Skip to content

Latest commit

 

History

History

CVE-2018-5703

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
tls.syz
tls.syz
 
 
tls_new.syz
tls_new.syz
 
 

README.md

Run KOOBE against CVE-2018-5703

Follow instructions to create an image for Linux kernel 4.14.0.

// set env
source koobe/bin/activate
cd aeg-analysis

cd s2e/aeg-analysis
// Create a new project named tls (make sure to adjust the path to the correct vmlinux)
python main.py create -p tls --vmlinux ../s2e/source/s2e/s2e-linux-kernel/linux-4.14.0/vmlinux -c testcases/CVE-2018-5703/tls.syz -w testcases/CVE-2018-5703 -i debian-9.2.1-x86_64-4.14.0 --version 4.14.0
// identify the vulnerable object
python main.py run -p tls --findVuln
// identify all the vulnerability sites
python main.py run -p tls --findSites
// Search for target objects matching the capability
python main.py run -p tls --findTarget

The testcase (tls.syz) we initially have does not lead to an exploit. Let's resort to fuzzing to explore more paths.

python main.py run -p tls --fuzz

Unfortunately, the interaction between fuzzing and symbolic execution is not implemented yet. We still require human intervention to inspect the new seeds, although we have some tools to ease the process.

Note that we only implement a coarse-grained scheme following the idea briefly described in FUZE, in which it proposes to only enable certain syscalls that resides in the same module as the vulnerable object in order to reduce the fuzzing space. In this case, as the vulnerable object is an ipv6 socket, we could only enable those syscalls related to it (see gopath/src/github.com/google/syzkaller/sys/linux/socket_inet6.txt). To the end, we could modify the fuzzing config file (aeg-analysis/testcases/CVE-2018-5703/syzkaller.cfg) and replace the original enabled syscall list with the following:

"socket$inet6_tcp", "setsockopt$inet6_tcp_TCP_ULP", "setsockopt$inet6_bool", "setsockopt$inet6_autoflow",
"setsockopt$inet6_mtu", "bind$inet6", "listen", "sendto$inet6", "accept", "getsockopt$inet6_int",
"setsockopt$inet6_int", "getsockopt$inet6_buf", "setsockopt$inet6_buf", "setsockopt$inet6_IPV6_ADDRFORM", 
"getsockopt$inet6_opts", "setsockopt$inet6_opts", "getsockopt$inet6_mreq", "setsockopt$inet6_mreq",
"setsockopt$inet6_IPV6_FLOWLABEL_MGR", "getsockopt$inet6_IPV6_FLOWLABEL_MGR", "getsockopt$inet6_IPV6_IPSEC_POLICY",
"setsockopt$inet6_IPV6_IPSEC_POLICY", "setsockopt$inet6_MRT6_ADD_MIF", "setsockopt$inet6_MRT6_ADD_MFC", 
"setsockopt$inet6_MRT6_DEL_MFC", "setsockopt$inet6_MRT6_ADD_MFC_PROXY", "setsockopt$inet6_MRT6_DEL_MFC_PROXY"

Assume we get a new seed tls_new.syz, we can follow the same procedure as mentioned above.

python main.py create -p tls --vmlinux ../s2e/source/s2e/s2e-linux-kernel/linux-4.14.0/vmlinux -c testcases/CVE-2018-5703/tls_new.syz -w testcases/CVE-2018-5703 -i debian-9.2.1-x86_64-4.14.0 --version 4.14.0
python main.py run -p tls --findVuln
python main.py run -p tls --findSites
python main.py run -p tls --findTarget

Note that we didn't implement the exploit strategy for Linux kernel 4.14.0, you have to manually construct it based on the output poc.c and ans_kmalloc_2048.json.