
allow bluetooth debugfs : file read ;
allow knox_system_app debugfs : file { ioctl read getattr lock open } ;
allow system_app debugfs : file { ioctl read getattr lock open } ;
allow slogmodem debugfs : file read ;
allow slogd debugfs : file { ioctl read getattr lock open } ;
allow debugfs debugfs : filesystem associate ;
allow domain debugfs : file { write append open } ;
allow mediaserver debugfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow debuggerd debugfs : dir { ioctl read getattr search open } ;
allow domain debugfs : dir { ioctl read getattr search open } ;
allow cmd_services debugfs : file read ;
allow dumpstate debugfs : file { ioctl read write getattr lock append open } ;
allow secure_storage debugfs : file { ioctl read getattr lock open } ;
allow wcnd debugfs : file read ;
allow init debugfs : file getattr ;
allow system_server debugfs : file { ioctl read getattr lock open } ;
allow untrusteddomain debugfs : file execute ;
allow shell debugfs : file { ioctl read getattr lock open } ;
allow surfaceflinger debugfs : file { ioctl read getattr lock open } ;

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41161.zip