Immunity Canvas: SPECTRE_FILE_LEAK

2018-01-04T13:29:00
ID SPECTRE_FILE_LEAK
Type canvas
Reporter Immunity Canvas
Modified 2018-01-04T13:29:00

Description

Name| spectre_file_leak
---|---
CVE| CVE-2017-5753
Exploit Pack| CANVAS
Description| Spectre File Leak
Notes| CVE Name: CVE-2017-5753
Notes:
This module gives an unprivileged local user the ability to read the contents of a file
out of kernel memory. A common scenario is to dump /etc/shadow or Kerberos tickets.

Note: on Fedora the attack is targetless, while on Ubuntu, CentOS and other
distributions you need target-specific offsets compiled into the binary itself.
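The underlying bug (CVE-2017-5753, Spectre variant 1) is a bounds-check bypass: a kernel branch that rejects an out-of-range index architecturally still lets the CPU load and use the out-of-range byte while the branch is mispredicted, and a second dependent load leaves that byte's value in the cache for user space to time. The following C is an added example written for this page, not Immunity's module code: it shows the gadget shape, the Linux kernel's index-masking mitigation (its generic array_index_nospec() fallback, reproduced from memory), and a deterministic model of which byte each version would touch on the transient path. The struct layout, array sizes and the "shadow" line are constructed for the demo; the cache-timing covert channel a real leak needs is deliberately not included.

```c
/* Spectre v1 (CVE-2017-5753) gadget shape and index-masking mitigation.
 * Added example for this page, not the CANVAS module. Layout, sizes and
 * the secret are assumptions constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PUBLIC_LEN 16
#define STRIDE 512                 /* one probe slot per byte value, spaced apart */
#define BITS_PER_LONG (sizeof(unsigned long) * 8)

/* Force the secret to sit directly after the bounds-checked array, so an
 * out-of-range index names a byte of the secret. */
struct layout {
    uint8_t public_data[PUBLIC_LEN];
    char    secret[48];            /* constructed stand-in for /etc/shadow content */
};
static struct layout mem = {
    "0123456789abcdef",
    "root:$6$CONSTRUCTED:18000:0:99999:7:::"
};
static uint8_t probe[256 * STRIDE];   /* the array a real PoC would flush and time */

/* Generic fallback of the Linux kernel's array_index_mask_nospec():
 * ~0UL when index < size, 0 otherwise, computed without a branch so there is
 * nothing for the CPU to speculate past. Requires size <= LONG_MAX. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp an index to 0 when it is out of range, even on a mispredicted path. */
static inline size_t array_index_nospec(size_t index, size_t size)
{
    return index & array_index_mask_nospec(index, size);
}

/* The classic gadget: the branch is architecturally correct, but while the
 * predictor assumes "in range" the CPU loads mem.public_data[idx] (possibly a
 * secret byte) and then touches probe[byte * STRIDE], leaving a cache
 * footprint that survives the squash. */
uint8_t victim_vulnerable(size_t idx)
{
    if (idx < PUBLIC_LEN)
        return probe[mem.public_data[idx] * STRIDE];
    return 0;
}

/* Hardened: mask the index before the load. Even on the mispredicted path the
 * load now targets public_data[0] instead of the secret. */
uint8_t victim_hardened(size_t idx)
{
    if (idx < PUBLIC_LEN) {
        idx = array_index_nospec(idx, PUBLIC_LEN);
        return probe[mem.public_data[idx] * STRIDE];
    }
    return 0;
}

/* Model of the byte each version loads on the transient path, i.e. with the
 * bounds check assumed mispredicted as "in range". No timing is done here. */
uint8_t transient_load_unmasked(size_t idx)
{
    return ((const uint8_t *)&mem)[idx];          /* idx >= PUBLIC_LEN reads secret */
}
uint8_t transient_load_masked(size_t idx)
{
    return ((const uint8_t *)&mem)[array_index_nospec(idx, PUBLIC_LEN)];
}

int main(void)
{
    size_t oob = PUBLIC_LEN + 5;   /* architecturally rejected by both victims */
    printf("architectural result, both versions: %u %u\n",
           victim_vulnerable(oob), victim_hardened(oob));
    printf("byte reachable on the transient path: unmasked '%c', masked '%c'\n",
           transient_load_unmasked(oob), transient_load_masked(oob));
    /* Walk the secret the way a leak loop would index it through the gadget. */
    for (size_t i = PUBLIC_LEN;
         i < PUBLIC_LEN + sizeof mem.secret && transient_load_unmasked(i); i++)
        putchar(transient_load_unmasked(i));
    putchar('\n');
    return 0;
}
```

Both victims return 0 for the out-of-range index, which is why the bug is invisible to functional tests; the difference is only in what the mispredicted path is allowed to touch, which the transient_load_* pair makes explicit. A real leak of a page-cache file adds the Flush+Reload loop over probe[] and a KASLR bypass to find the target page, which is what the caveats below are about.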

Caveats:
1. Attacking VMware guests is slower; VirtualBox is doable but far slower.
2. On VMware the KASLR bypass sometimes fails; this is work in progress.
3. The more recent the processor, the faster the attack.
4. Not all filesystems are handled; in particular, files on tmpfs cannot be leaked.
5. The attack may not work at all on some specific kernels.
6. The attack may not work at all on some hardware.
7. With this version you can only dump files that fit within a single page (<= 4096 bytes).

About (possible) future versions:
--------------------------------

a) A cache may be implemented to speed up attempts.
b) A completely targetless version (not limited to Fedora) may be written later.

CVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753