README.md

CVE-2017-7533

Experiment Environment

Ubuntu - 16.04, 4.10.0-42-generic

qemu-2.12.0

gcc-7.1.0

INSTALL & Configuration

GCC

Download GCC:

svn checkout svn://gcc.gnu.org/svn/gcc/trunk $GCC
cd $GCC
svn ls -v ^/tags | grep gcc_7_1_0_release
svn up -r 247494

Patch GCC:

diff --git a/gcc/tree.h b/gcc/tree.h
index 3bca90a..fdaa7af 100644
--- a/gcc/tree.h
+++ b/gcc/tree.h
@@ -897,8 +897,8 @@  extern void omp_clause_range_check_failed (const_tree, const char *, int,
 /* If this is true, we should insert a __cilk_detach call just before
    this function call.  */
 #define EXPR_CILK_SPAWN(NODE) \
-  (tree_check2 (NODE, __FILE__, __LINE__, __FUNCTION__, \
-                CALL_EXPR, AGGR_INIT_EXPR)->base.u.bits.unsigned_flag)
+  (TREE_CHECK2 (NODE, CALL_EXPR, \
+                AGGR_INIT_EXPR)->base.u.bits.unsigned_flag)
 
 /* In a RESULT_DECL, PARM_DECL and VAR_DECL, means that it is
    passed by invisible reference (and the TREE_TYPE is a pointer to the true
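Review bot: Neither the README nor the hunk says why EXPR_CILK_SPAWN must go through the TREE_CHECK2 macro instead of calling tree_check2 directly, so a reader cannot tell whether the patch is required or cosmetic. As far as I can tell it is needed because the configure line further down uses --enable-checking=no, under which TREE_CHECK2 collapses to plain (NODE) while tree_check2 itself is not provided; this should be confirmed against tree.h at revision 247494. A one-line note above the diff, `Required when GCC is configured with --enable-checking=no: EXPR_CILK_SPAWN must use the TREE_CHECK2 macro rather than call tree_check2 directly`, would make the intent clear. The surrounding macro definitions in tree.h lie outside the hunk.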

Install GCC prerequisites:

sudo apt-get install flex bison libc6-dev libc6-dev-i386 linux-libc-dev linux-libc-dev:i386 libgmp3-dev libmpfr-dev libmpc-dev build-essential bc

Build GCC:

mkdir build
mkdir install
cd build/
../configure --enable-languages=c,c++ --disable-bootstrap --enable-checking=no --with-gnu-as --with-gnu-ld --with-ld=/usr/bin/ld.bfd --disable-multilib --prefix=$GCC/install/
make -j64
make install

Linux kernel

Download Linux kernel:

git clone https://github.com/torvalds/linux.git
git checkout v4.10

Generate default configs:

cd $KERNEL
make defconfig
make kvmconfig

Enable some options:

CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y

In addition, the kernel config options related to inotify and user page faults must also be enabled.

Compile Linux kernel:

make CC="$GCC/install/bin/gcc" -j64

Disk Image

Install debootstrap:

sudo apt-get install debootstrap

Create Image:

touch create_image.sh
chmod +x ./create_image.sh

Content of create_image.sh:

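#!/bin/bash
# create_image.sh — build a minimal Debian wheezy root filesystem with
# debootstrap and pack it into an ext4 disk image (wheezy.img) for the
# QEMU test VM.  Needs sudo, debootstrap, mkfs.ext4 and ssh-keygen.
#
# The guest is deliberately weak (passwordless root, empty-passphrase SSH
# key): it is only meant to run as an isolated, throwaway test VM.
set -euxo pipefail

readonly DIR=wheezy          # chroot directory the rootfs is built in
readonly IMAGE=wheezy.img    # disk image written at the end
readonly MNT=/mnt/wheezy     # temporary mount point for the image

# Create a minimal Debian-wheezy distributive as a directory.
sudo rm -rf -- "$DIR"
mkdir -p -- "$DIR"
sudo debootstrap --include=openssh-server,curl,tar,gcc,libc6-dev,time,strace,sudo,less,psmisc wheezy "$DIR"

# Set some defaults and enable promptless ssh to the machine for root.
# Stripping root's password hash gives a passwordless root login on the
# serial console (getty on ttyS0 below); acceptable only for this test VM.
sudo sed -i '/^root/ { s/:x:/::/ }' "$DIR/etc/passwd"
echo 'T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100' | sudo tee -a "$DIR/etc/inittab"
printf '\nauto eth0\niface eth0 inet dhcp\n' | sudo tee -a "$DIR/etc/network/interfaces"
echo 'debugfs /sys/kernel/debug debugfs defaults 0 0' | sudo tee -a "$DIR/etc/fstab"
# Verbose console logging so kernel/KASAN reports end up in the VM log.
echo "kernel.printk = 7 4 1 3" | sudo tee -a "$DIR/etc/sysctl.conf"
echo 'debug.exception-trace = 0' | sudo tee -a "$DIR/etc/sysctl.conf"
echo "net.core.bpf_jit_enable = 1" | sudo tee -a "$DIR/etc/sysctl.conf"
echo "net.core.bpf_jit_harden = 2" | sudo tee -a "$DIR/etc/sysctl.conf"
echo "net.ipv4.ping_group_range = 0 65535" | sudo tee -a "$DIR/etc/sysctl.conf"
printf '127.0.0.1\tlocalhost\n' | sudo tee "$DIR/etc/hosts"
# The resolver reads /etc/resolv.conf; the original wrote "resolve.conf",
# which nothing consults, so DNS inside the guest silently failed.
echo "nameserver 8.8.8.8" | sudo tee -a "$DIR/etc/resolv.conf"
echo "localhost" | sudo tee "$DIR/etc/hostname"

# Fresh key pair for root; the private key stays on the host in ./ssh.
# Empty passphrase so the scp/ssh steps in the README run non-interactively.
sudo mkdir -p "$DIR/root/.ssh/"
rm -rf ssh
mkdir -p ssh
ssh-keygen -f ssh/id_rsa -t rsa -N ''
sudo tee "$DIR/root/.ssh/authorized_keys" < ssh/id_rsa.pub
# '&&' rather than ';' so a failed apt-get update aborts the build instead
# of installing from an empty or stale package list.
sudo chroot "$DIR" /bin/bash -c "apt-get update && apt-get install -y curl tar time strace gcc make sysbench git vim screen usbutils gdb"


# Build a disk image: seek past 2047 MiB and write a single block, which
# yields a sparse 2 GiB file.
dd if=/dev/zero of="$IMAGE" bs=1M seek=2047 count=1
sudo mkfs.ext4 -F "$IMAGE"
sudo mkdir -p "$MNT"
sudo mount -o loop "$IMAGE" "$MNT"
# Release the loop mount even if the copy below fails part-way.
trap 'sudo umount "$MNT" 2>/dev/null || true' EXIT
sudo cp -a "$DIR/." "$MNT/."
sudo umount "$MNT"
trap - EXIT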

QEMU

Install QEMU:

sudo apt-get install kvm qemu-kvm

Boot QEMU:

./start_vm.sh

Content of start_vm.sh:

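#!/bin/sh
# start_vm.sh — boot the KASAN test kernel in QEMU on the wheezy image.
#
# Environment:
#   KERNEL  root of the Linux source tree (bzImage is taken from it)
#   IMG     directory that contains img/wheezy.img
# Outputs: console output is mirrored to vm.log; the QEMU pid goes to vm.pid.
#
# Guest SSH is forwarded to 127.0.0.1:10021, the QEMU monitor listens on
# 127.0.0.1:9210 and the gdb stub on 127.0.0.1:1234.  All three are bound
# to loopback on purpose: the monitor and gdb stub are unauthenticated and
# give full control of the VM (the monitor can also be used to run commands
# on the host), so they must not be reachable from other machines.
set -eu

: "${KERNEL:?KERNEL must point to the kernel source tree}"
: "${IMG:?IMG must point to the directory holding img/wheezy.img}"

KERNEL=$KERNEL/arch/x86/boot/bzImage
IMAGE=$IMG/img/wheezy.img
MONITOR_PORT=9210
GDB_PORT=1234   # the port the original -s shorthand used

# A stale pidfile from an earlier run is harmless; -f so a missing file
# does not abort the script under set -e.
rm -f vm.pid

# The exit status is tee's, not qemu's, because of the pipeline; read
# vm.log to find out how the VM actually ended.
qemu-system-x86_64 \
  -kernel "$KERNEL" \
  -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial oops=panic panic_on_warn=1 ftrace_dump_on_oops=orig_cpu" \
  -hda "$IMAGE" \
  -net user,hostfwd=tcp:127.0.0.1:10021-:22 -net nic \
  -enable-kvm \
  -nographic \
  -m 1G \
  -smp 2 \
  -monitor "tcp:127.0.0.1:${MONITOR_PORT},server,nowait,nodelay,reconnect=-1" \
  -pidfile vm.pid \
  -gdb "tcp:127.0.0.1:${GDB_PORT}" \
  2>&1 | tee vm.log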

PoC

Download PoC:

wget https://raw.githubusercontent.com/mudongliang/LinuxFlaw/master/CVE-2017-7533/poc.c

Compile PoC:

gcc -o poc poc.c -static -pthread -Wno-format

Problems in Installation & Configuration

error: undefined reference to '__ilog2_NaN'

Solution: patch

How to trigger vulnerability

Copy PoC to vm:

scp -r -i $IMAGE/ssh/id_rsa -P 10021 ./poc root@localhost:~

Connect to vm:

ssh -i $IMAGE/ssh/id_rsa -p 10021 -o "StrictHostKeyChecking no" root@localhost

Trigger Vulnerability:

./poc

PoCs

Hardenedlinux

Vulnerability Details & Patch

Root Cause

Stack Trace

Patch

linux patch

References
