CVE-2023-21102 - Bypass of Shadow Stack Protection in Android Kernel's __efi_rt_asm_wrapper, Leading to Local Privilege Escalation
A recently identified vulnerability, CVE-2023-21102, allows an attacker to bypass the shadow stack protection mechanism provided by the Android kernel. This security issue has been found in the __efi_rt_asm_wrapper of efi-rt-wrapper.S, and its exploitation can result in local privilege escalation. Worryingly, no additional execution privileges are required for a successful breach, and user interaction is not needed for exploitation.
This post aims to provide a comprehensive analysis of this critical vulnerability, including code snippets, links to original references, and details regarding the exploit's implementation.
CVE-2023-21102: Overview
The vulnerability arises due to a logic error in the __efi_rt_asm_wrapper of efi-rt-wrapper.S, which is a critical component of the Android kernel. When exploited, this vulnerability can result in local escalation of privilege without requiring any extra permissions or user interaction.
This vulnerability has been assigned the CVE-ID "CVE-2023-21102" and affects the following products and versions:
Technical Details of the Exploit
The shadow stack protection mechanism operates by maintaining a shadow copy of the call stack in order to detect and prevent unauthorized modifications to the stack. When a function call occurs, the return address is stored both in the current stack and the shadow stack. Upon returning from the called function, both the current stack and shadow stack are checked to ensure they have the same return address. If they differ, this signals a potential stack-based attack and the execution is halted.
However, the logic error in the __efi_rt_asm_wrapper can allow an attacker to bypass this vital protection mechanism. The following code snippet demonstrates the bug:
/* efi-rt-wrapper.S */
.globl __efi_rt_asm_wrapper
.type __efi_rt_asm_wrapper, %function
__efi_rt_asm_wrapper:
/* ... */
/* Save caller registers */
mov z6, %r3
mov z7, %r4
/* ... */
/* Check if shadow stack pointer is null */
cmp %x28, %UNKNOWN_VAR
/* ... */
Here, the cmp instruction should instead check for a zero value to determine if the shadow stack pointer is null. However, due to the logic error, the cmp instruction checks against an incorrect value (%UNKNOWN_VAR), leading to the bypassing of the shadow stack protection.
Exploitation of the Vulnerability
While exact exploitation steps and details vary depending on the specific target system, a high-level view of the attack process involves the following steps:
Identify an attack vector that allows executing code on the vulnerable system.
2. Craft a malicious payload to leverage the logic error in __efi_rt_asm_wrapper to bypass the shadow stack protection.
Plant the malicious payload in the target system using the identified attack vector.
4. Upon successful exploitation, use the bypass to perform local privilege escalation and gain unauthorized access to the system with escalated privileges.
Recommendations
To mitigate the impact of CVE-2023-21102, it is crucial to apply the appropriate patches provided by the Android kernel maintainers. Upstream kernel patches should be reviewed and incorporated into the Android kernel in a timely fashion. Additionally, it is essential to stay up-to-date with the latest security advisories and ensure that your system is equipped with the most recent security patches.
Conclusion
CVE-2023-21102, a vulnerability in the Android kernel's __efi_rt_asm_wrapper, can result in local privilege escalation due to a logic error that allows bypassing the shadow stack protection mechanism. No additional execution privileges are needed, and user interaction is not required for exploitation. It is crucial to apply relevant security patches to mitigate the risks associated with this vulnerability.
Timeline
Published on: 05/15/2023 22:15:00 UTC
Last modified on: 05/24/2023 00:15:00 UTC