博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
Local Privilege Escalation for macOS 10.12.2 and XNU port Feng Shui
阅读量:6477 次
发布时间:2019-06-23

本文共 5552 字,大约阅读时间需要 18 分钟。

0x00 Introduction

From yalu 10.2, we could learn lots of new exploit techniques especially the XNU port feng shui and kpp bypass. In this article, we discuss the technique detail about XNU port feng shui and transform this technique to macOS to gain root privilege. Last but not least, the exploit source code could be downloaded at:

 

0x01 Kernel heap overflow

To gain root privilege in macOS 10.12 through XNU port feng shui, we need a kernel vulnerability. In this article, we choose mach_voucher heap overflow as an example. Mach_voucher_extract_attr_recipe_trap() is a mach trap which can be called inside the sandbox. It's a new function added in iOS 10 and macOS 10.12. But, it has a terrible buffer overflow vulnerability.

In the function, args->recipe_size is a user mode pointer which points to an integer number. So mach_voucher_extract_attr_recipe_trap() copies the size value from user mode through copyin().

The function then uses the sz value to allocate a memory block on the kernel heap. However, the developer forgot args->recipe_size was a user mode pointer and then used it as a size value in copyin(). We know that user mode pointer could be larger than the sz value which will cause a buffer overflow in kernel heap.

Note that we may not be able to control the address of the user mode pointer if we want to allocate a memory block on that address. But it’s not a problem. Copyin() function will automatically stop if it meets unmapped memory. So we could allocate a memory block on a high address and then unmap the rest memory block to control the overflow data.

0x02 Heap feng shui through port

In iOS 10 and macOS 10.12, Apple added a new mitigation mechanism to check the freeing into the wrong zone attack, so we cannot use the classic vm_map_copy (changing vm_map_size) technique to do heap feng shui. In addition, Apple added a freelist randomization mechanism in iOS 9.2 and macOS 10.11, we cannot easily predict the location of reallocated memory block. To solve those problems, we need a new heap feng shui technique. In Yalu 10.2, qwertyoruiop used OOL_PORTS to get the kernel task port which can be used to do arbitrary kernel memory read and write. This technique bypassed all mitigation mechanisms in XNU heap. In the rest of this section, we will discuss the detail of this technique.

Mach msg is the most frequently used IPC mechanism in XNU and a lot of messages are transmitted through “complicated message”. Through the “complicated message” of MACH_MSG_OOL_PORTS_DESCRIPTOR msg_type, we can transmit out-of-line ports to the kernel. For example, we sent 32 MACH_PORT_DEAD ool ports (32*8 bytes=0x100 bytes) to the kalloc.256 zone of kernel.

The ool ports saved in mach msg are ipc_object pointers and the pointer can point to a user mode address. Therefore, we can use mach_voucher vulnerability to overflow those pointers and modify one ipc_object pointer to point to a fake ipc_object in user mode. In addition, we could create a fake task in user mode for the fake port as well.

To insure overflowing the right ipc_object pointer, we need to do some heap feng shui. Firstly, we send lots of ool ports messages to the kernel to insure the new allocated memory blocks are continuous. Then we receive some messages in the middle to dig some slots. Then we send some messages again to make the overflow point at the middle of the slots. At last, we use mach_voucher to trigger the heap overflow at the overflow point.

After overflow, we can receive the rest of mach messages to find the corrupted port (not MACH_PORT_DEAD port).

0x03 arbitrary kernel memory read and write

Firstly, we set the io_bits of the fake ipc_object to IKOT_CLOCK. So we can use clock_sleep_trap() to traverse the kernel to get the address of clock task in the kernel. This address will help us to find the kernel text base later.

Then we set io_bits of the fake ipc_object to IKOT_TASK and craft a fake task for the fake port. By setting the value at the faketask+0x380 (in arm64, it’s 0x360), we could read arbitrary 32 bits kernel memory through pid_for_task(). That’s amazing because the function doesn’t check the validity of the task, and just return the value of *(*(faketask + 0x380) + 0x10). So we could gain arability kernel read without any gadgets and ROP.

By using the leaked kernel address of clock task, we could search the magic number of kernel image in the memory to find the kernel slide.

After getting the kernel base, we can traverse all the processes to find the kernel ipc_object and kernel task. Then we dump this information to our fake ipc_object and fake task. By using task_get_special_port() to our fake ipc_object and task, we could get the kernel task port. Note that the kernel task port is very powerful. It can be used to do arbitrary kernel memory read and write through mach_vm_read() and mach_vm_write().

0x04 Getting root

The credential information, the posix_cred structure, for each process is stored in kernel memory. We need to find our process information first (from kernel base + allproc) and then find the posix_cred structure data of our exploit process. After that, we use mach_vm_write() through kernel_task_port to set the cr_ruid (real user id) value to 0 (which means root). Last but not least, we can use system(“/bin/bash”) to get the root shell!

0x05 Summary

In this article, we introduced how to use mach_voucher heap overflow and port feng shui to achieve local privilege escalation on macOS 10.12.2. And the exploit source code can be downloaded at:

0x06 Reference

1. Yalu 102: 

2. 

转载地址:http://vsqko.baihongyu.com/

你可能感兴趣的文章
Linux 工程师新法宝:在 Visual Studio 上用 C++ 写 Linux
查看>>
Postgre Sql获取最近一周、一月、一年日期函数
查看>>
p4377 [USACO18OPEN]Talent Show
查看>>
快速排序 Gnu glibc qsort_r
查看>>
MyBatis Generator 详解 专题
查看>>
程序员的视角:java 线程(转)
查看>>
VisualSVN
查看>>
自定义Section
查看>>
在.NET开发中的单元测试工具之(2)——xUnit.Net
查看>>
Go之类型判断
查看>>
第二百五十二节,Bootstrap项目实战-首页
查看>>
Gray Code
查看>>
python 依照list中的dic的某key排序
查看>>
机器学习--详解人脸对齐算法SDM-LBF
查看>>
js中几种实用的跨域方法原理详解
查看>>
Go语言的基准测试简单示例
查看>>
PLSQL连接Oracle 数据库配置详解
查看>>
load函数
查看>>
gsp页面标签
查看>>
慎用Outline ,UGUI Outline实现原理分析
查看>>