Netlink is a socket family designed for inter-process communication (IPC) between the kernel and user-space processes since 1999 with Linux 2.2. With the popularity of Android operating system, it is widely used in the Android kernel modules. Despite its capabilities, Netlink is often overlooked by security researchers due to the strong dominance of ioctl in userspace-kernelspace communication. Its programming complexity compared to ioctl also increases the chance of developers introducing security vulnerabilities. Therefore, Netlink has actually become a hidden attack surface buried deep in the Android ecosystem.
During our research, we found Netlink can be divided into two categories according to its usage, Classic Netlink and Generic Netlink. Each category consists of two message processing flows in the kernel due to its full-duplex characteristic, top-down message parsing and bottom-up message building. Following this idea, we summarized four threat models and analyzed typical vulnerability scenarios for each threat model. Based on these scenarios, we investigated Netlink-related kernel modules from 4 well-known vendors and discovered 30+ security vulnerabilities, and obtained 12 CVEs. Most vulnerabilities have been confirmed, and can lead to serious consequences such as privilege escalation.
In this talk, we will first dive into the Netlink mechanism in the Linux kernel, and then illustrate the security threats of Netlink usage scenarios according to four threat models. Next, we will introduce the analysis, verification and exploitation of Netlink-related vulnerabilities. Finally, we will provide vendors with some security suggestions for using Netlink through vulnerabilities statistics and root cause analysis.
By:
Chao Ma | Security Researcher, Baidu Security
Han Yan | Security Researcher, Baidu Security
Tim Xia | Security Researcher, Baidu Security
Presentation Materials Available:
www.blackhat.c...