チャレンジパッドNeoで検証した脆弱性


mtk-su

セキュリティパッチがあたっているため不可。

DirtyPipe

Linuxカーネルのバージョンが古いため不可。

CVE-2021-4154

TAB-A05-BD:/data/local/tmp $ ./a.out                                       
1|TAB-A05-BD:/data/local/tmp $ ./strace ./a.out                                
execve("./a.out", ["./a.out"], 0x7fe0025b60 /* 21 vars */) = 0
brk(NULL)                               = 0x393ca000
brk(0x393caf90)                         = 0x393caf90
uname({sysname="Linux", nodename="localhost", ...}) = 0
set_tid_address(0x393ca0d0)             = 5666
set_robust_list(0x393ca0e0, 24)         = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x405d28, sa_mask=[], sa_flags=SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x405de8, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlinkat(AT_FDCWD, "/proc/self/exe", "/data/local/tmp/a.out", 4096) = 21
brk(0x393ebf90)                         = 0x393ebf90
brk(0x393ec000)                         = 0x393ec000
mprotect(0x499000, 4096, PROT_READ)     = 0
getcwd("/data/local/tmp", 4096)         = 16
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
rt_sigaction(SIGINT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7007499000
rt_sigprocmask(SIG_BLOCK, ~[], [CHLD], 8) = 0
clone(child_stack=0x70074a2000, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 5667
munmap(0x7007499000, 36864)             = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
wait4(5667, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 5667
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5667, si_uid=2000, si_status=0, si_utime=0, si_stime=0} ---
fchmodat(AT_FDCWD, "exp_dir", 0777)     = 0
chdir("exp_dir")                        = 0
mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EACCES (Permission denied)
getuid()                                = 2000
getgid()                                = 2000
mprotect(0x4c0000, 4096, PROT_NONE)     = 0
clone(child_stack=0x5bffc0, flags=CLONE_NEWUSER|CLONE_NEWPID) = -1 EINVAL (Invalid argument)
exit_group(1)                           = ?
+++ exited with 1 +++

CVE-2021-43267

TAB-A05-BD:/data/local/tmp $ chmod +x ./a.out                              
TAB-A05-BD:/data/local/tmp $ ./a.out                                           
[$] enabling tipc udp media
socket: Permission denied
[!] ERROR: failed to send netlink control message.
255|TAB-A05-BD:/data/local/tmp $ ./strace ./a.out                              
execve("./a.out", ["./a.out"], 0x7ff8222510 /* 21 vars */) = 0
brk(NULL)                               = 0x1b487000
brk(0x1b487f80)                         = 0x1b487f80
uname({sysname="Linux", nodename="localhost", ...}) = 0
readlinkat(AT_FDCWD, "/proc/self/exe", "/data/local/tmp/a.out", 4096) = 21
brk(0x1b4a8f80)                         = 0x1b4a8f80
brk(0x1b4a9000)                         = 0x1b4a9000
mprotect(0x48d000, 16384, PROT_READ)    = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x2), ...}) = 0
write(1, "[$] enabling tipc udp media\n", 28[$] enabling tipc udp media
) = 28
getpid()                                = 4837
socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = -1 EACCES (Permission denied)
dup(2)                                  = 3
fcntl(3, F_GETFL)                       = 0x20002 (flags O_RDWR|O_LARGEFILE)
fstat(3, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x2), ...}) = 0
write(3, "socket: Permission denied\n", 26socket: Permission denied
) = 26
close(3)                                = 0
write(2, "[!] ERROR: ", 11[!] ERROR: )             = 11
write(2, "failed to send netlink control m"..., 39failed to send netlink control message.) = 39
write(2, "\n", 1
)                       = 1
exit_group(-1)                          = ?
+++ exited with 255 +++
 

CVE-2022-2588

https://seclists.org/oss-sec/2022/q3/132

./strace ./a.out
execve("./a.out", ["./a.out"], 0x7ffe3423a0 /* 21 vars */) = 0
brk(NULL)                               = 0x3bf1d000
brk(0x3bf1df80)                         = 0x3bf1df80
uname({sysname="Linux", nodename="localhost", ...}) = 0
readlinkat(AT_FDCWD, "/proc/self/exe", "/data/local/tmp/a.out", 4096) = 21
brk(0x3bf3ef80)                         = 0x3bf3ef80
brk(0x3bf3f000)                         = 0x3bf3f000
mprotect(0x489000, 4096, PROT_READ)     = 0
unshare(CLONE_NEWUSER|CLONE_NEWNET)     = -1 EINVAL (Invalid argument)
socket(AF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 3
write(3, "8\0\0\0\20\0\1\4\1\0\0\0\0\0\0\0\0\0\0\0000\0\0\0\0\0\0\0\0\0\0\0"..., 56) = -1 EACCES (Permission denied)
read(3, 0x7ff3d846a8, 4096)             = -1 EAGAIN (Resource temporarily unavailable)
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0), ...}) = 0
write(1, "0\n", 20
)                      = 2
write(3, "0\0\0\0$\0\1\5\1\0\0\0\0\0\0\0\0\0\0\0000\0\0\0\0\0\1\0\377\377\377\377"..., 48) = -1 EACCES (Permission denied)
read(3, 0x7ff3d846a8, 4096)             = -1 EAGAIN (Resource temporarily unavailable)
write(1, "0\n", 20
)                      = 2
write(3, "D\0\0\0,\0A\4\1\0\0\0\0\0\0\0\0\0\0\0000\0\0\0\0\0\0\0\0\0\1\0"..., 68) = -1 EACCES (Permission denied)
read(3, 0x7ff3d846a8, 4096)             = -1 EAGAIN (Resource temporarily unavailable)
write(1, "0\n", 20
)                      = 2
write(3, "8\0\0\0,\0A\4\1\0\0\0\0\0\0\0\0\0\0\0000\0\0\0\0\0\0\0\0\0\1\0"..., 56) = -1 EACCES (Permission denied)
read(3, 0x7ff3d846a8, 4096)             = -1 EAGAIN (Resource temporarily unavailable)
write(1, "0\n", 20
)                      = 2
write(3, "(\0\0\0\21\0\1\4\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 40) = -1 EACCES (Permission denied)
read(3, 0x7ff3d846a8, 4096)             = -1 EAGAIN (Resource temporarily unavailable)
write(1, "0\n", 20
)                      = 2
exit_group(0)                           = ?
+++ exited with 0 +++

CVE-2022-34918

https://github.com/veritas501/CVE-2022-34918

TAB-A05-BD:/data/local/tmp $ ./strace ./exploit
execve("./exploit", ["./exploit"], 0x7fdd619500 /* 21 vars */) = 0
brk(NULL)                               = 0x6fc0000
brk(0x6fc0f80)                          = 0x6fc0f80
uname({sysname="Linux", nodename="localhost", ...}) = 0
readlinkat(AT_FDCWD, "/proc/self/exe", "/data/local/tmp/exploit", 4096) = 23
brk(0x6fe1f80)                          = 0x6fe1f80
brk(0x6fe2000)                          = 0x6fe2000
mprotect(0x48f000, 4096, PROT_READ)     = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x6fc00d0) = 2425
[*] src/main.c:208 initialize exploit environment ...
[-] src/common.c:20 unshare(CLONE_NEWUSER | CLONE_NEWNS): Invalid argument
[-] src/common.c:20 Exit at line 20
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 2425
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2425, si_uid=2000, si_status=1, si_utime=0, si_stime=0} ---
exit_group(0)                           = ?
+++ exited with 0 +++

CVE-2021-3493

TAB-A05-BD:/data/local/tmp $ ./a.out                                                                                                                                                                                                      
 ./a.out: execl ./ovlcap/upper/magic: No such file or directory
 ./a.out: unshare: Invalid argument

CVE-2020-27194

 TAB-A05-BD:/data/local/tmp $ ./blasty-vs-ebpf                                                                                                                                                                                           
 
       $$$ Linux 5.8.15+ CVE-2020-27194 exploit  $$$
             -- by blasty <peter@haxx.in> --
 
 [!] ERROR: failed to create map (13)

CVE-2020-8835

TAB-A05-BD:/data/local/tmp $ ./poc                                                                                                                                                                                                        
 [*] sneaking evil bpf past the verifier
 
 [!] failed to load prog 'Function not implemented'
 1|TAB-A05-BD:/data/local/tmp $ ./poc                                                                                                                                                                                                        
 [*] sneaking evil bpf past the verifier
 
 [!] failed to load prog 'Function not implemented'
 1|TAB-A05-BD:/data/local/tmp $

CVE-2020-14386

 TAB-A05-BD:/data/local/tmp $ ./a.out                                           
 [-] unshare(CLONE_NEWUSER): Invalid argument

CVE-2021-33909

https://github.com/ChrisTheCoolHut/CVE-2021-33909
build.sh

aarch64-linux-gnu-gcc exploit.c -o exploit -static -lpthread -DBLOCK_VIA_USERFAULTFD
 127|TAB-A05-BD:/data/local/tmp $ ./exploit                                     
 died in read_modprobe_path: 1300

umidigi f1 playでの実行結果。Androidでは動作しないのかも。

chdir("\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\") = 0
chdir("/")                              = 0
mmap(NULL, 1056768, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x750ab3c000
mprotect(0x750ab3d000, 1048576, PROT_READ|PROT_WRITE) = 0
socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
clone(child_stack=0x750ac3d000, flags=CLONE_NEWNS|CLONE_NEWUSER|SIGCHLD) = -1 EINVAL (Invalid argument)
write(2, "died in fork_userns: 177\n", 25died in fork_userns: 177
) = 25
exit_group(1)                           = ?
+++ exited with 1 +++
 

CVE-2021-22555

 TAB-A05-BD:/data/local/tmp $ ./2021-22555                                      
 [+] Linux Privilege Escalation by theflow@ - 2021
 
 [+] STAGE 0: Initialization
 [*] Setting up namespace sandbox...
 [-] unshare(CLONE_NEWUSER): Invalid argument

CVE-2021-28663

 TAB-A05-BD:/data/local/tmp $ ./mali_poc                                      
 Version major,minor = 11,13
 ioctl <KBASE_IOCTL_SET_FLAGS> failed and returned: Invalid argument 

CVE-2021-42008

/tmpを/data/local/tmpに変更しても動作せず

TAB-A05-BD:/data/local/tmp $ ./exploit                                                                                                                                                                                                    
 [*] Assigning process 2894 to core 0
 [*] CPU affinity:
  └ Core #0 = 1
  └ Core #1 = 0
  └ Core #2 = 0
  └ Core #3 = 0
 sh: can't create /tmp/asd: No such file or directory
 chmod: /tmp/asd: No such file or directory
 sh: can't create /tmp/x: No such file or directory
 sh: can't create /tmp/x: No such file or directory
 sh: can't create /tmp/x: No such file or directory
 chmod: /tmp/x: No such file or directory
 [X] Userfaultfd failed: Function not implemented

CVE-2020-8835

TAB-A05-BD:/data/local/tmp $ ./poc                                                                                                                                                                                                          
 [*] sneaking evil bpf past the verifier
 [!] failed to load prog 'Function not implemented'
 
 1|TAB-A05-BD:/data/local/tmp $ ./exp                                                                                                                                                                                                        
 [!] failed to create map 'Function not implemented'

CVE-2021-26708

https://github.com/jordan9001/vsock_poc (コンパイルできない)
https://github.com/azpema/CVE-2021-26708 (VMADDR_CID_LOCALをVMADDR_CID_HOSTに変更してコンパイル)

 TAB-A05-BD:/data/local/tmp $ ./vuln                                                                                                                                                                                                       
 [+] CVE-2021-26708 exploit
 [ ] uid=2000 gid=2000
 [-] open vsock: Permission denied 

CVE-2022-23222

TAB-A05-BD:/data/local/tmp $ ./exploit                                         
[*] phase(1/8) 'create bpf map(s)' running
[!] WARNING: Failed to create comm map: -1 (Operation not permitted)
[-] phase(1/8) 'create bpf map(s)' return with error -1
[*] phase(2/8) 'do some leak' skipped
[*] phase(3/8) 'prepare arbitrary rw' skipped
[*] phase(4/8) 'spawn processes' skipped
[*] phase(5/8) 'find cred (slow)' skipped
[*] phase(6/8) 'overwrite cred' skipped
[*] phase(7/8) 'spawn root shell' skipped
[*] phase(8/8) 'clean up the mess' running
[+] phase(8/8) 'clean up the mess' done
255|TAB-A05-BD:/data/local/tmp $ 

CVE-2021-4204

TAB-A05-BD:/data/local/tmp $ ./exploit
[*] phase(1/7) 'create bpf map(s)' running
[!] WARNING: Failed to create comm map: -1 (Operation not permitted)
[-] phase(1/7) 'create bpf map(s)' return with error -1
[*] phase(2/7) 'corrupt ringbuf' skipped
[*] phase(3/7) 'spawn processes' skipped
[*] phase(4/7) 'find cred (slow)' skipped
[*] phase(5/7) 'overwrite cred' skipped
[*] phase(6/7) 'spawn root shell' skipped
[*] phase(7/7) 'clean up the mess' running
[+] phase(7/7) 'clean up the mess' done
255|TAB-A05-BD:/data/local/tmp $ 

CVE-2022-34918

TAB-A05-BD:/data/local/tmp/CVE-2022-34918-LPE-PoC $ ./poc
Segmentation fault

実行結果を記録し忘れたが動作しなかったもの

 

CVE-2021-3490(Android には影響なし)
CVE-2021-0485(11のみ)

Androidの謎のバグを利用

Androidには、深い階層のディレクトリやファイルを作成すると、初期化以外では削除が不能になるバグがある。

以下のコードをコンパイルし、/data/local/tmpなどで動かしてみると深い階層のディレクトリが作成される。

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
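/*
 * Builds a chain of DEPTH nested directories, each named "b", starting at
 * the current working directory and descending into every level as it is
 * created.
 *
 * Returns EXIT_SUCCESS when the whole chain exists, EXIT_FAILURE if a
 * mkdir() or chdir() fails. Stopping at the first failure matters: the
 * original ignored both return values, so once chdir() failed every later
 * mkdir() targeted the same directory and the chain silently ended short
 * of DEPTH without any indication.
 */
int main(void)
{
    enum { DEPTH = 35000 };

    for (int level = 1; level <= DEPTH; level++) {
        /* An already existing "b" is tolerated so a rerun continues into it. */
        if (mkdir("b", S_IRWXU) != 0 && errno != EEXIST) {
            perror("mkdir");
            fprintf(stderr, "  (stopped at level %d)\n", level);
            return EXIT_FAILURE;
        }
        if (chdir("b") != 0) {
            perror("chdir");
            fprintf(stderr, "  (stopped at level %d)\n", level);
            return EXIT_FAILURE;
        }
    }
    return EXIT_SUCCESS;
}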

これを削除しようとするとrmコマンドからもアプリ側からもbusybox側からも削除ができない。これをアプリ固有のディレクトリ(/data以下)などでやるとアプリをアンインストールしたとしてもディレクトリやファイルがそこに残存してしまう。

これをうまく利用したと思われるものがCVE-2021-33909だ。だがこれ自体はチャレンジパッドneoでは動作しない。

このディレクトリが削除できないバグ自体は最新のAndroid 13でさえ残存しているため、CVE-2021-33909とは別の何らかのバグだということだ。うまく利用すれば異常な動作を引き起こさせ、root権限に昇格することもできるのかもしれない。
 
