* Linux kernel: net/can/isotp: race condition leads to local privilege escalation
@ 2021-05-11 22:00 Norbert Slusarek
2021-05-12 4:16 ` [oss-security] " Salvatore Bonaccorso
0 siblings, 1 reply; 2+ messages in thread
From: Norbert Slusarek @ 2021-05-11 22:00 UTC (permalink / raw)
To: oss-security
Cc: netdev, socketcan, mkl, alex.popov, linux-can, seth.arnold,
steve.beattie, cascardo
A race condition in the CAN ISOTP networking protocol was discovered which
allows forbidden changing of socket members after binding the socket.
In particular, the lack of locking behavior in isotp_setsockopt() makes it
feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the socket, despite having
previously registered a can receiver. After closing the isotp socket, the can
receiver will still be registered and use-after-free's can be triggered in
isotp_rcv() on the freed isotp_sock structure.
This leads to arbitrary kernel execution by overwriting the sk_error_report()
pointer, which can be misused in order to execute a user-controlled ROP chain to
gain root privileges.
The vulnerability was introduced with the introduction of SF_BROADCAST support
in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional
addressing") in 5.11-rc1.
In fact, commit 323a391a220c ("can: isotp: isotp_setsockopt():
block setsockopt on bound sockets") did not effectively prevent isotp_setsockopt()
from modifying socket members before isotp_bind().
The requested CVE ID will be revealed along with further exploitation details
as a response to this notice on 13th May of 2021.
Credits: Norbert Slusarek
*** exploit log ***
Adjusted to work with openSUSE Tumbleweed.
noprivs@suse:~/expl> uname -a
Linux suse 5.12.0-1-default #1 SMP Mon Apr 26 04:25:46 UTC 2021 (5d43652) x86_64 x86_64 x86_64 GNU/Linux
noprivs@suse:~/expl> ./lpe
[+] entering setsockopt
[+] entering bind
[+] left bind with ret = 0
[+] left setsockopt with flags = 838
[+] race condition hit, closing and spraying socket
[+] sending msg to run softirq with isotp_rcv()
[+] check sudo su for root rights
noprivs@suse:~/expl> sudo su
suse:/home/noprivs/expl # id
uid=0(root) gid=0(root) groups=0(root)
suse:/home/noprivs/expl # cat /root/check
high school student living in germany looking for an internship in info sec.
if interested please reach out to nslusarek@gmx.net.
Regards,
Norbert Slusarek
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [oss-security] Linux kernel: net/can/isotp: race condition leads to local privilege escalation
2021-05-11 22:00 Linux kernel: net/can/isotp: race condition leads to local privilege escalation Norbert Slusarek
@ 2021-05-12 4:16 ` Salvatore Bonaccorso
0 siblings, 0 replies; 2+ messages in thread
From: Salvatore Bonaccorso @ 2021-05-12 4:16 UTC (permalink / raw)
To: oss-security
Cc: netdev, socketcan, mkl, alex.popov, linux-can, seth.arnold,
steve.beattie, cascardo
Hi,
On Wed, May 12, 2021 at 12:00:33AM +0200, Norbert Slusarek wrote:
> A race condition in the CAN ISOTP networking protocol was discovered which
> allows forbidden changing of socket members after binding the socket.
>
> In particular, the lack of locking behavior in isotp_setsockopt() makes it
> feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the socket, despite having
> previously registered a can receiver. After closing the isotp socket, the can
> receiver will still be registered and use-after-free's can be triggered in
> isotp_rcv() on the freed isotp_sock structure.
> This leads to arbitrary kernel execution by overwriting the sk_error_report()
> pointer, which can be misused in order to execute a user-controlled ROP chain to
> gain root privileges.
>
> The vulnerability was introduced with the introduction of SF_BROADCAST support
> in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional
> addressing") in 5.11-rc1.
> In fact, commit 323a391a220c ("can: isotp: isotp_setsockopt():
> block setsockopt on bound sockets") did not effectively prevent isotp_setsockopt()
> from modifying socket members before isotp_bind().
>
> The requested CVE ID will be revealed along with further exploitation details
> as a response to this notice on 13th May of 2021.
>
> Credits: Norbert Slusarek
>
> *** exploit log ***
>
> Adjusted to work with openSUSE Tumbleweed.
>
> noprivs@suse:~/expl> uname -a
> Linux suse 5.12.0-1-default #1 SMP Mon Apr 26 04:25:46 UTC 2021 (5d43652) x86_64 x86_64 x86_64 GNU/Linux
> noprivs@suse:~/expl> ./lpe
> [+] entering setsockopt
> [+] entering bind
> [+] left bind with ret = 0
> [+] left setsockopt with flags = 838
> [+] race condition hit, closing and spraying socket
> [+] sending msg to run softirq with isotp_rcv()
> [+] check sudo su for root rights
> noprivs@suse:~/expl> sudo su
> suse:/home/noprivs/expl # id
> uid=0(root) gid=0(root) groups=0(root)
> suse:/home/noprivs/expl # cat /root/check
> high school student living in germany looking for an internship in info sec.
> if interested please reach out to nslusarek@gmx.net.
FTR, this issue has CVE-2021-32606[1] assigned.
[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32606
Regards,
Salvatore
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-05-12 4:16 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-11 22:00 Linux kernel: net/can/isotp: race condition leads to local privilege escalation Norbert Slusarek
2021-05-12 4:16 ` [oss-security] " Salvatore Bonaccorso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).