Re: Linux Kernel eBPF Improper Input Validation Vulnerability

[tr3e wang <tr3e.wang () gmail com>]

Hi,

The exploit code can be found at https://github.com/tr3ee/CVE-2022-23222

Alexander, thanks for the update and for helping me post the exploit
code, I suffered from network outage last week.

tr3e

On Sun, Jun 5, 2022 at 4:24 AM Solar Designer <solar () openwall com> wrote:
> Hi,
>
> I've attached the exploit from the linux-distros thread - hopefully, the
> right one.  (I really shouldn't be the one doing it.  The exploit author
> is most qualified to do it, as required by linux-distros list policy.)
>
> Alexander
>
> On Wed, Jun 01, 2022 at 02:51:57PM +0200, Solar Designer wrote:
> > Hi,
> >
> > In context of the recent discussions of linux-distros list policies and
> > their enforcement, I looked at some of the previously handled issues,
> > and identified that the below wasn't properly handled/enforced.
> >
> > tr3e, since you had shared actual exploit code with linux-distros, you
> > were supposed to post the _code_ to oss-security within 7 days after
> > your initial public disclosure of the vulnerability.  However, you only
> > posted "the exploit overview" and promised that "Full exploit code will
> > be published on github in the near future."  Apparently, the latter
> > never happened, and it wouldn't have satisfied the requirement anyway.
> >
> > Please post the same exploit code you had shared with linux-distros to
> > this thread on oss-security ASAP.  Thank you!
> >
> > Alexander
> >
> > On Tue, Jan 18, 2022 at 09:29:18PM +0800, tr3e wang wrote:
> > > Hi all,
> > >
> > >
> > > This post is the exploit overview of CVE-2022-23222.
> > >
> > >
> > > We successfully exploited this vulnerability to obtain full root
> > > privileges on default installations of Ubuntu 20.04.
> > >
> > >
> > > *Exploit overview*
> > >
> > >
> > > 1. Among all these *_OR_NULL types, we choose PTR_TO_MEM_OR_NULL
> > >    which can be created by BPF_FUNC_ringbuf_reserve. First, we
> > >    pass 0xffff........ffff to BPF_FUNC_ringbuf_reserve to get a
> > >    NULL pointer r0, and copy r0 to r1. Then add r1 by 1, and do
> > >    NULL check on r0. At this point, the verifier will believe that
> > >    both r0 and r1 are zero.
> > >
> > >
> > > 2. ALU sanitation is hardened after commit
> > >    "bpf: Fix leakage of uninitialized bpf stack under speculation".
> > >    To bypass alu sanitation, we use helper func bpf_skb_load_bytes_*
> > >    to get partial/full overwrite the pointer on stack to obtain
> > >    pointer address leakage and arbitrary address read/write.
> > >
> > >
> > > 3. We spawn many child processes, and use arbitrary address read to
> > >    find the address of task_struct and cred around the the address of
> > >    the array map we created. After zeroing out the uid/gid/... ,
> > >    full root privileges obtained.
> > >
> > >
> > > Full exploit code will be published on github in the near future.
> > >
> > >
> > > Regards,
> > > tr3e
> > >
> > >
> > > tr3e wang <tr3e.wang () gmail com> ???2022???1???13????????? 16:21?????????
> > >
> > >
> > > > Hi all,
> > > >
> > > > This vulnerability allows local attackers to escalate privileges on
> > > > affected installations of Linux Kernel. An attacker must first obtain the
> > > > ability to execute low-privileged code on the target system in order to
> > > > exploit this vulnerability.
> > > >
> > > > The specific flaw exists within the handling of eBPF programs. The issue
> > > > results from the lack of proper validation of user-supplied eBPF programs
> > > > prior to executing them. An attacker can leverage this vulnerability to
> > > > escalate privileges and execute code in the context of the kernel.
> > > > BE AWARE, unprivileged bpf is disabled by default in most distros.
> > > >
> > > > *Affected Version*
> > > >
> > > >     Linux Kernel 5.8 or later
> > > >
> > > > *Root Cause Analysis*
> > > >
> > > > The bpf verifier(kernel/bpf/verifier.c) did not properly restrict several
> > > > *_OR_NULL pointer types which allows these types to do pointer arithmetic.
> > > > This can be leveraged to bypass the verifier check and escalate privilege.
> > > > (see
> > > > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/verifier.c?h=v5.10.83#n6022
> > > > )
> > > >
> > > > *Exploit Code*
> > > >
> > > > Exploit code will be delayed for 5 days and will be posted at 12:00 UTC,
> > > > Jan 18, 2022
> > > >
> > > > *Mitigations*
> > > >
> > > > set kernel.unprivileged_bpf_disabled to 1
> > > >
> > > > BE AWARE AGAIN, unprivileged bpf is disabled by default in most distros.
> > > >
> > > > *Credits*
> > > >
> > > > tr3e of SecCoder Security Lab
> > > > Best,
> > > > tr3e