Use After Free – Page 2 – Computer Security Articles

Credit to Author: SSD / Ori Nimron| Date: Mon, 29 Oct 2018 09:23:16 +0000

Vulnerabilities Summary The vulnerability exists in the AppCache subsystem in Chrome Versions 69.0 and before. This code is located in the privileged browser process outside of the sandbox. The renderer interacts with this subsystem by sending IPC messages from the renderer to the browser process. These messages can cause the browser to make network requests, … Continue reading SSD Advisory – Chrome AppCache Subsystem SBX by utilizing a Use After Free

Independent Securiteam

SSD Advisory – IRDA Linux Driver UAF

September 27, 2018 admin Privilege Escalation, SecuriTeam Secure Disclosure, Use After Free

Credit to Author: SSD / Ori Nimron| Date: Thu, 27 Sep 2018 11:23:40 +0000

Vulnerabilities Summary The following advisory describes two vulnerabilities in the Linux Kernel. By combining these two vulnerabilities a privilege escalation can be achieved. The two vulnerabilities are quite old and have been around for at least 17 years, quite a few Long Term releases of Linux have them in their kernel. While the assessment of … Continue reading SSD Advisory – IRDA Linux Driver UAF

Independent Securiteam

SSD Advisory – VirtualBox VRDP Guest-to-Host Escape

August 20, 2018 admin Sandbox escape, SecuriTeam Secure Disclosure, Use After Free

Credit to Author: SSD / Ori Nimron| Date: Mon, 20 Aug 2018 06:00:52 +0000

Vulnerability Summary VirtualBox has a built-in RDP server which provides access to a guest machine. While the RDP client sees the guest OS, the RDP server runs on the host OS. Therefore, to view the guest OS the RDP client will make a connection to the host OS IP address rather than the guest OS … Continue reading SSD Advisory – VirtualBox VRDP Guest-to-Host Escape

Independent Securiteam

SSD Advisory – Linux Kernel AF_PACKET Use After Free (packet_sock)

August 15, 2018 admin SecuriTeam Secure Disclosure, Use After Free

Credit to Author: SSD / Ori Nimron| Date: Wed, 15 Aug 2018 05:26:28 +0000

Vulnerability Summary UAF vulnerability in Linux Kernel’s implementation of AF_PACKET leads to privilege escalation. AF_PACKET sockets allow users to send or receive packets on the device driver level, which lets them implement their own protocol on top of the physical layer or sniffing packets including Ethernet and higher levels protocol and higher levels of the … Continue reading SSD Advisory – Linux Kernel AF_PACKET Use After Free (packet_sock)

Independent Securiteam

SSD Advisory – Infiniband Linux Driver UAF

August 2, 2018 admin SecuriTeam Secure Disclosure, Use After Free

Credit to Author: SSD / Ori Nimron| Date: Thu, 02 Aug 2018 12:10:25 +0000

Vulnerability Summary A bug in the threads synchronization of Infiniband Driver can cause an Use After Free. A struct that is allocated and free’d by a thread, is accessible through a second thread. If the second thread is calling the function “idr_find” before the struct was free’d by the first thread, then he can still … Continue reading SSD Advisory – Infiniband Linux Driver UAF

Independent Securiteam

SSD Advisory – Linux AF_LLC Double Free

April 30, 2018 admin Privilege Escalation, SecuriTeam Secure Disclosure, Use After Free

Credit to Author: SSD / Noam Rathaus| Date: Mon, 30 Apr 2018 13:05:13 +0000

Vulnerability Summary A use after free vulnerability in AF_LLC allows local attackers to control the flow of code that the kernel executes, allowing them to cause it to run arbitrary code and gain elevated privileges. Vendor Response The vulnerability was reported to the Kernel Security, which asked us to contact the netdev team. A patch … Continue reading SSD Advisory – Linux AF_LLC Double Free

Independent Securiteam

SSD安全公告-Linux内核XFRM权限提升漏洞

December 11, 2017 admin Chinese Translation, Privilege Escalation, SecuriTeam Secure Disclosure, Use After Free

Credit to Author: SSD / Maor Schwartz| Date: Mon, 11 Dec 2017 08:51:42 +0000

漏洞概要以下安全公告描述了在Linux内核中发现的一个UAF漏洞，成功利用此漏洞的攻击者可以提升权限。漏洞存在于Netlink 套接字子系统 – XFRM. Netlink用于在内核和用户空间进程之间传输信息。它由用户空间进程的标准基于套接字的接口和内核模块的内部内核API组成。漏洞提交者一位独立的安全研究员Mohamed Ghannam向Beyond Security的SSD报告了该漏洞厂商响应该漏洞已在补丁1137b5e中被修复（“ipsec：修复中止xfrm策略转储崩溃”） CVE: CVE-2017-16939 [crayon-5a2f0459e8bcf346519844/] 漏洞详细信息非特权用户可以更改Netlink 套接字子系统 XFRM sk-> sk_rcvbuf的值（sk ==sock结构体对象）。可以通过setsockopt（SO_RCVBUF）更改sk-> sk_rcvbuf的值为特定的范围。通过recvmsg/recv/read接收数据时，sk_rcvbuf表示接收缓冲区的大小。 sk_rcvbuf值是内核为skb（sk_buff结构体对象）分配的大小。 skb-> trusize是一个变量，它保持对已使用内存的追踪，为了避免内存浪费，方便管理，内核可以在运行时改变skb的大小。例如，如果我们分配一个大的套接字缓冲区（skb），而我们只接收到1字节大小的数据包，内核将通过调用skb_set_owner_r来调整skb-> trusize的大小。通过调用skb_set_owner_r修改sk-> sk_rmem_alloc（引用自原子变量sk-> sk_backlog.rmem_alloc）。当创建XFRM netlink 套接字时，会调用xfrm_dump_policy函数，当我们关闭套接字时，xfrm_dump_policy_done会被调用。当netlink_sock对象的cb_running值为true时调用xfrm_dump_policy_done。 xfrm_dump_policy_done会尝试清理由netlink_callback对象管理的xfrm walk条目。当调用netlink_skb_set_owner_r（如skb_set_owner_r）时，它会更新sk_rmem_alloc。 netlink_dump(): 在上面的代码中，我们可以看到当sk-> sk_rcvbuf小于sk_rmem_alloc（注意我们可以通过stockpot控制sk-> sk_rcvbuf）时，netlink_dump()验证失败。当满足sk-> sk_rcvbuf小于sk_rmem_alloc时，会跳转到函数的结尾，然而cb_running的值还没有被更改为false，netlink_dump()函数就返回了。此时nlk-> cb_running为true，因此会调用xfrm_dump_policy_done()。 nlk-> cb.done指向xfrm_dump_policy_done，值得注意的是这个函数处理一个双向链表，所以如果利用这个漏洞引用一个可控的缓冲区，我们就可以实现任意内存读写。漏洞证明下面的代码在Ubuntu 17.04测试。 [crayon-5a2f0459e8bd9379864677/]

Independent Securiteam

SSD安全公告–Linux内核AF_PACKET 释放后重用漏洞

November 27, 2017 admin Chinese Translation, Privilege Escalation, SecuriTeam Secure Disclosure, Use After Free

Credit to Author: SSD / Maor Schwartz| Date: Mon, 27 Nov 2017 08:12:04 +0000

漏洞概要以下安全公告描述了在Linux内核的AF_PACKET中存在的一个UAF漏洞，成功利用该漏洞可能导致权限提升。 AF_PACKET套接字”允许用户在设备驱动层发送或者接收数据包”。例如，用户可以在物理层之上实现自己的协议，或者嗅探包含以太网或更高层协议头的数据包。漏洞提交者一名独立的安全研究人员发现并向 Beyond Security 的 SSD 报告了该漏洞。厂商响应更新一 CVE:CVE-2017-15649 “该漏洞很可能已经通过以下方式修复了： packet: 重新绑定fanout hook时保持绑定锁定 – http://patchwork.ozlabs.org/patch/813945/ 与此相关，但未合并的是 packet:在packet_do_bind函数中，使用bind_lock测试fanout – http://patchwork.ozlabs.org/patch/818726/ 我们验证了在v4.14-rc2上不会触发该漏洞，但在第一次commit(008ba2a13f2d)上测试成功。” 漏洞详细信息该UAF漏洞是由于fanout_add(来自setsockopt)和AF_PACKET套接字之间竞争条件导致的。即使已经从fanout_add()创建了一个packet_fanout，竞争也会导致来自packet_do_bind()的__unregister_prot_hook()将po-> running设置为0。这允许我们绕过packet_release()中的unregister_prot_hook()的检查，从而导致即使packet_fanout已经被释放，但是仍然可以从packet_type链接列表引用。漏洞证明 [crayon-5a1c8f5b84fe1712795706/] 崩溃日志 [crayon-5a1c8f5b84fea292617098/] 我们知道已经被释放的是一个kmalloc-4096对象： [crayon-5a1c8f5b84ff4648568286/] 当通过af_packet.c中的register_prot_hook()的dev_add_pack()进行注册时，它的prot_hook成员在packet handler中被引用： [crayon-5a1c8f5b84ff7247098366/] 结构体packet_type内部的函数指针，保存在一个大的slab分配器（kmalloc-4096）中，这使得堆喷射变更容易和更可靠，因为内核较少使用较大slab分配器。我们可以使用常规的内核堆喷射来替换被释放的packet_fanout对象的内容，例如用sendmmsg()或其它函数。即使分配的内存空间不是永久的，但仍然可以替换packet_fanout中的目标内容（例如函数指针），并且由于kmalloc-4096非常稳定，所以我们的payload几乎不可能被其它分配破坏。当使用dev_queue_xmit()发送一个skb时会调用id_match()，通过AF_PACKET套接字上的sendmsg可以到达该路径。如果dev_queue_xmit参数非NULL，它通过调用id_match()的包处理程序列表进行循环。因此，可以通过下述方式进行漏洞利用。一旦知道了内核的代码段，我们就可以把内核栈转换成我们伪造的packet_fanout对象和ROP。第一个参数ptype包含我们伪造对象的prot_hook成员的地址，这使得我们知道在哪里跳转。一旦进入ROP，我们可以跳转到native_write_c4(x)去关闭SMEP/SMAP，然后跳回到用户空间执行我们真正的payload，通过调用commit_creds(prepare_kernel_cred(0))，将我们权限提升至root 。