bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/android/dos/41218.txt
Offensive Security 893d590404 DB: 2017-02-02 
12 new exploits

PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow
PHP 5.2.0 (Windows x86) - 'PHP_win32sti' Local Buffer Overflow

Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service
Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (1)

PHP 5.3.0 - getopt() Denial of Service
PHP 5.3.0 - 'getopt()' Denial of Service

Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service
Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (2)

PHP 4.3.x/5.0 - openlog() Buffer Overflow
PHP 4.3.x/5.0 - 'openlog()' Buffer Overflow
Google Android - 'cfp_ropp_new_key_reenc' and 'cfp_ropp_new_key' RKP Memory Corruption
Google Android -  Unprotected MSRs in EL1 RKP Privilege Escalation
Apple WebKit - 'HTMLFormElement::reset()' Use-After Free
Google Chrome - 'HTMLKeygenElement::shadowSelect()' Type Confusion
Apple WebKit - 'HTMLKeygenElement' Type Confusion
Apple WebKit - Type Confusion in RenderBox with Accessibility Enabled
Google Android - RKP Information Disclosure via s2-remapping Physical Ranges
QNAP NVR/NAS - Buffer Overflow

Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV < 1.4.1 Privilege Escalation (1)
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Privilege Escalation (1)

Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) - UDEV < 141 Privilege Escalation (2)
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1 - Privilege Escalation (2)

PHP 5.2.9 (Windows x86) - Local Safemod Bypass Exploit
PHP 5.2.9 (Windows x86) - Local Safemod Bypass

Linux udev - Netlink Privilege Escalation (Metasploit)
Linux Kernel UDEV < 1.4.1 - Netlink Privilege Escalation (Metasploit)

Google Android - RKP EL1 Code Loading Bypass

Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)

Syntax Desktop 2.7 - (synTarget) Local File Inclusion
Syntax Desktop 2.7 - 'synTarget' Parameter Local File Inclusion
Joomla! Component JTAG Calendar 6.2.4 - 'search' Parameter SQL Injection
LogoStore - 'query' Parameter SQL Injection
2017-02-02 05:01:18 +00:00

47 lines
3 KiB
Text
Executable file
Raw Blame History

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=982
As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.
In order to protect the information processed and stored within RKP (i.e., RKP's heap and stack or the current control-flow protection key), the physical ranges in which RKP and "physmap" are located are unmapped from the stage 2 translation table upon initialization of RKP. This prevents an attacker in EL1 from accessing any of these memory regions, as such an attempt would trigger an s2 translation fault.
However, RKP provides commands which can be used in order to re-map regions in the stage 2 translation table. Most of these commands correctly perform a validation on the given address range using "physmap". However, the "rkp_set_init_page_ro" command (command code 0x51) can be used to mark a region as read-only in stage 2, and performs no such validation. Here is the approximate pseudo-code for this command:
__int64 rkp_set_init_page_ro(unsigned args* args_buffer)
{
unsigned long page_pa = rkp_get_pa(args_buffer->arg0);
if ( page_pa < rkp_get_pa(text) || page_pa >= rkp_get_pa(etext) )
{
if ( !rkp_s2_page_change_permission(page_pa, 128LL, 0, 0) )// RO, XN
return rkp_debug_log("Cred: Unable to set permission for init cred", 0LL, 0LL, 0LL);
}
else
{
rkp_debug_log("Good init CRED is within RO range", 0LL, 0LL, 0LL);
}
rkp_debug_log("init cred page", 0LL, 0LL, 0LL);
return rkp_set_pgt_bitmap(page_pa, 0);
}
The "rkp_s2_page_change_permission" function makes sure the given page is mapped in stage 2 (and if it isn't, it re-maps it). The arguments passed in by "rkp_set_init_page_ro" in this specific case mark the page as read-only and non-executable.
Regardless, the physical address ranges for RKP are already present in the stage 1 translation table:
...
[424] 0x0b5000000-0x0b5200000 [PXN: 1, UXN: 1, AP: 0]
[425] 0x0b5200000-0x0b5400000 [PXN: 1, UXN: 1, AP: 0]
[426] 0x0b5400000-0x0b5600000 [PXN: 1, UXN: 1, AP: 0]
[427] 0x0b5600000-0x0b5800000 [PXN: 1, UXN: 1, AP: 0]
[428] 0x0b5800000-0x0b5a00000 [PXN: 1, UXN: 1, AP: 0]
...
This means an attacker can simply invoke the "rkp_set_init_page_ro" command to s2-map any wanted page, and will subsequently be able to directly read from that page, even if it resides within RKP's physical address range.
I've verified this issue on an SM-G935F device, build version "XXS1APG3". The RKP version present on the device is "RKP4.2_CL7572479".
Proof of concept for the RKP stage 2 remapping issue.
This PoC s2-remaps RKP's physical address range and reads from it in EL1.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41218.zip
Reference in a new issue View git blame Copy permalink