关联漏洞
标题:
Android Qualcomm GPU驱动提权漏洞
(CVE-2016-2067)
描述:Android是美国谷歌(Google)公司和开放手持设备联盟(简称OHA)共同开发的一套以Linux为基础的开源操作系统。Qualcomm GPU Driver是使用在其中的一个美国高通(Qualcomm)公司开发的图形处理器驱动程序。 Android中的Qualcomm GPU驱动存在提权漏洞,该漏洞源于程序没有正确处理KGSL_MEMFLAGS_GPUREADONLY标识。攻击者可借助恶意的应用程序利用该漏洞在内核上下文中执行任意代码。
介绍
# ADRENO GPU IOMMU DMA EXPLOIT
Tested under Nexus 6p (google/angler/angler:6.0.1/MMB29M/2431559:user/release-keys)
# About the bug
Discussed in 2016 via [Blackhat EU](https://www.blackhat.com/docs/eu-16/materials/eu-16-Taft-GPU-Security-Exposed.pdf)
# About the exploit
With iommu dma writes, vdso.so is overwritten with shellcode.
So after /init executes __kernel_clock_gettime, the shellcode will get executed.
/init process then connect back with a root shell.
# Logs
```
Reverse shell target: 127.0.0.1:4919
shellcode patch done
hook patch done
Waiting for reverse connect shell...
TERMINAL>>>
id
uid=0(root) gid=0(root) groups=0(root) context=u:r:init:s0
```
# Tips
Delete /data/local/tmp/x if any before the exploit.
If the waiting time is too long, try open "Time and Date" options inside the settings of your phone.
# Porting to other devices
Check the verison of adreno, currently it is built for 4xx.
For 5xx and above:
- use cp_type7_packet instead of cp_type3_packet
- use IOCTL_KGSL_GPU_COMMAND instead of IOCTL_KGSL_RINGBUFFER_ISSUEIBCMDS
文件快照
[4.0K] /data/pocs/1ed9788bc27274397bafc7560c8ad5dacf3c5c92
├── [4.0K] jni
│ ├── [ 161] Android.mk
│ ├── [ 48] Application.mk
│ ├── [ 327] build.sh
│ ├── [7.4K] exploit.c
│ ├── [ 45K] msm_kgsl.h
│ └── [4.5K] payload.s
├── [ 34K] LICENSE
└── [1.0K] README.md
1 directory, 8 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。