NDAY-2017-0102: Elevation of Privilege Vulnerability in NVIDIA Video Driver - Zimperium

Written by zLabs | Apr 25, 2017

Share this blog

By: Zuk Avraham
Follow Zuk Avraham (@ihackbanme)

Nicolas Trippar
Follow Nicolas Trippar (@ntrippar)

Following our announcement on the N-Days Exploit Acquisition Program for smartphones, we are delighted to share the first couple of submissions. We received many submissions and we’re in the process of sharing them with ZHA followed by a public disclosure. We plan to release additional EOPs, RCEs and Infoleaks purchased through Zimperium N-Days EAP in the next few months. If you have a mobile N-Day exploit that you would like to monetize, or would like to practice on exploitation and get paid for it – check out the submission guidelines in our N-Days Exploit Acquisition Program announcement. We encourage all partners of ZHA to share exploit submissions for better collaboration between all those involved in making our mobile devices safer.

zNID: NDAY-2017-0102

CVE: CVE-2016-2435

Type: Elevation of Privileges

Platform: Android 6.0

Device type: Nexus 9

Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.

Android bulletin: https://source.android.com/security/bulletin/2016-05-01.html

Public release date: 25th of April, 2017
Credit: Jianqiang Zhao ( @jianqiangzhao) and pjf ( weibo.com/jfpan) of IceSword Lab, Qihoo 360

Download Exploit (password zimperium_ndays)

Vulnerability Details

Vulnerable file drivers/gpu/nvgpu/gk20a/channel_gk20a.c
When we perform an IOCTL operation on /dev/nvhost-gpu with cmd NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER it calls function gk20a_init_error_notifier. This function does not validate args->offset from userspace leading to elevation of privileges to the context of the kernel.

Exploitation

mmap a memory in userland, set args->offset a number to let va + args->offset overflow to this range of memory in userland. as a result we can calculate the value of va.
set va + args->offset to the address of ptmx_fops, to set the value of ptmx_cdev->ops from 0xffffffc0010aa420 to 0x00000000010aa420. 0x00000000010aa420 is a user space address. As a result, we can modify ptmx_cdev->ops to a fake ops pointer that can be controlled by a userspace application.
set ptmx_cdev->ops->ioctl to a ROP read or write kernel gadget to read 8 bytes from arbitrary kernel address or write 4 bytes to arbitrary kernel address.
After achieving read8 and write4 capabilities, the path to get elevated privileges and disabling of selinux is clear.

static int gk20a_init_error_notifier(struct channel_gk20a *ch,

struct nvhost_set_error_notifier *args) {

void *va;

struct dma_buf *dmabuf;

if (!args->mem) {

pr_err("gk20a_init_error_notifier: invalid memory handle\n");

return -EINVAL;

}

dmabuf = dma_buf_get(args->mem);

if (ch->error_notifier_ref)

gk20a_free_error_notifiers(ch);

if (IS_ERR(dmabuf)) {

pr_err("Invalid handle: %d\n", args->mem);

return -EINVAL;

}

/* map handle */

va = dma_buf_vmap(dmabuf);

if (!va) {

dma_buf_put(dmabuf);

pr_err("Cannot map notifier handle\n");

return -ENOMEM;

}

/* set channel notifiers pointer */

ch->error_notifier_ref = dmabuf;

ch->error_notifier = va + args->offset;

ch->error_notifier_va = va;

memset(ch->error_notifier, 0, sizeof(struct nvhost_notification));

return 0;

}

view raw NDAY-2017-0102.c hosted with ❤ by GitHub

View full post