Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 12 May 2021 06:16:08 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: netdev@...r.kernel.org, socketcan@...tkopp.net, mkl@...gutronix.de,
	alex.popov@...ux.com, linux-can@...r.kernel.org,
	seth.arnold@...onical.com, steve.beattie@...onical.com,
	cascardo@...onical.com
Subject: Re: Linux kernel: net/can/isotp: race condition leads
 to local privilege escalation

Hi,

On Wed, May 12, 2021 at 12:00:33AM +0200, Norbert Slusarek wrote:
> A race condition in the CAN ISOTP networking protocol was discovered which
> allows forbidden changing of socket members after binding the socket.
> 
> In particular, the lack of locking behavior in isotp_setsockopt() makes it
> feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the socket, despite having
> previously registered a can receiver. After closing the isotp socket, the can
> receiver will still be registered and use-after-free's can be triggered in
> isotp_rcv() on the freed isotp_sock structure.
> This leads to arbitrary kernel execution by overwriting the sk_error_report()
> pointer, which can be misused in order to execute a user-controlled ROP chain to
> gain root privileges.
> 
> The vulnerability was introduced with the introduction of SF_BROADCAST support
> in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional
> addressing") in 5.11-rc1.
> In fact, commit 323a391a220c ("can: isotp: isotp_setsockopt():
> block setsockopt on bound sockets") did not effectively prevent isotp_setsockopt()
> from modifying socket members before isotp_bind().
> 
> The requested CVE ID will be revealed along with further exploitation details
> as a response to this notice on 13th May of 2021.
> 
> Credits: Norbert Slusarek
> 
> *** exploit log ***
> 
> Adjusted to work with openSUSE Tumbleweed.
> 
> noprivs@...e:~/expl> uname -a
> Linux suse 5.12.0-1-default #1 SMP Mon Apr 26 04:25:46 UTC 2021 (5d43652) x86_64 x86_64 x86_64 GNU/Linux
> noprivs@...e:~/expl> ./lpe
> [+] entering setsockopt
> [+] entering bind
> [+] left bind with ret = 0
> [+] left setsockopt with flags = 838
> [+] race condition hit, closing and spraying socket
> [+] sending msg to run softirq with isotp_rcv()
> [+] check sudo su for root rights
> noprivs@...e:~/expl> sudo su
> suse:/home/noprivs/expl # id
> uid=0(root) gid=0(root) groups=0(root)
> suse:/home/noprivs/expl # cat /root/check
> high school student living in germany looking for an internship in info sec.
> if interested please reach out to nslusarek@....net.

FTR, this issue has CVE-2021-32606[1] assigned.

 [1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32606

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.