The most simple of vulnerabilities
A double-fetch vulnerability is when data is accessed from userspace multiple times. Because userspace programs will commonly pass parameters in to the kernel as pointers, the data can be modified at any time. If it is modified at the exact right time, an attacker could compromise the execution of the kernel.
Let's start with a convoluted example, where all we want to do is change the id
that the module stores. We are not allowed to set it to 0
, as that is the ID of root
, but all other values are allowed.
The code below will be the contents of the read()
function of a kernel. I've removed the boilerplate code mentioned previously, but here are the relevant parts:
The program will:
Check if the ID we are attempting to switch to is 0
If it is, it doesn't allow us, as we attempted to log in as root
Sleep for 1 second (this is just to illustrate the example better, we will remove it later)
Compare the password to p4ssw0rd
If it is, it will set the id
variable to the id
in the creds
structure
Let's say we want to communicate with the module, and we set up a simple C program to do so:
We compile this statically (as there are no shared libraries on our VM):
As expected, the id
variable gets set to 900
- we can check this in dmesg
:
That all works fine.
The flaw here is that creds->id
is dereferenced twice. What does this mean? The kernel module is passed a reference to a Credentials
struct:
This is a pointer, and that is perhaps the most important thing to remember. When we interact with the module, we give it a specific memory address. This memory address holds the Credentials
struct that we define and pass to the module. The kernel does not have a copy - it relies on the user's copy, and goes to userspace memory to use it.
Because this struct is controlled by the user, they have the power to change it whenever they like.
The kernel module uses the id
field of the struct on two separate occasions. Firstly, to check that the ID we wish to swap to is valid (not 0
):
And once more, to set the id
variable:
Again, this might seem fine - but it's not. What is stopping it from changing inbetween these two uses? The answer is simple: nothing. That is what differentiates userspace exploitation from kernel space.
Inbetween the two dereferences creds->id
, there is a timeframe. Here, we have artificially extended it (by sleeping for one second). We have a race codition - the aim is to switch id
in that timeframe. If we do this successfully, we will pass the initial check (as the ID will start off as 900
), but by the time it is copied to id
, it will have become 0
and we have bypassed the security check.
Here's the plan, visually, if it helps:
In the waiting period, we swap out the id
.
If you are trying to compile your own kernel, you need CONFIG_SMP
enabled, because we need to modify it in a different thread! Additionally, you need QEMU to have the flag -smp 2
(or more) to enable 2 cores, though it may default to having multiple even without the flag. This example may work without SMP, but that's because of the sleep - when we most onto part 2, with no sleep, we require multiple cores.
The C program will hang on write
until the kernel module returns, so we can't use the main thread.
With that in mind, the "exploit" is fairly self-explanatory - we start another thread, wait 0.3 seconds, and change id
!
We have to compile it statically, as the VM has no shared libraries.
Now we have to somehow get it into the file system. In order to do that, we need to first extract the .cpio
archive (you may want to do this in another folder):
Now copy exploit
there and make sure it's marked executable. You can then compress the filesystem again:
Use the newly-created initramfs.cpio
to lauch the VM with run.sh
. Executing exploit
, it is successful!
Note that the VM loaded you in as root
by default. This is for debugging purposes, as it allows you to use utilities such as dmesg
to read the kernel module output and check for errors, as well as a host of other things we will talk about. When testing exploits, it's always helpful to fix the init
script to load you in as root! Just don't forget to test it as another user in the end.
Removing the artificial sleep
In reality, there won't be a 1-second sleep for your race condition to occur. This means we instead have to hope that it occurs in the assembly instructions between the two dereferences!
This will not work every time - in fact, it's quite likely to not work! - so we will instead have two loops; one that keeps writing 0
to the ID, and another that writes another value - e.g. 900
- and then calling write
. The aim is for the thread that switches to 0
to sync up so perfectly that the switch occurs inbetween the ID check and the ID "assignment".
If we check the source, we can see that there is no msleep
any longer:
Our exploit is going to look slightly different! We'll create the Credentials
struct again and set the ID to 900
:
Then we are going to write this struct to the module repeatedly. We will loop it 1,000,000 times (effectively infinite) to make sure it terminates:
If the ID returned is 0
, we won the race! It is really important to keep in mind exactly what the "success" condition is, and how you can check for it.
Now, in the second thread, we will constantly cycle between ID 900
and 0
. We do this in the hope that it will be 900
on the first dereference, and 0
on the second! I make this loop infinite because it is a thread, and the thread will be killed when the program is (provided you remove pthread_join()
! Otherwise your main thread will wait forever for the second to stop!).
Compile the exploit and run it, we get the desired result:
Look how quick that was! Insane - two fails, then a success!
The dereferences [rbx]
have just one assembly instruction between, yet we are capable of racing. THAT is just how tight!
You might be wondering how tight the race window can be for exploitation - well, had a race of two assembly instructions: