After reporting https://bugs.chromium.org/p/project-zero/issues/detail?id=1583
(Android ID 80436257, CVE-2018-9445), I discovered that this issue could also
be used to inject code into the context of the zygote. Additionally, I
discovered a privilege escalation path from zygote to init; that escalation path
is why I'm filing a new bug.
Essentially, the privilege escalation from zygote to init is possible because
system/sepolicy/private/zygote.te contains the following rule:
allow zygote self:capability sys_admin;
(On the current AOSP master branch, the rule looks slightly different, but it's
still there.)
This rule allows processes in the zygote domain to use the CAP_SYS_ADMIN
capability, if they have such a capability. The zygote has the capability and
uses it, e.g. to call umount() and to install seccomp filters without setting
the NO_NEW_PRIVS flag. CAP_SYS_ADMIN is a bit of a catch-all capability: If
kernel code needs to check that the caller has superuser privileges and none of
the capability bits fit the particular case, CAP_SYS_ADMIN is usually used.
The capabilities(7) manpage has a long, but not exhaustive, list of things that
this capability permits:
http://man7.org/linux/man-pages/man7/capabilities.7.html
One of the syscalls that can be called with CAP_SYS_ADMIN and don't have
significant additional SELinux hooks is pivot_root(). This syscall can be used
to switch out the root of the current mount namespace and, as part of that,
change the root of every process in that mount namespace to the new namespace
root (unless the process already had a different root).
The exploit for this issue is in zygote_exec_target.c, starting at
"if (unshare(CLONE_NEWNS))". The attack is basically:
1. set up a new mount namespace with a root that is fully attacker-controlled
2. execute crash_dump64, causing an automatic transition to the crash_dump
domain
3. the kernel tries to load the linker for crash_dump64 from the
attacker-controlled filesystem, resulting in compromise of the crash_dump
domain
4. from the crash_dump domain, use ptrace() to inject syscalls into vold
5. from vold, set up a loop device with an attacker-controlled backing device
and mount the loop device over /sbin, without "nosuid"
6. from vold, call request_key() with a nonexistent key, causing a
usermodehelper invocation to /sbin/request-key, which is labeled as
init_exec, causing an automatic domain transition from kernel to init (and
avoiding the "neverallow kernel *:file { entrypoint execute_no_trans };"
aimed at stopping exploits using usermodehelpers)
7. code execution in the init domain
Note that this is only one of multiple possible escalation paths; for example,
I think that you could also enable swap on an attacker-controlled file, then
modify the swapped-out data to effectively corrupt the memory of any userspace
process that hasn't explicitly locked all of its memory into RAM.
In order to get into the zygote in the first place, I have to trigger
CVE-2018-9445 twice:
1. Use the bug to mount a "public volume" with a FAT filesystem over /data/misc.
2. Trigger the bug again with a "private volume" with a dm-crypt-protected
ext4 filesystem that will be mounted over /data. To decrypt the volume, a key
from /data/misc/vold/ is used.
3. Cause system_server to crash in order to trigger a zygote reboot. For this,
the following exception is targeted:
*** FATAL EXCEPTION IN SYSTEM PROCESS: NetworkStats
java.lang.NullPointerException: Attempt to get length of null array
at com.android.internal.util.FileRotator.getActiveName(FileRotator.java:309)
at com.android.internal.util.FileRotator.rewriteActive(FileRotator.java:183)
at com.android.server.net.NetworkStatsRecorder.forcePersistLocked(NetworkStatsRecorder.java:300)
at com.android.server.net.NetworkStatsRecorder.maybePersistLocked(NetworkStatsRecorder.java:286)
at com.android.server.net.NetworkStatsService.performPollLocked(NetworkStatsService.java:1194)
at com.android.server.net.NetworkStatsService.performPoll(NetworkStatsService.java:1151)
at com.android.server.net.NetworkStatsService.-wrap3(Unknown Source:0)
at com.android.server.net.NetworkStatsService$HandlerCallback.handleMessage(NetworkStatsService.java:1495)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:164)
at android.os.HandlerThread.run(HandlerThread.java:65)
This exception can be triggered by sending >=2MiB (mPersistThresholdBytes) of
network traffic to the device, then either waiting for the next periodic
refresh of network stats or changing the state of a network interface.
4. The rebooting zygote64 does dlopen() on
/data/dalvik-cache/arm64/system@framework@boot.oat, resulting in code
execution in the zygote64. (For the zygote64 to get to this point, it's
sufficient to symlink
/data/dalvik-cache/arm64/system@framework@boot.{art,vdex} to their
counterparts on /system, even though that code isn't relocated properly.)
I have attached an exploit for the full chain, with usage instructions in USAGE.
WARNING: As always, this exploit is intended to be used only on research devices that don't store user data. This specific exploit is known to sometimes cause data corruption.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45379.zip
