kpets
welcome to Kernel Pets Simulator!
We wrote a pet store application that was too slow, so we made a kernel module for it instead.
Author: pippinthedog
Hi everyone, this is the writeup for the Facebook CTF 2019 Qualification Round kpets challenge.
You may want to check out the exploit code.
Description
We are given a Linux kernel module, packaged with a QEMU VM that runs Linux 5.1.5.
The module, as its self-introduction says, is an application that can create and view pets.
We communicate with the module by reading from and writing to the pseudo-file /dev/kpets.
dev_read is the read handler, while dev_write is the write handler.
The only path that leads us to the flag is in the dev_read method, when the value 0xAA is in the first byte of a pet.
The other path prints the pets and then returns.
So we want to make a pet whose first byte is 0xAA.
dev_write creates a new pet from the struct we write in.
It performs some sanity checks to prevent a buffer overflow.
Most importantly, it checks that the first byte is not 0xAA.
One more thing: by reversing further (which I hadn't found during the CTF 😭), we can see that it saves the pets backward.
Bug
We can see that it checks the supplied length of the pet's name and the supplied length of the pet's description, and then copies that amount of data into kernel memory.
The problem is in this piece of code:
The module copies the length from userspace, performs checks on it, and then copies it AGAIN from userspace, unchecked, to use as the copy length.
This introduces a race condition: a double fetch.
The value may be changed in user memory between the two copies, which bypasses the sanity checks.
From here, we have a buffer overflow of arbitrary length on the name field in kernel memory.
To exploit this, we can create a second thread that repeatedly changes the length value in userspace.
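The double fetch described above, modelled in userspace as an added example (not the challenge module's code): `struct pet_req`, `NAME_MAX`, the `racer` hook and `grow_len` are constructed stand-ins, and `copy_from_user_sim` replaces the kernel's `copy_from_user`. The buggy handler sits next to the fixed one so the difference is visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAME_MAX 16  /* constructed limit; the real module's bound is not modelled */

/* Constructed, simplified model of the struct the write handler reads from user memory. */
struct pet_req {
    uint8_t  kind;       /* the challenge rejects 0xAA here */
    uint32_t name_len;   /* user-controlled length, fetched twice by the buggy handler */
    char     name[64];
};
/* Stand-in for copy_from_user(): each call is a separate read of user memory. */
static void copy_from_user_sim(void *dst, const void *src, size_t n) { memcpy(dst, src, n); }

/* Buggy pattern (double fetch): check the first copy of name_len, then re-read it from
 * user memory and trust the second copy. 'racer', if set, runs between the two fetches
 * to model a second thread rewriting the struct. Returns bytes copied, or -1 if rejected. */
long kpets_write_vuln(struct pet_req *user, void (*racer)(struct pet_req *))
{
    char kname[64];      /* oversized on purpose so the demo itself never corrupts memory */
    uint32_t len;
    copy_from_user_sim(&len, &user->name_len, sizeof len);
    if (len > NAME_MAX) return -1;                          /* first copy passes the check */
    if (racer) racer(user);                                 /* other thread changes name_len */
    copy_from_user_sim(&len, &user->name_len, sizeof len);  /* second fetch, never checked */
    copy_from_user_sim(kname, user->name, len);             /* copies len > NAME_MAX bytes */
    return (long)len;
}

/* Fixed pattern: fetch once, check the kernel-side copy, and use only that copy. */
long kpets_write_fixed(struct pet_req *user, void (*racer)(struct pet_req *))
{
    char kname[NAME_MAX];
    uint32_t len;
    copy_from_user_sim(&len, &user->name_len, sizeof len);
    if (len > NAME_MAX) return -1;
    if (racer) racer(user);                                 /* too late: user memory is not re-read */
    copy_from_user_sim(kname, user->name, len);
    return (long)len;
}

/* Models the racing thread from the writeup: rewrites the length after the check. */
static void grow_len(struct pet_req *u) { u->name_len = 48; }
int main(void)
{
    struct pet_req req = { .kind = 0x01, .name_len = 8, .name = "fluffy" };
    printf("double fetch: copied %ld bytes into a %d-byte field\n", kpets_write_vuln(&req, grow_len), NAME_MAX);
    req.name_len = 8;
    printf("single fetch: copied %ld bytes\n", kpets_write_fixed(&req, grow_len));
    return 0;
}
```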
The remaining road to the flag….
Well, I stopped here 8 hours before the CTF ended…
It was a late Sunday night…
My teammates were resting for the Monday ahead…
I was stuck.
Well, after 2 weeks, I’m here.
To finish what I started…
But then I continued to fail.
I decided to read some spoilers….
Back on.
Recall that it saves the pets backward.
So we first create a pet that satisfies all the conditions.
Then we use the race condition to make the next pet's name overflow into the previous one with 0xAA.
Then we get the flag.
Shoutout
- pippinthedog from Facebook CTF, for bringing a great challenge for me.
- WALLY0813's writeup. Without that writeup, I couldn't have finished the leftover part.