PWN2OWN 2017 the Linux kernel to mention the right vulnerability analysis-vulnerability warning-the black bar safety net

!

0. Foreword

In 2017, the PWN2OWN contest, the long Pavilion security research lab Chaitin Security Research Lab successfully demonstrates Ubuntu 16.10 Desktop of the local extraction rights. This attack mainly use the linux kernel IPSEC framework(from linux2. 6 Start support)in a memory bounds vulnerability, the CVE number for CVE-2017-7184。

As is well known, Linux the applications range far and wide,we often use the Android, Redhat, CentOS, Ubuntu, Fedora, etc all use Linux operating system. In PWN2OWN, after, Google, Redhat also for the corresponding products issued a vulnerability announcement or patch(see Resources) to. And shows the long Pavilion security research lab Acknowledgements, this is also recommended not to upgrade the server kernel to the friends timely to update the kernel to the latest version:P

Unlike the usual case, in order to increase the game difficulty, the PWN2OWN contest using the Linux version on the many vulnerability mitigation measures, kASLR and SMEP AND SMAP are turned on by default, in this case, the vulnerability becomes extremely difficult to use, a lot of vulnerability possible only in these mitigation measures before it will be defeated.

In addition it is worth mentioning that the use of the vulnerability concealment is very high, in the linux kernel in the presence of time is also very long. Because the trigger this vulnerability requires not only the arrangement of a kernel data structure, and the need to make the kernel handle the attacker carefully constructed data packet, using the traditional fuzz way is almost impossible to find this vulnerability.

Ultimately, the long Pavilion security research lab successfully exploited this vulnerability at PWN2OWN the arena pop-up a PWN2OWN history of the first xcalc, ZDI staff were seen after also expressed surprise endless.

! [](/Article/UploadPic/2017-5/201753105816366. png)! [](/Article/UploadPic/2017-5/201753105816366. png)

Below together look at the entire vulnerability discovery and use of the process.

1. The IPSEC Protocol introduction

IPSEC is a Protocol combination, which contains the AH, ESP, IKE Protocol that provides packet authentication and encryption functions.

In order to help better understand the vulnerability causes the following are several concepts that need briefly explain

(1) SA(Security Associstion)

SA by spi, ip, security Protocol identifier(AH or ESP)these three parameters are uniquely determined. The SA defines the ipsec parties the ip address, ipsec Protocol, encryption algorithm, key, mode, anti-replay window, etc.

(2) AH(Authentication Header)

AH to ip packets provides data integrity check and authentication functions, to provide anti-replay capability, the authentication algorithm from the SA specified.

(3) ESP(Encapsulating security payload)

The ESP for the ip packet to provide integrity check, authentication and encryption.

2. The Linux kernel IPSEC implementation

In the linux kernel IPSEC implementation that is xfrm this framework, on the xfrm code mainly in net/xfrm as well as net/ipv4.

The following is/net/xfrm under the code probably functions

xfrm_state. c state management
xfrm_policy. c xfrm Policy Management
xfrm_algo. c algorithm management
xfrm_hash. c hash calculation function
xfrm_input. c secure path(sec_path)processing for processing the incoming ipsec packet
xfrm_user. c netlink interface of the SA and the SP(Security Policy)Management of

Wherein xfrm_user. c in the code allows us to kernel send netlink message to call the associated handler to achieve the SA and SP configuration, which relates to the processing function as follows.

xfrm_dispatch[XFRM_NR_MSGTYPES] = {
[XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { . doit = xfrm_add_sa },
[XFRM_MSG_DELSA - XFRM_MSG_BASE] = { . doit = xfrm_del_sa },
[XFRM_MSG_GETSA - XFRM_MSG_BASE] = { . doit = xfrm_get_sa,
. dump = xfrm_dump_sa,
. done = xfrm_dump_sa_done },
[XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { . doit = xfrm_add_policy },
[XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { . doit = xfrm_get_policy },
[XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { . doit = xfrm_get_policy,
. dump = xfrm_dump_policy,
. done = xfrm_dump_policy_done },
[XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { . doit = xfrm_alloc_userspi },
[XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = { . doit = xfrm_add_acquire },
[XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = { . doit = xfrm_add_sa_expire },
[XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { . doit = xfrm_add_policy },
[XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { . doit = xfrm_add_sa },
[XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = { . doit = xfrm_add_pol_expire},
[XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { . doit = xfrm_flush_sa },
[XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { . doit = xfrm_flush_policy },
[XFRM_MSG_NEWAE - XFRM_MSG_BASE] = { . doit = xfrm_new_ae },
[XFRM_MSG_GETAE - XFRM_MSG_BASE] = { . doit = xfrm_get_ae },
[XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = { . doit = xfrm_do_migrate },
[XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = { . doit = xfrm_get_sadinfo },
[XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = { . doit = xfrm_set_spdinfo,
. nla_pol = xfrma_spd_policy,
. nla_max = XFRMA_SPD_MAX },
[XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { . doit = xfrm_get_spdinfo },
};

The following simple introduce several functions:

xfrm_add_sa

Create a new SA, and can specify the attr, the kernel, is to use a xfrm_state structure to represent an SA.

xfrm_del_sa

To delete an SA, i.e. to delete a specified xfrm_state it.

xfrm_new_ae

According to the incoming parameters, update the specified xfrm_state structure of the content.

xfrm_get_ae

According to the incoming parameters, the query specifies the xfrm_state structure of the content(including the attr to).

3. Vulnerability causes

When we send a XFRM_MSG_NEWSA type of message, you can call xfrm_add_sa function to create a new SA, a new xfrm_state will also be created. In the kernel, in fact the SA is to use xfrm_state this structure to represent.

[1] [2] [3] next