kernelCTF: Add CVE-2023-4208_lts_cos_mitigation_2

Author: 4ab48b3f1ded2472

pocs/linux/kernelctf/CVE-2023-4208_lts_cos_mitigation_2/docs/exploit.md

@@ -0,0 +1,173 @@
+## Setup
+
+First, we create a root qdisc of the DRR type. 
+Any classful qdisc can be used, but this choice affects the sizes of the objects involved in the exploitation.
+
+Next, we create two child classes: 0x10001 and 0x10002.
+
+We also add two u32 filters attached to the root qdisc:
+- handle 0x80000001, bound to the 0x10001 class, with selector value 0x1234 and mask 0xffff - this will prevent this filter from ever matching.
+- handle 0x80000002, bound to the 0x10001 class, with selector value 0 and mask 0 - this will cause this filter to match on any packet.
+
+## Triggering use-after-free
+
+To trigger the vulnerability [scenario 2](vulnerability.md#scenario-2) is used.
+
+We change the bound class of the first filter (handle 0x80000001) to class 0x10002. 
+This causes field filter_cnt of class 0x10001 to become 0, allowing us to delete it.
+
+## Getting RIP control
+
+Deleting a DRR class frees two objects:
+- struct drr_class, freed directly by kfree() in drr_destroy_class
+- struct qdisc scheduled to be freed through RCU in __qdisc_destroy()
+
+
+### LTS/COS exploit
+
+The simplest way to get code execution is to target ->enqueue() function pointer of the qdisc struct:
+```
+struct qdisc {
+        int                        (*enqueue)(struct sk_buff *, struct qdisc *, struct sk_buff * *); /*     0   0x8 */
+        struct sk_buff *           (*dequeue)(struct qdisc *); /*   0x8   0x8 */
+...
+```
+
+->enqueue() is called from dev_qdisc_enqueue() after a packet is classified to a given class by u32_classify().
+
+Struct qdisc is allocated from kmalloc-512, so we need a heap allocation primitive that will allocate from that cache and gives us control of the first 8 bytes of the object, which excludes some popular options like keys and xattrs.
+
+In this exploit we used a netlink allocation primitive - if a message is sent on the netlink socket (other kinds can be used as well), kernel allocates a buffer for the data to be sent in __alloc_skb() using a kmalloc_reserve() wrapper which for the sizes we are interested in uses a regular general-use kmalloc cache.
+User data is copied at the very beginning of this buffer, with skb metadata (skb_shared_info) added at the end.
+
+One last thing to remember is that we have to sleep for a bit to give RCU time to perform the callback that will free the qdisc object.
+
+After contents of the qdisc object are under our control we just have to send any packet to get RIP control.
+
+In this exploit we rely on the external KASLR leak, so the kernel text address is known beforehand.
+
+
+### Mitigation exploit
+
+When I was writing the original mitigation exploit, I incorrectly assumed that targeting the qdisc object wouldn't work on the mitigation instance because of the static/dynamic kmalloc cache split.
+Looking back at this now, I see that the original exploit for LTS would work perfectly fine on mitigation (after adjusting offsets etc) because qdisc is allocated from dynamic cache due to its size being calculated at runtime in qdisc_alloc().
+
+I'll document this unnecessarily complicated approach here anyways in case someone finds it interesting.
+
+The mitigation exploit targets the other object freed when the class is deleted - struct drr_class. 
+This object has a qdisc pointer at offset 0x60. If we managed to overwrite it with a pointer to a fake qdisc object, we could gain code execution in a similar way to the LTS exploit.
+
+There are two issues to overcome with this approach:
+- drr_class is a fixed-size allocation, so with CONFIG_KMALLOC_SPLIT_VARSIZE enabled we have to find an object allocated from kmalloc-128 that has fixed size and has user-controlled data at offset 0x60
+- We have to have a place with a known address to store the fake qdisc object
+
+First issue is solved by the struct clusterip_config which has a following field at the end:
+```
+struct clusterip_config {
+...
+        char                       ifname[16];           /*  0x60  0x10 */     
+       
+}
+
+```
+
+This object is allocated when creating an iptables rule with the CLUSTERIP target.
+The network interface provided in the ifname field has to exist, but this not a problem because we can rename the loopback interface to any name we want. 
+The only restriction is that we can't use null or whitespace bytes.
+
+The issue with placing the payload at a known address was solved by exploiting a separate infoleak vulnerability in the xfrm subsystem:
+
+```
+author	Herbert Xu <[email protected]>	2023-02-09 09:09:52 +0800
+committer	Steffen Klassert <[email protected]>	2023-02-13 13:38:58 +0100
+commit	8222d5910dae08213b6d9d4bc9a7f8502855e624
+
+xfrm: Zero padding when dumping algos and encap
+```
+
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8222d5910dae08213b6d9d4bc9a7f8502855e624
+
+This vulnerability allows us to leak 64 bytes of uninitialized data from the xfrm_algo object allocated from the kmalloc-96 cache. 
+We'll use it to leak data of a simple_xattr object, which looks like this:
+```
+struct simple_xattr {
+        struct list_head           list;                 /*     0  0x10 */
+        char *                     name;                 /*  0x10   0x8 */
+        size_t                     size;                 /*  0x18   0x8 */
+        char                       value[];              /*  0x20     0 */
+
+};
+```
+
+Here's a procedure to get our data at a known address:
+
+1. Create xattr x1 with data length of 96, but name length of 256 bytes so that simple_xattr is allocated from kmalloc-96, but name from kmalloc-256.
+2. Remove x1 and allocate xfrm_algo in place of its simple_xattr.
+3. Read x1->name pointer using infoleak.
+4. Create a new xattr x2 with data length placing it into kmalloc-256. This will be allocated in place of the x1's name buffer that was freed when x1 was removed. We now have controlled data at the address we leaked + 0x20 (simple_xattr header takes 0x20 bytes).
+
+Next step is to rename the loopback interface to the name matching pointer to our fake qdisc object stored in x2.
+After this is done, we trigger the use-after-free in the same way as with LTS exploit and create an iptables CLUSTERIP rule with input interface set to the fake qdisc's address.
+This overwrites struct drr_class with struct clusterip_config, setting qdisc pointer of the former to the address of our fake object.
+
+Finally, we send a network packet to be matched by u32_classify() leading to the ->enqueue function pointer of our fake qdisc being called.
+
+## Pivot to ROP
+
+When ->enqueue() is called registers are as follows:
+- RDI - pointer to the skb
+- RSI - pointer to the qdisc
+- RAX - copy of the RSI
+
+RDI is not that useful to us, but RSI and RAX point directly to the data under our control..
+
+Stack pivot has three stages using different gadgets.
+
+#### Gadget 1
+
+```
+lea rdi, [rax + 0x20]
+mov rax, qword ptr [rax + 0x30]
+jmp __x86_indirect_thunk_rax
+```
+
+This adds 0x20 to our controlled data pointer, stores it into RDI and jumps to the next gadget. 
+Adding 0x20 is very helpful, because we can't use the very beginning of the buffer as the start of the ROP - it contains the address of our first gadget.
+
+#### Gadget 2
+
+```
+push rdi
+jmp qword [rsi+0x0F]
+```
+
+This pushes location of our ROP chain to the stack and jumps to the next gadget.
+
+#### Gadget 3
+
+```
+pop rsp
+ret
+```
+
+Finally, we pop the previously pushed ROP location into RSP, completing the pivot
+
+Gadgets above are from the LTS exploit, COS/mitigation versions work exactly the same, differences are only in registers used and offsets.
+
+## Second pivot
+
+At this point we have full ROP, but there is not much space - most of our buffer is taken by skb_shared_info struct at the end.
+To have enough space to execute all privilege escalation code we have to pivot again.
+This is quite simple - we choose an unused read/write area in the kernel and use copy_user_generic_string() to copy the second stage ROP from userspace to that area.
+Then we use `pop rsp ; ret` gadget to pivot there.
+
+## Privilege escalation
+
+To escalate our process's privileges we execute following functions from ROP chain:
+
+- commit_creds(init_cred)
+- switch_task_namespaces(find_task_by_vpid(1), init_nsproxy)
+
+Then we set up registers for return to the userspace and jump to the `swapgs ; sysret` gadget in return_via_sysret.
+
+After getting back to userspace we call setns() on namespaces of pid 1 to complete escape to the initial namespace.

pocs/linux/kernelctf/CVE-2023-4208_lts_cos_mitigation_2/docs/vulnerability.md

@@ -0,0 +1,134 @@
+## Requirements to trigger the vulnerability
+
+- CAP_NET_ADMIN in a namespace is required
+- Kernel configuration: CONFIG_NET_CLS_U32
+- User namespaces required: Yes
+
+## Commit which introduced the vulnerability
+
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=de5df63228fcfbd5bb7fd883774c18fec9e61f12
+
+## Commit which fixed the vulnerability
+
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81
+
+## Affected kernel versions
+
+Introduced in 3.18. Fixed in 6.5, 6.1.44, 5.15.125 and other stable trees.
+
+## Affected component, subsystem
+
+net/sched: cls_u32
+
+## Description
+
+When u32_change() is called on an existing filter, the new object is allocated using u32_init_knode() and then u32_set_parms() is called on it:
+```
+...
+                new = u32_init_knode(net, tp, n);
+                if (!new)
+                        return -ENOMEM;
+
+                err = u32_set_parms(net, tp, base, new, tb,
+                                    tca[TCA_RATE], flags, new->flags,
+                                    extack);
+...
+```
+
+u32_init_knode() copies data from the existing "n" filter, including the .res pointer:
+
+```
+static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
+                                         struct tc_u_knode *n)
+{
+...
+        new = kzalloc(struct_size(new, sel.keys, s->nkeys), GFP_KERNEL);
+        if (!new)
+                return NULL;
+
+...
+[1]     new->res = n->res;
+```
+
+
+The copied data includes a "res" field which is a tcf_result structure containing a pointer to the target class of a given filter.
+
+u32_set_parms() calls tcf_bind_filter() if TCA_U32_CLASSID is set:
+```
+        if (tb[TCA_U32_CLASSID]) {
+                n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]);
+[2]             tcf_bind_filter(tp, &n->res, base);
+        }
+```
+
+
+
+tcf_bind_filter() calls .bind_tcf handler on the target class, but if n->res.class was already set it also calls .unbind_tcf on it:
+
+```
+static inline void
+__tcf_bind_filter(struct Qdisc *q, struct tcf_result *r, unsigned long base)
+{
+        unsigned long cl;
+
+        cl = q->ops->cl_ops->bind_tcf(q, base, r->classid);
+        cl = __cls_set_class(&r->class, cl);
+        if (cl)
+[3]                q->ops->cl_ops->unbind_tcf(q, cl);
+}
+```
+
+
+.bind_tcf/.unbind_tcf for most classful qdiscs just increase/decrease filter_cnt counter, which serves as a protection against class being destroyed, e.g.:
+```
+static void drr_unbind_tcf(struct Qdisc *sch, unsigned long arg)
+{
+        struct drr_class *cl = (struct drr_class *)arg;
+
+        cl->filter_cnt--;
+}
+
+static int drr_delete_class(struct Qdisc *sch, unsigned long arg,
+                            struct netlink_ext_ack *extack)
+{
+        struct drr_sched *q = qdisc_priv(sch);
+        struct drr_class *cl = (struct drr_class *)arg;
+
+        if (cl->filter_cnt > 0)
+                return -EBUSY;
+...
+```
+
+Finally, when the change of the existing filter is successful,  tcf_unbind_filter() is called on the old filter in u32_change():
+```
+...
+                u32_replace_knode(tp, tp_c, new);
+[4]             tcf_unbind_filter(tp, &n->res);
+                tcf_exts_get_net(&n->exts);
+                tcf_queue_work(&n->rwork, u32_delete_key_work);
+                return 0;
+...
+```
+
+
+
+
+This leads to a use-after-free (dangling res.class pointer) in two scenarios:
+
+#### Scenario 1
+
+u32_change() is called on the filter with an already bound target class "c1" and there is no TCA_U32_CLASSID in the new parameters.
+tcf_unbind_filter() is called on the old filter in [4].
+filter_cnt of the class "c1" is decreased and it is possible to delete it, however the to the class c1 was copied to fnew in [1] and is still set 
+in the new version of the filter.
+
+
+#### Scenario 2
+
+u32_change() is called on the filter with an already bound target class "c1", there is a TCA_U32_CLASSID in the new parameters, but it is set to the different class "c2"
+Class "c1" is also bound to another filter "f2", so its filter_cnt is 2 at the start.
+
+tcf_bind_filter() is called in [2] leading to the unbind_tcf call [3] on the "c1" class. filter_cnt of "c1" is now 1.
+Finally, tcf_unbind_filter() is called in [4] leading to the second unbind_tcf on the "c1" class.
+This sets the filter_cnt of the "c1" to 0, allowing it to be destroyed, but it is still bound to the "f2" filter.
+

pocs/linux/kernelctf/CVE-2023-4208_lts_cos_mitigation_2/exploit/cos-101-17162.127.42/Makefile

@@ -0,0 +1,9 @@
+INCLUDES = -I/usr/include/libiptc -I/usr/include/libnl3
+LIBS = -L. -pthread -lip4tc -lnl-cli-3 -lnl-route-3 -lnl-3 -ldl
+CFLAGS = -fomit-frame-pointer -static
+
+exploit: exploit.c libip4tc.a
+	gcc -o $@ exploit.c $(INCLUDES) $(CFLAGS) $(LIBS)
+
+prerequisites:
+	sudo apt-get install libnl-cli-3-dev libnl-route-3-dev libip4tc-dev