An exploitable use-after-free issue was reported in the io_uring module of the Android kernel. According to the report, the module is loaded at the ‘org.cybozu.io.uring’ device driver entry point, and a specially crafted ioctl call, named IOCTL_INTERNAL_INSPECTION in the summary and KDSUIOCTL_INTERNAL_INSPECTION in the call shown below, triggers a use after free in io_uring that is claimed to lead to code execution. The call shape given is:

ioctl(fd, KDSUIOCTL_INTERNAL_INSPECTION, data);

Two caveats a reader should keep in mind. First, in the mainline Linux kernel io_uring is not a loadable module reached through a device node and ioctl; it is a built-in subsystem exposed through the io_uring_setup(2), io_uring_enter(2) and io_uring_register(2) system calls, and neither the device path nor the ioctl request name above corresponds to a mainline interface. Second, an ioctl is issued by a local process holding a file descriptor, so the attack as described is local (kernel code execution or privilege escalation) rather than remote; the report does not define the request number or the layout of the crafted data, so the call cannot be reproduced from the information on this page.

Vulnerability Scenario

A local user opens the device and issues ioctl(fd, KDSUIOCTL_INTERNAL_INSPECTION, data) with specially crafted data. The report states that this results in a use after free in io_uring. It does not describe the contents of data, the object that is freed, or how the freed memory is reused, so only the call shape is known.

Vulnerability Discovery and Finding Stored XSS

On April 12, 2019, a vulnerability was discovered which, according to the report, allowed for stored XSS in io_uring. Stored XSS is a web-application vulnerability class (attacker-supplied markup persisted and later rendered in a browser); the page identifies no web component that would render io_uring data, so this claim should be treated with caution.

The report lists two ways to trigger the issue:

1) Send an ioctl call to ‘KDSUIOCTL_INTERNAL_INSPECTION’ with specially crafted data in order to trigger a use after free in io_uring.
2) Send an ioctl call to ‘KDSUIOCTL_INTERNAL_INSPECTION’ and set the return value of the function call to a character string containing an HTML entity that points at the address of a payload. The report states that the attacker needs write access so that the payload can be read when it is executed by the Android kernel, and describes the result as a stored XSS vulnerability. The page does not explain how a caller could control the return value of a kernel ioctl handler or where that string would be rendered as HTML, so the second path cannot be evaluated from the information given.

Timeline

Published on: 10/11/2022 20:15:00 UTC
Last modified on: 10/13/2022 02:43:00 UTC

References